Hello List.

I'm trying to set up a limited SSH server with SFTP. The requirements:

- There are users to whom only SFTP should be available (sftp-only group).
- There are users to whom SFTP and shell access should be available (admin group).
- SFTP clients have to authenticate with username and password.
- Shell users have to authenticate with a private key.

I put into the sshd_config global section:

    PasswordAuthentication no

and at the end of the sshd_config:

    Subsystem       sftp    internal-sftp

    Match Group admin
        AllowTCPForwarding yes
        X11Forwarding yes
        ForceCommand bash

    Match Group sftp-only
        PasswordAuthentication yes
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

This config works well for SFTP users, but if a user is a member of both groups, the SFTP client fails to connect. Obviously because of the ForceCommand.

Is there a way to achieve the requirements above? Is there a way to create rules according to connection type? I mean, is there any difference within the connection/authentication between e.g. PuTTY and FileZilla?

Thank you,
Csaba
Márk Csaba wrote:

> Match Group admin
>     AllowTCPForwarding yes
>     X11Forwarding yes
>     ForceCommand bash

> Is there a way to achieve the requirements above?

Remove the admin ForceCommand.

> Is there a way to create rules according to connection type?

In theory there's a way, but it's unreliable and unsecured. It uses heuristics on plain text sent before any crypto is used. Such rules could be tricked with a telnet client.

//Peter
On Tue, Jun 24, 2014 at 8:30 PM, Márk Csaba <markcs at gwyll.eu> wrote:

> Hello List.
>
> I'm trying to set up a limited SSH server with SFTP.
>
> The requirements:
>
> - There are users to whom only SFTP should be available (sftp-only group).
> - There are users to whom SFTP and shell access should be available (admin group).
> - SFTP clients have to authenticate with username and password.
> - Shell users have to authenticate with a private key.
>
> I put into the sshd_config global section:
>
>     PasswordAuthentication no
>
> and at the end of the sshd_config:
>
>     Subsystem sftp internal-sftp
>
>     Match Group admin
>         AllowTCPForwarding yes
>         X11Forwarding yes
>         ForceCommand bash
>
>     Match Group sftp-only
>         PasswordAuthentication yes
>         AllowTCPForwarding no
>         X11Forwarding no
>         ForceCommand internal-sftp
>
> This config works well for SFTP users, but if a user is a member of both groups, the SFTP client fails to connect. Obviously because of the ForceCommand.
>
> Is there a way to achieve the requirements above?
>
> Is there a way to create rules according to connection type? I mean, is there any difference within the connection/authentication between e.g. PuTTY and FileZilla?

Put your limited sftp server on a separate port, or your SSH server on a separate port, to start with. That way you don't wind up mixing and matching the configurations.
On Wed, 25 Jun 2014, Márk Csaba wrote:

> Match Group admin
>     AllowTCPForwarding yes
>     X11Forwarding yes
>     ForceCommand bash
>
> Match Group sftp-only
>     PasswordAuthentication yes
>     AllowTCPForwarding no
>     X11Forwarding no
>     ForceCommand internal-sftp
>
> This config works well for SFTP users, but if a user is a member of
> both groups, the SFTP client fails to connect. Obviously because of the
> ForceCommand.

"Match group sftp-only,!admin" for the second case and removing the "ForceCommand bash" from the first might work.
Thank you guys for the answers.

The "Match group sftp-only,!admin" didn't work with a user which is in both groups. But it shows me that this is not a good idea. :)

I've modified the rules ... so only "Match group sftp-only" is left in the config ... the users in the admin group have to use their private key to connect to SFTP. This is an acceptable compromise.

Thank you for your help and your time!

Regards,
Csaba

-----Original Message-----
From: openssh-unix-dev [mailto:openssh-unix-dev-bounces+markcs=gwyll.eu at mindrot.org] On Behalf Of Damien Miller
Sent: Wednesday, June 25, 2014 7:09 AM

"Match group sftp-only,!admin" for the second case and removing the "ForceCommand bash" from the first might work.
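The Match Group behaviour behind Peter's and Damien's suggestions, as an added example that is not code from this thread or from OpenSSH: a small Python model of the two sshd_config(5) rules that decide the outcome here, that a negated group pattern which matches any of the user's groups vetoes the block, and that for each keyword the first matching block to set it wins over later blocks and over the global section. Run for a user in both groups, it shows why the original config hands the SFTP request to bash while the suggested config leaves that user on the global key-only settings with internal-sftp; the keyword names are the thread's, the helper functions and the dict layout are assumptions of this example.

```python
from collections import namedtuple

# A "Match Group a,!b" block: its group patterns and the keywords it sets.
MatchBlock = namedtuple("MatchBlock", "groups settings")

def group_block_matches(user_groups, patterns):
    """sshd's Group rule: a negated pattern that matches any of the user's
    groups vetoes the block; otherwise some positive pattern must match."""
    found = False
    for g in user_groups:
        for p in patterns:
            if p.startswith("!") and g == p[1:]:
                return False
            found = found or g == p
    return found

def effective_config(global_settings, blocks, user_groups):
    """Per keyword, the first matching Match block wins, overriding the global section."""
    conf = dict(global_settings)
    seen = set()
    for block in blocks:
        if group_block_matches(user_groups, block.groups):
            for key, value in block.settings.items():
                if key not in seen:
                    conf[key] = value
                    seen.add(key)
    return conf

def sftp_session_command(conf):
    """What runs when a client requests the 'sftp' subsystem: ForceCommand
    replaces it, and only the special value internal-sftp still speaks SFTP."""
    return conf.get("ForceCommand") or conf["Subsystem sftp"]

# Constructed settings mirroring the thread's sshd_config.
GLOBAL = {"PasswordAuthentication": "no", "Subsystem sftp": "internal-sftp"}
ADMIN = {"AllowTCPForwarding": "yes", "X11Forwarding": "yes"}
SFTP_ONLY = {"PasswordAuthentication": "yes", "AllowTCPForwarding": "no",
             "X11Forwarding": "no", "ForceCommand": "internal-sftp"}
ORIGINAL = [MatchBlock(["admin"], {**ADMIN, "ForceCommand": "bash"}),
            MatchBlock(["sftp-only"], SFTP_ONLY)]
# Suggested fix: no ForceCommand for admins, and exclude admins from the SFTP block.
SUGGESTED = [MatchBlock(["admin"], ADMIN),
             MatchBlock(["sftp-only", "!admin"], SFTP_ONLY)]

def sftp_command_for(blocks, user_groups):
    return sftp_session_command(effective_config(GLOBAL, blocks, user_groups))
```

On a real host the equivalent check is `sshd -T -C user=<name>`, which prints the effective configuration sshd would apply to that user after Match processing.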