CopSSH SFTP -- limit users access to their home directory only
Let me preface this by saying I've read and followed these instructions at the FAQ many times: http://www.itefix.no/i2/node/37
It does not do what the title claims... It allows every user access to every other user's home directory, as well as access to all subfolders below the copssh installation path.
I'm only using this for SFTP access and I need my users to be sandboxed into only their home directory.
If you know a fool-proof way to lock users down so they can see only their home directory and its subfolders, stop reading now and reply with the solution.
The details:
Here is exactly what I tried as I followed the FAQ. My copSSH installation directory is: C:\Program Files\CopSSH
net localgroup sftp_users /ADD **Create a user group to hold all my SFTP users
cacls c:\ /c /e /t /d sftp_users **For that group, deny access at the top level and all levels below
cacls "C:\Program Files\CopSSH" /c /e /t /r sftp_users **Allow my user group access to the copSSH installation directory and its subdirectories
For each sftp user, I create a new windows user account, then I:
net localgroup sftp_users sftp_user_1 /add **Add my user to the group I've created
Open the activate user wizard for CopSSH, choosing the user, "/bin/sftponly" and
- Remove copssh home directory if it exists **Remains checked
- Create keys for public key authentication **Remains checked
- Create link to user's real home directory **Remains checked
This works; however, every user has access to every other user's home directory as well as the CopSSH root directory.
So I tried denying access for all users to the user home directory:
cacls "C:\Program Files\CopSSH\home" /c /e /t /d sftp_users **Deny access for users to the user home directory
Then I tried adding permissions on a user-by-user basis for each user's home\username folder. However, these permissions were not allowed by Windows, because the deny rule I created above at the home directory was being inherited and overriding my allow rule.
The next step for me would be to remove the deny rule at the home directory and for each user folder, add a deny rule for every user it doesn't belong to, and add an allow rule for the one user it does belong to.
However, as my user list gets long, this will become very cumbersome.
Thanks for the help!
Solution 1:
- create group 'SSH Users' in computer management
- Add group to gpedit -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on locally (see Can't login to Cygwin sshd server with a non-administrator user account)
- run gpupdate
- Add ftpuser to group SSH Users
- Append the following to /etc/sshd_config:

    Subsystem sftp internal-sftp

    Match User ftpuser
        ChrootDirectory /home/ftpuser
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

  (The keywords on the lines following the Match directive apply only to the user ftpuser and override those set in the global section of the config file, until either another Match line or the end of the file.)
- Activate the ftpuser user through the copSSH wizard
- Delete all .ssh .bashprofile files/folders under ftpuser folder
- Set the SvcCOPSSH user to root id 0 (the uid field of its passwd entry):

    SvcCOPSSH:unused_by_nt/2000/xp:0:545:U...

  (see http://www.itefix.no/i2/node/11956)
- Might need to do the following as well in the copSSH 'UNIX BASH Shell':

    cd /
    chown SvcCOPSSH /
    chmod 0755 /

- Restart the OpenSSH service
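Two things bite people who follow the steps above: sshd refuses a ChrootDirectory unless every path component from / down to the chroot directory is owned by root (uid 0) and is not writable by group or others (that is why the answer sets SvcCOPSSH to uid 0 and chowns /), and the Match block is easy to mistype when copied by hand. The script below is an added example written for this page, not code from the question, the answer, or the CopSSH project. It walks a chroot path and checks each component's owner and write bits, and prints the per-user Match block from the answer (the global `Subsystem sftp internal-sftp` line is still needed once). It assumes GNU `stat -c` (Linux, or the Cygwin coreutils that CopSSH ships); the TOP argument lets you stop the walk at the Cygwin root instead of the Windows drive root, and the demo tree under mktemp is constructed for illustration.

```shell
#!/bin/sh
# Added example for this page, not from the original post or from CopSSH.
# Assumes GNU stat (Linux / Cygwin coreutils). Sample directories are constructed.

# check_chroot_path DIR [WANT_UID] [TOP]
#   DIR      the ChrootDirectory to validate
#   WANT_UID uid every component must be owned by (default 0 = root)
#   TOP      where to stop walking upwards (default /; under CopSSH, the
#            Cygwin root, i.e. the CopSSH install directory)
# Returns 0 if every component is acceptable to sshd, 1 otherwise
# (the reason is written to stderr).
check_chroot_path() {
    dir=$1
    want_uid=${2:-0}
    top=${3:-/}
    p=$dir
    while :; do
        uid=$(stat -c '%u' "$p" 2>/dev/null) || { echo "cannot stat $p" >&2; return 1; }
        perm=$(stat -c '%a' "$p")
        dec=$(printf '%d' "0$perm")          # octal mode text -> integer
        if [ "$uid" != "$want_uid" ]; then
            echo "bad owner on $p: uid $uid, expected $want_uid" >&2
            return 1
        fi
        # 022 octal (18 decimal) = group-write | other-write; sshd rejects either
        if [ $((dec & 18)) -ne 0 ]; then
            echo "group/world writable: $p (mode $perm)" >&2
            return 1
        fi
        [ "$p" = "$top" ] && break
        [ "$p" = "/" ] && break              # TOP was not an ancestor; stop at /
        p=$(dirname "$p")
    done
    return 0
}

# sftp_match_block USER
# Prints the per-user block from the answer above, one keyword per line,
# so it can be appended to sshd_config with >> instead of retyped.
sftp_match_block() {
    user=$1
    printf '%s\n' \
        "Match User $user" \
        "    ChrootDirectory /home/$user" \
        "    X11Forwarding no" \
        "    AllowTcpForwarding no" \
        "    ForceCommand internal-sftp"
}

# Demo on a constructed tree. No root needed: the expected owner is the
# current user and the walk stops at the temp dir instead of /.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/ftpuser"
    chmod 755 "$tmp" "$tmp/home" "$tmp/home/ftpuser"
    if check_chroot_path "$tmp/home/ftpuser" "$(id -u)" "$tmp"; then
        echo "ok: $tmp/home/ftpuser is a usable chroot"
    fi
    chmod g+w "$tmp/home"                    # the classic mistake
    if ! check_chroot_path "$tmp/home/ftpuser" "$(id -u)" "$tmp"; then
        echo "rejected after chmod g+w, as sshd would reject it"
    fi
    sftp_match_block ftpuser
    rm -rf "$tmp"
}
demo
```

On a real CopSSH box run it from the 'UNIX BASH Shell' as `check_chroot_path /home/ftpuser 0 /` after the chown and chmod steps; any component it reports is one sshd will also complain about in its log when the user tries to connect.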