CopSSH SFTP -- limit users access to their home directory only

Let me preface this by saying I've read and followed these instructions at the FAQ many times: http://www.itefix.no/i2/node/37

It does not do what the title claims... It allows every user access to every other user's home directory, as well as access to all subfolders below the copssh installation path.

I'm only using this for SFTP access and I need my users to be sandboxed into only their home directory.

If you know a fool-proof way to lock users down so they can see only their home directory and its subfolders, stop reading now and reply with the solution.

The details:

Here is exactly what i tried as I followed the FAQ. My copSSH installation directory is: C:\Program Files\CopSSH

net localgroup sftp_users /ADD      **Create a user group to hold all my SFTP users

cacls c:\ /c /e /t /d sftp_users    **For that group, deny access at the top level and all levels below

cacls "C:\Program Files\CopSSH" /c /e /t /r sftp_users    **Allow my user group access to the copSSH installation directory and its subdirectories

For each sftp user, I create a new windows user account, then I:

net localgroup sftp_users sftp_user_1 /add    **Add my user to the group I've created

Open the activate user wizard for CopSSH, choosing the user, "/bin/sftponly" and

  • Remove copssh home directory if it exists **Remains checked
  • Create keys for public key authentication **Remains checked
  • Create link to user's real home directory **Remains checked

This works, however, every user has access to every other user's home directory as well as the CopSSH root directory....

So I tried denying access for all users to the user home directory:

cacls "C:\Program Files\CopSSH\home" /c /e /t /d sftp_users **Deny access for users to the user home directory

Then I tried adding permissions on a user-by-user basis for each users home\username folder. However,these permission were not allowed by windows because of the above deny rule i created at the home directory was being inherited and over-riding my allow rule.

The next step for me would be to remove the deny rule at the home directory and for each user folder, add a deny rule for every user it doesn't belong to, and add an allow rule for the one user it does belong to.

However, as my user list gets long, this will become very cumbersome.

Thanks for the help!


Solution 1:

  1. create group 'SSH Users' in computer management
  2. Add group to gpedit -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on locally (see Can't login to Cygwin sshd server with a non-administrator user account)
  3. run gpupdate
  4. Add ftpuser to group SSH Users
  5. Append details in /etc/sshd_config:

    Subsystem sftp internal-sftp
    
    Match User ftpuser
        ChrootDirectory /home/ftpuser
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
    

    (the keywords on the lines following the Match directive apply only to the user ftpuserand override those set in the global section of the config file, until either another Match line or the end of the file.)

  6. Activate ftpuser user through copSSH wizard
  7. Delete all .ssh .bashprofile files/folders under ftpuser folder
  8. Set SvcCOPSSH user to root id 0

    SvcCOPSSH:unused_by_nt/2000/xp:**0**:545:U...
    

    (see http://www.itefix.no/i2/node/11956)

  9. Might need to do the following as well in copSSH 'UNIX BASH Shell'

    cd /
    chown SvcCOPSSH /
    chmod 0755 /
    
  10. restart openssh service