Setting up a BETTER SFTP Server on Windows

I added a blog post a while back about setting up an SFTP server on Windows.

It turns out that it IS easy to set up an SFTP server, but setting up a GOOD (read: "secure") one takes a bit more work.  The solution I am going to describe, I call "Better" (not "Good"), because it solves some problems, but not all of them.

The problem with sshwindows (the dist I used before) is that there is no real way to set up a chroot environment or chroot jail for users, or at least none that I was able to make work.  If you have this setup, then without your intervention, any user can gain access to any part of the system by changing to the "/cygdrive/c/Windows" (or other) directory.  It promotes snooping, and can cause lots of trouble.  The other problem with sshwindows is that by default, it allows anybody to connect via ssh or sftp, permitting users to have shell access to your Windows server.  You may want this, but generally this is not desired.

This blog entry is to help set up an SFTP configuration that is a little more secure (note the "little more").  Not ideal, but much better.

I have since found a different distribution of OpenSSH for Windows called "copSSH."  The site is here: <a href="http://www.itefix.no/i2/copssh">http://www.itefix.no/i2/copssh</a> and I will admit, I found their site a little less than organized and helpful.

Installation is a snap with their Windows installer (I used version 2.1.0).  The reason I opted to set up this new distribution is not really because of new features, but because it is a lot easier to add new users with this version.  In sshwindows, you needed to use a command line tool to add users.  With copSSH, there is a pretty window and drop-down list and you just pick the user to add.  (Users have to have a Windows account first.)  When you add a user, it asks you which shell to let the user access, and one of the choices is "sftponly", which restricts the user to only using SFTP.  That solves one of our security problems!

The other problem is locking the user down to only have access to specified folders.  Just like sshwindows, copSSH allows you to get to the system drive root by going to the folder "/cygdrive/c/" which then allows you to browse the C drive.  This is bad, so what we can do is restrict access to only certain users.

This is a bit of an annoying process, but here it goes:

<ol>
   <li>Create a Windows group, let's say "SFTP_Users"</li>
   <li>Create the Windows user account for your user, say "myuser", and add them to the "SFTP_Users" group</li>
   <li>Set permissions on your entire system (all drives) to DENY all access for anybody in the "SFTP_Users" group</li>
   <li>Go back and enable appropriate permissions on the CopSSH installation folder (i.e. "c:\program files\ICW") and any other specific folders you want the user to have access to.  Only enable it for the specific folders you want to open up.</li>
   <li>Go to any folders that "myuser" should be able to read/write to, and give the appropriate permissions. (These will probably be the same directories you opened up in the previous step.)</li>
   <li>Use the CopSSH tool (Start menu, Program Files, copssh) "Activate a user" and activate "myuser"</li>
</ol>

(There is a page on the copSSH site that explains how to apply the permissions described above here: <a href="http://www.itefix.no/i2/node/37">http://www.itefix.no/i2/node/37</a>)
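
The permission steps above, scripted with net.exe and icacls as an added example (not from the original post or from the copSSH project).  The grants in steps 4 and 5 take effect because an explicit allow set on a folder is evaluated before a deny inherited from the drive root.  Assumptions: an elevated PowerShell prompt, the group, user and install path named in the post, and "D:\sftp\myuser" as a hypothetical data folder.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Group, user and install path are the ones the post names; $UserFolders is hypothetical.
$Group       = 'SFTP_Users'
$User        = 'myuser'
$CopSshDir   = 'C:\Program Files\ICW'
$UserFolders = @('D:\sftp\myuser')   # hypothetical folder(s) the user may read/write

# Steps 1-2: create the group and the account, then add the account to the group.
net localgroup $Group /add
net user $User '*' /add              # "*" makes net.exe prompt for the password
net localgroup $Group $User /add

# Step 3: deny the group full control on every fixed drive root. (OI)(CI) makes the
# deny inherit to files and subfolders, so on a full drive this can take a while.
$roots = [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Fixed' } |
    ForEach-Object { $_.Name }       # e.g. "C:\"
foreach ($root in $roots) {
    icacls $root /deny "${Group}:(OI)(CI)F"
}

# Step 4: explicit read/execute on the copSSH folder, which holds etc/passwd and
# the users' /home directories. Without it the user cannot log in at all.
icacls $CopSshDir /grant "${Group}:(OI)(CI)RX"

# Step 5: explicit modify (read/write/delete) for this user on their data folders only.
foreach ($dir in $UserFolders) {
    icacls $dir /grant "${User}:(OI)(CI)M"
}

# Step 6 (activating the user) is done in the copSSH GUI and is not scripted here.

# Review the result: each path should list the DENY entry (inherited, marked "(I)",
# below the drive root) and the explicit allow entries added above.
foreach ($path in @($roots) + $CopSshDir + $UserFolders) {
    icacls $path
}
```

Before handing out the account, log in as "myuser" over SFTP and confirm that a folder you did not open up returns "access denied".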

Now when the user logs in, they will be dropped into their personal home directory (i.e. "/home/username"), and they have access to any folders you opened up or gave them access to by manually changing to the correct directory (i.e. "/cygdrive/C/path/to/folder" -- where C represents the C: drive, and you can substitute for other drives like D, E, F, etc.)

If you want to drop the user into a particular default directory when they first log in, you can manually edit the etc/passwd file.  The next to last item (separated by ":") is the home directory.  If you forget to give the right permissions, or to open the folder up for the "SFTP_Users" group, then this user won't be able to log in at all.

Once you have this all done, your user should be able to SFTP into the system, get dropped into the correct folder, but if they wander anywhere else on the system, they should get "access denied" errors.  The user can still see the top level folders of each drive, but should not be able to see the contents of anything, thus making it much MORE secure than sshwindows.  Not ideal, but much improved.

Cheers
