Restrict SFTP client to one remote folder
Hi,
Could you please advise how to restrict an SFTP client so it can only upload to a specific folder?
I assume this must be done on the server side, but how should this be set up?
Regards.
Re: Restrict SFTP client to one remote folder
Using one specific folder for uploading on the client side depends on the client application's implementation. For this, call the TScSFTPClient.Open method and pass only this folder.
Setup of the server side depends on the particular SFTP server, and SecureBridge can't influence it.
Re: Restrict SFTP client to one remote folder
Hi,
Wouldn't it be possible to block opening other folders on the server side (using SCFTPServer)?
Regards.
Re: Restrict SFTP client to one remote folder
To solve the issue, you can handle the TScSFTPServer.OnOpenFile event and return a proper exception on an attempt to open other folders.
Re: Restrict SFTP client to one remote folder
Thank you for the suggestion. Will test this.
Re: Restrict SFTP client to one remote folder
If you have any other questions, feel free to contact us.
Re: Restrict SFTP client to one remote folder
Hi,
I still have a few questions.
1. How can a proper exception be returned?
Which value should be returned (assuming using variable Error: TScSFTPError)?
2. Files are uploaded to the SFTP server via UploadFile(LocalFileName, RemoteFileName, True). The RemoteFileName is only the filename, so no path is specified and the uploaded file is stored in the SFTP server folder.
Is it possible to put the uploaded file in a different folder (not the SFTP server folder) while RemoteFileName only contains a filename?
3. How can a message (string) be sent to the client? Must this be done via SendToClient?
Are there examples of how to do this?
Re: Restrict SFTP client to one remote folder
1. If you use your own event handler, you should set the Error.ErrorCode and Error.ErrorMessage properties to proper values. These values will be sent to the SFTP client. Set Error.ErrorCode to the erOk value on correct event execution. For example:

procedure TSFTPClientFrame.ScSFTPServerOpenFile(Sender: TObject;
  SFTPSessionInfo: TScSFTPSessionInfo; const FileName: string;
  const OpenAttributes: TScSFTPFileOpenAttributes; var Data: TObject;
  var Error: TScSFTPError);
begin
  ScSFTPServer.DefaultOpenFile(SFTPSessionInfo, FileName, OpenAttributes, Data, Error);
  ...
  Error.ErrorCode := erOk;
end;

If you don't use a specific event handler, TScSFTPServer processes the event and returns the result to the client. In this case, you can't influence this result.
2. The Destination parameter of the TScSFTPClient.UploadFile method holds the destination path (not only the file name) to copy the file to. If this path starts with "DRIVE_NAME:\" or a "\" symbol, then the SFTP server considers this path as absolute; in any other case, the SFTP server considers the path as relative to TScSFTPSessionInfo.HomePath.
3. You can set the message about event execution to the Error.ErrorMessage property in the event handler (see p.1).
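One way to implement the folder check inside an OnOpenFile handler, as an added example that is not part of the original thread and not SecureBridge's own code: it resolves the client path by the rule described in the reply above and refuses anything that ends up outside one folder. TServerForm, AllowedUploadDir and IsInsideFolder are hypothetical names, and erPermissionDenied is assumed to be a member of the same error-code enumeration as erOk (check it against your installed version).

```delphi
// Fragment for the implementation section of the unit that owns the server.
uses
  System.SysUtils, System.StrUtils;

const
  AllowedUploadDir = 'C:\sftp\upload'; // hypothetical folder clients may write to

// Resolves ClientPath by the rule in the reply above (absolute when it starts
// with a drive or "\", otherwise relative to HomePath) and reports whether
// the canonical result lies inside AllowedRoot.
function IsInsideFolder(const HomePath, AllowedRoot, ClientPath: string): Boolean;
var
  Native, Full, Root: string;
begin
  Result := False;
  if ClientPath = '' then
    Exit;
  // SFTP clients usually send "/" separators; normalise before testing.
  Native := StringReplace(ClientPath, '/', PathDelim, [rfReplaceAll]);
  if IsPathDelimiter(Native, 1) or (ExtractFileDrive(Native) <> '') then
    Full := Native
  else
    Full := IncludeTrailingPathDelimiter(HomePath) + Native;
  // ExpandFileName collapses "." and ".." segments, so "a\..\..\x" is caught.
  // It does not resolve symbolic links or junctions.
  Full := ExpandFileName(Full);
  Root := IncludeTrailingPathDelimiter(ExpandFileName(AllowedRoot));
  // The trailing delimiter keeps "C:\sftp\upload_old" from matching the root.
  Result := StartsText(Root, Full);
end;

procedure TServerForm.ScSFTPServerOpenFile(Sender: TObject;
  SFTPSessionInfo: TScSFTPSessionInfo; const FileName: string;
  const OpenAttributes: TScSFTPFileOpenAttributes; var Data: TObject;
  var Error: TScSFTPError);
begin
  if not IsInsideFolder(SFTPSessionInfo.HomePath, AllowedUploadDir, FileName) then
  begin
    Error.ErrorCode := erPermissionDenied; // assumed enum member, see lead-in
    Error.ErrorMessage := 'Access outside the upload folder is denied';
    Exit;
  end;
  // Inside the folder: hand the request, including Error, to the component.
  ScSFTPServer.DefaultOpenFile(SFTPSessionInfo, FileName, OpenAttributes, Data, Error);
end;
```

This guards file opens only; any other file-system event the server exposes needs the same check before it touches the disk.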
Re: Restrict SFTP client to one remote folder
Hi,
Thank you for the information.
About question 3.
Would it be possible to receive a message after connecting to the SFTP server but before uploading a file? How can the message be sent from server to client?
Re: Restrict SFTP client to one remote folder
Unfortunately, the SFTP protocol does not support message transfer directly.
Re: Restrict SFTP client to one remote folder
But the SSH Server could do that I imagine (SFTP server is part of SSH server)?
Re: Restrict SFTP client to one remote folder
You can use two workarounds for this issue.
1. An approach with modifying the SecureBridge source code: you can modify the SFTP protocol for your needs. For this, add message processing in the TScSFTPClient.ProcessResult method.
2. An approach without modifying the SecureBridge source code: create a separate client channel only for message exchange with the SSH server. For this, set the TScSSHChannel.Direct property to True and use the TScSSHChannel.ReadBuffer and TScSSHChannel.WriteBuffer methods for receiving and sending data packets on the client.
To handle data on the server, set Direct to True in the TScSSHServer.BeforeChannelConnect event handler. For receiving and sending data, use the TScSSHServer.OnDataFromClient and TScSSHServer.OnDataToClient events.
Re: Restrict SFTP client to one remote folder
Thank you for the suggestions.
Re: Restrict SFTP client to one remote folder
If any other questions come up, please contact me.