Enabling/Disabling shell access for individual users

Discussion of open issues, suggestions and bugs regarding network security and data protection solution - SecureBridge
scarre
Posts: 4
Joined: Wed 09 Jan 2013 15:27

Enabling/Disabling shell access for individual users

Post by scarre » Fri 09 Mar 2018 15:56

I'm using SecureBridge v8.1.3 to implement an SSH and SFTP server. How can I define which users can have shell access (CMD) or not?

When I create a user, I can define this user's HomePath, so that he/she cannot navigate outside of that HomePath with SFTP. However, that user also automatically has the same shell access (CMD) as every other user, linked to the account that runs the server executable or service, and potentially with access rights that do not match the SFTP access.

How can I give shell access to certain users and prevent shell access for others? In Linux, you can force a specific user to nologin; however, this concept seems to be missing from SecureBridge.

Looking forward to your comments.

cboling
Posts: 24
Joined: Fri 12 Apr 2013 01:00

Re: Enabling/Disabling shell access for individual users

Post by cboling » Sat 10 Mar 2018 00:07

Here's half of a possible answer:

In the BeforeShellConnect event:

Code:

    if clientinfo.User = 'a_bad_user' then
      { reject the shell here; how to disconnect from this event is the open question }
      disconnect_them_somehow;

scarre
Posts: 4
Joined: Wed 09 Jan 2013 15:27

Re: Enabling/Disabling shell access for individual users

Post by scarre » Mon 12 Mar 2018 11:01

Indeed, I was thinking about using this event, and will definitely try.
However, I think it would be nice to simply have a property "AllowCMDShellAccess" (True/False) in TScUser.
In many cases, you want to provide some users with secure tunnelling through standard port 22 for a specific service hosted on the server, without providing shell access to the server at the same time.

ViktorV
Devart Team
Posts: 3168
Joined: Wed 30 Jul 2014 07:16

Re: Enabling/Disabling shell access for individual users

Post by ViktorV » Mon 12 Mar 2018 12:45

Currently, to solve your task, you should use the TScSSHServer.BeforeShellConnect event handler.
If you want us to implement the feature "AllowCMDShellAccess", please post it at our user voice forum: https://devart.uservoice.com/forums/174370-securebridge. If the suggestion gets a lot of votes, we will consider the possibility of implementing it.

cboling
Posts: 24
Joined: Fri 12 Apr 2013 01:00

Re: Enabling/Disabling shell access for individual users

Post by cboling » Mon 12 Mar 2018 15:45

Just for completeness, what is a good & correct way to disconnect the user from within this event handler?

ViktorV
Devart Team
Posts: 3168
Joined: Wed 30 Jul 2014 07:16

Re: Enabling/Disabling shell access for individual users

Post by ViktorV » Wed 14 Mar 2018 08:36

Unfortunately, at the moment, SecureBridge does not allow you to implement the specified functionality. We will consider the possibility of adding this functionality in one of the next releases of SecureBridge.

scarre
Posts: 4
Joined: Wed 09 Jan 2013 15:27

Re: Enabling/Disabling shell access for individual users

Post by scarre » Thu 15 Mar 2018 13:02

I think that the current implementation may thus have a serious security flaw...

As a matter of fact, as soon as a user is defined for TScSSHServer, this user automatically has shell access (CMD). So, even if the intent is not to let the user peek around the server machine's files, there is no restriction in CMD that would prevent them from reading and even copying almost any file on the server...

The fact that TScSFTPServer constrains the user to his HomePath (when using SFTP) can easily be circumvented: log in via any SSH client supporting a pty (PuTTY, Linux ssh, etc.), navigate to whatever directory or file you like with CMD (including the HomePath of other users), copy the files to your HomePath, and off you go!

Please correct me if the scenario above is wrong, but I tend to think that a user property "AllowCMDShellAccess" defaulting to False is pretty much a security requirement...

An alternative would be to propose a custom shell (not CMD), which would respect the constraint of the user HomePath.
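
For comparison, here is the per-user policy this thread asks for (SFTP confined to the home directory, or a port-22 tunnel only, with no shell either way) as the OpenSSH server expresses it in sshd_config. This is an added illustration for readers, not SecureBridge code and not from anyone in this thread; the group name "sftponly", the user "tunnelonly", the /srv/sftp path and the forwarded port are assumptions.

```sshd_config
# Added illustration (OpenSSH sshd_config), not SecureBridge configuration.
# Assumed names: group "sftponly", user "tunnelonly", homes under /srv/sftp.
# Match blocks must come after the global directives in sshd_config.

# SFTP-only users: confined to their home, no shell, no pty, no tunnelling.
# The ChrootDirectory itself must be owned by root and not group/world-writable,
# otherwise sshd refuses the login rather than chrooting into a writable root.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no

# Tunnel-only user (the "secure tunnelling through port 22" case raised above):
# local port forwarding to one service is allowed, but any shell or exec
# request is replaced by a command that exits at once, so "ssh -N -L ..."
# works and an interactive session does not.
Match User tunnelonly
    PermitTTY no
    ForceCommand /bin/false
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:5432
    AllowAgentForwarding no
    X11Forwarding no
```

Validate the file with `sshd -t` before reloading the service; a Match block that is placed before global directives or a chroot with the wrong ownership is reported there rather than at the first failed login.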

ViktorV
Devart Team
Posts: 3168
Joined: Wed 30 Jul 2014 07:16

Re: Enabling/Disabling shell access for individual users

Post by ViktorV » Mon 19 Mar 2018 13:13

We will consider adding the feature "AllowCMDShellAccess" in one of the next releases of SecureBridge.
