Enabling/Disabling shell access for individual users
I'm using SecureBridge v8.1.3 to implement an SSH and SFTP server. How can I define which users have shell access (CMD) and which do not?
When I create a user, I can define this user's HomePath, so that he/she cannot navigate outside of that HomePath with SFTP. However, that user also automatically has the same shell access (CMD) as every other user, linked to the account that runs the server executable or service, and potentially with access rights that do not match the SFTP access.
How can I give shell access to certain users and prevent shell access for others? In Linux, you can force a specific user to nologin; however, this concept seems to be missing from SecureBridge.
Looking forward to your comments.
Re: Enabling/Disabling shell access for individual users
Here's half of a possible answer:
In the BeforeShellConnect event:
    if clientinfo.User = 'a_bad_user' then
      disconnect_them_somehow
Re: Enabling/Disabling shell access for individual users
Indeed, I was thinking about using this event, and will definitely try.
However, I think it would be nice to simply have a property "AllowCMDShellAccess" (True/False) in TScUser.
In many cases, you want to provide some users with secure tunnelling through standard port 22 for a specific service hosted on the server, without providing shell access to the server at the same time.
Re: Enabling/Disabling shell access for individual users
Currently, to solve your task, you should use the TScSSHServer.BeforeShellConnect event handler.
If you want us to implement the feature "AllowCMDShellAccess", please post it at our user voice forum: https://devart.uservoice.com/forums/174370-securebridge. If the suggestion gets a lot of votes, we will consider the possibility to implement it.
Re: Enabling/Disabling shell access for individual users
Just for completeness, what is a good & correct way to disconnect the user from within this event handler?
Re: Enabling/Disabling shell access for individual users
Unfortunately, at the moment, SecureBridge does not allow you to implement the specified functionality. We will consider the possibility of adding this functionality in one of the next releases of SecureBridge.
Re: Enabling/Disabling shell access for individual users
I think that the current implementation may thus have a serious security flaw...
As a matter of fact, as soon as a user is defined for TScSSHServer, this user automatically has shell access (CMD). So, even if the intent is not to let the user peek around the server machine's files, there is no restriction in CMD that would prevent him from reading and even copying almost any file on the server...
The fact that TScSFTPServer constrains the user to his HomePath (when using SFTP) can easily be circumvented: log in via any SSH client supporting a pty (PuTTY, Linux ssh, etc.), navigate to whatever directory or file you like with CMD (including the HomePath of other users), copy the files to your HomePath, and off you go!
Please correct me if the scenario above is wrong, but I tend to think that a user property "AllowCMDShellAccess" defaulting to False is pretty much a security requirement...
An alternative would be to propose a custom shell (not CMD), which would respect the constraint of the user HomePath.
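As an added illustration of the point made in this thread (the per-user check sketched in the BeforeShellConnect post and the HomePath bypass described above), here is the general policy written out in Python. It is example code written for this discussion, not SecureBridge code, and it does not use the SecureBridge API: the User record, the policy functions and the sample accounts are constructed for the example. It goes beyond the pseudocode in two ways a defender cares about: an "exec" request is treated like a shell request (a command can be run without a pty or a "shell" request), and a port-forwarding-only account is modelled separately, so tunnelling through port 22 can be granted without granting CMD.

```python
"""
Per-user SSH channel policy for an SFTP server that also offers a shell.

Added example for this thread; not SecureBridge code and not its API.
It models the decisions an SSH server makes when a client opens a channel
("session" or "direct-tcpip", RFC 4254 sections 6 and 7) and then sends a
session request ("pty-req", "shell", "exec", "subsystem"). The channel and
request names are the real SSH ones; everything else here is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    home_path: str
    allow_shell: bool = False            # default deny: the property this thread asks for
    allow_port_forwarding: bool = False  # tunnelling via port 22 without a shell


# Each of these hands the client a command interpreter (CMD, sh, ...) on the
# server. "exec" is listed deliberately: `ssh host some-command` needs neither
# a pty nor a "shell" request, so denying only "shell" leaves exec open.
INTERPRETER_REQUESTS = frozenset({"pty-req", "shell", "exec"})

# Subsystems the server offers; SFTP is confined to the user's HomePath.
ALLOWED_SUBSYSTEMS = frozenset({"sftp"})


def channel_open(user: User, kind: str) -> Tuple[bool, str]:
    """Decide a channel-open request. Returns (allow, reason)."""
    if kind == "session":
        return True, f"{user.name}: session channel opened; per-request checks follow"
    if kind == "direct-tcpip":
        if user.allow_port_forwarding:
            return True, f"{user.name}: port forwarding enabled"
        return False, f"{user.name}: port forwarding not enabled"
    return False, f"{user.name}: unknown channel type {kind!r}"


def session_request(user: User, request: str,
                    subsystem: Optional[str] = None) -> Tuple[bool, str]:
    """Decide a request on an already-open session channel."""
    if request in INTERPRETER_REQUESTS:
        if user.allow_shell:
            return True, f"{user.name}: {request} allowed (allow_shell=True)"
        return False, f"{user.name}: {request} denied; account is SFTP-only"
    if request == "subsystem":
        if subsystem in ALLOWED_SUBSYSTEMS:
            return True, f"{user.name}: subsystem {subsystem} allowed, confined to {user.home_path}"
        return False, f"{user.name}: subsystem {subsystem!r} not offered"
    return False, f"{user.name}: request {request!r} not recognised"


def home_path_is_enforced(user: User) -> bool:
    """The SFTP HomePath restriction only holds if no interpreter path exists."""
    return not any(session_request(user, r)[0] for r in INTERPRETER_REQUESTS)


# Constructed sample accounts and a constructed sequence of client requests.
SFTP_ONLY = User("backup", "C:/sftp/backup")
TUNNEL_ONLY = User("dbclient", "C:/sftp/dbclient", allow_port_forwarding=True)
ADMIN = User("ops", "C:/sftp/ops", allow_shell=True)

SAMPLE_SESSION = [
    (SFTP_ONLY, "session", "subsystem", "sftp"),   # allowed: what the account is for
    (SFTP_ONLY, "session", "pty-req", None),       # denied: the bypass from this thread
    (SFTP_ONLY, "session", "exec", None),          # denied: no-pty variant of the same
    (TUNNEL_ONLY, "direct-tcpip", None, None),     # allowed: tunnel only
    (TUNNEL_ONLY, "session", "shell", None),       # denied: tunnel account gets no CMD
    (ADMIN, "session", "shell", None),             # allowed: explicitly granted
]


def audit(events=SAMPLE_SESSION) -> List[Tuple[str, bool, str]]:
    """Run the sample through the policy; one (user, allowed, reason) per event."""
    out = []
    for user, kind, request, subsystem in events:
        ok, reason = channel_open(user, kind)
        if ok and request is not None:
            ok, reason = session_request(user, request, subsystem)
        out.append((user.name, ok, reason))
    return out


if __name__ == "__main__":
    for _, ok, reason in audit():
        print(f"{'ALLOW' if ok else 'DENY ':5} {reason}")
```

The default-deny choice is the point: an account exists to use SFTP or a tunnel unless someone explicitly sets allow_shell, and home_path_is_enforced() makes the dependency visible, because a HomePath restriction on the SFTP subsystem says nothing about what the same credentials can reach through a shell or exec channel.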
Re: Enabling/Disabling shell access for individual users
We will consider adding the feature "AllowCMDShellAccess" in one of the next releases of SecureBridge.