SSH server - Restrict/Limit user access to a certain folder and subfolders

Discussion of open issues, suggestions and bugs regarding network security and data protection solution - SecureBridge
Gian
Posts: 4
Joined: Sun 24 Apr 2016 03:25

SSH server - Restrict/Limit user access to a certain folder and subfolders

Post by Gian » Fri 30 Jul 2021 04:08

Hello,

I'm using SecureBridge with C++ Builder - BDS 2006 for the handling of an SFTP server. However, I would like to restrict the accessibility of users to a specific folder and subfolders when using the SSH protocol, as for the SFTP protocol. Is it possible? Currently I see that it is possible to navigate within the entire disk content when using the SSH protocol.

YanishevskiyVI
Devart Team
Posts: 70
Joined: Wed 02 Jun 2021 09:30

Re: SSH server - Restrict/Limit user access to a certain folder and subfolders

Post by YanishevskiyVI » Wed 04 Aug 2021 13:18

Hi Gian!

Thank you for your question!

Please try to process TScSFTPServer.OnOpenFile as mentioned in this topic:
viewtopic.php?p=95211#p95211

Let us know if you have other questions!

Regards,
Vitaliy
Devart team

Gian
Posts: 4
Joined: Sun 24 Apr 2016 03:25

Re: SSH server - Restrict/Limit user access to a certain folder and subfolders

Post by Gian » Sat 07 Aug 2021 07:55

Hi Vitaly,

Thanks for your kind reply. I am mainly interested in limiting browsing while using the SSH protocol, not SFTP, for which I am not addressing this issue.

I noticed that I can browse the entire computer when the SFTP server is running, with the PuTTY utility, which uses the SSH protocol, and of course this is quite dangerous.

YanishevskiyVI
Devart Team
Posts: 70
Joined: Wed 02 Jun 2021 09:30

Re: SSH server - Restrict/Limit user access to a certain folder and subfolders

Post by YanishevskiyVI » Mon 09 Aug 2021 12:02

Hi Gian,

The SSH protocol is intended only for secure data transfer between the client and the server, and is not responsible for the environment of the SSH server itself.

Thus, the SSH server accepts data from the client and transmits it further. In the described case, the data is transferred to the SFTP server, which should be responsible for the security of working with the file system.

Therefore, it is not possible to configure restrictions for working with the file system in the SSH server itself.

Regards,
Vitaliy

Gian
Posts: 4
Joined: Sun 24 Apr 2016 03:25

Re: SSH server - Restrict/Limit user access to a certain folder and subfolders

Post by Gian » Tue 10 Aug 2021 05:46

Hi Vitaly,

It makes perfect sense that the SFTP server must take care of the security, but then I don't understand how I can manage this matter by catching the necessary events. I assigned some callbacks to the SFTP server that are fired when an SFTP client is used, but are not fired when an SSH client is browsing the folders or deletes a file. Here's a portion of my code; I had to use a helper object because there are conflicts with the SB include files in other cpp units. The OpenDirectory and the RemoveFile events are not fired when using an SSH client.

    try
    {
        // SFTP server: root folder and file-system event callbacks
        pScSFTPServer->DefaultRootPath = sRootPath;
        pScSFTPServer->OnOpenDirectory = pSFTP_ServerHelper->OnFTPServerOpenDirectoryEvent;
        pScSFTPServer->OnReadDirectory = pSFTP_ServerHelper->OnFTPServerReadDirectoryEvent;
        pScSFTPServer->OnRemoveFile = pSFTP_ServerHelper->OnFTPServerRemoveFileEvent;

        // File storage used by the SSH server
        pScFileStorage->Path = sCertificatePath;

        // SSH server: port, RSA host key, storage and the attached SFTP server
        pScSSHServer->Port = iPortNr;
        pScSSHServer->KeyNameRSA = "SCSKey";
        pScSSHServer->HostKeyAlgorithms = Scutils::TScAsymmetricAlgorithms() << aaRSA;
        pScSSHServer->Storage = pScFileStorage;
        pScSSHServer->SFTPServer = pScSFTPServer;
        pScSSHServer->Active = true;

        return(true);
    }
    catch (Exception &Ex)
    {
        // Report the failure text to the caller
        sErrorMessage = Ex.Message;

        return(false);
    }

YanishevskiyVI
Devart Team
Posts: 70
Joined: Wed 02 Jun 2021 09:30

Re: SSH server - Restrict/Limit user access to a certain folder and subfolders

Post by YanishevskiyVI » Fri 13 Aug 2021 10:14

Hi Gian,

Unfortunately, we were unable to reproduce the issue where the OnOpenDirectory and OnRemoveFile events are not firing.

Can you please clarify, what do you mean by an SSH client that works with the filesystem?
Is this an SFTP client? If so, which client are you using?

Regards,
Vitaliy

Gian
Posts: 4
Joined: Sun 24 Apr 2016 03:25

Re: SSH server - Restrict/Limit user access to a certain folder and subfolders

Post by Gian » Fri 20 Aug 2021 13:19

Hello Vitaly,

When I start my SFTP server, running with the code above, I open an SSH connection using the utility PuTTY, which can be downloaded from the web site:
https://www.chiark.greenend.org.uk/~sgtatham/putty/

With the following settings:
Host name: 127.0.0.1
Port: 22
Connection type: SSH

Then enter the SFTP user credentials:
login as: MyUsername
[email protected]'s password: MyPassword

Then PuTTY opens a "Command Prompt" like window, with which it is possible to navigate within the entire disk and use the commands: CD, DIR, DEL and so on, without any limitation of access.

In practice: if I access with an SFTP client, I can effectively navigate only within the "root folder" and below and the mentioned events are fired, but accessing with an SSH client, I can do everything and the events are not fired.

Thank you

YanishevskiyVI
Devart Team
Posts: 70
Joined: Wed 02 Jun 2021 09:30

Re: SSH server - Restrict/Limit user access to a certain folder and subfolders

Post by YanishevskiyVI » Wed 25 Aug 2021 11:30

Hi Gian,

In this case, you are not using the SFTP protocol, but the OS shell.
The server simply launches the system command line interpreter, which is launched on behalf of the SSH user, which corresponds to the specifics of the SSH protocol. We cannot affect the system shell settings. You can deny or allow access to this option for each user.

Please let me know if you can configure shell permissions on some third party SSH server?

Regards,
Vitaliy
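
What the per-user shell switch mentioned in the last reply amounts to at the protocol level, as an added example (not code from this thread and not SecureBridge's API): a PuTTY session and an SFTP client send different session-channel requests, so an SFTP-only account is one whose shell-type requests are refused before any command interpreter starts. The `ChannelPolicy` struct, the function names and the sample accounts are hypothetical.

```cpp
#include <iostream>
#include <map>
#include <string>

// Hypothetical per-user policy. These names are illustrative, not SecureBridge API.
struct ChannelPolicy {
    bool allow_shell;  // interactive shell and remote command execution
    bool allow_sftp;   // the "sftp" subsystem only
};

// Decide one session-channel request (request types from RFC 4254, section 6).
// `arg` carries the subsystem name for "subsystem" requests. Default is deny.
bool permit_request(const ChannelPolicy& p, const std::string& type,
                    const std::string& arg = "") {
    if (type == "subsystem")
        return p.allow_sftp && arg == "sftp";
    // "exec" reaches the same OS command interpreter as "shell", so both are
    // gated together; "pty-req" is only useful ahead of one of them.
    if (type == "shell" || type == "exec" || type == "pty-req")
        return p.allow_shell;
    return false;  // unknown or unneeded request types are refused
}

// Constructed sample accounts: an SFTP-only user and an operator.
std::map<std::string, ChannelPolicy> sample_users() {
    return {{"MyUsername", ChannelPolicy{false, true}},
            {"operator", ChannelPolicy{true, true}}};
}

// Accounts without an explicit policy get nothing.
bool permit_for_user(const std::map<std::string, ChannelPolicy>& users,
                     const std::string& user, const std::string& type,
                     const std::string& arg = "") {
    auto it = users.find(user);
    return it != users.end() && permit_request(it->second, type, arg);
}

int main() {
    const auto users = sample_users();
    // What a terminal client sends, then what an SFTP client sends.
    std::cout << std::boolalpha
              << "MyUsername pty-req:        " << permit_for_user(users, "MyUsername", "pty-req") << "\n"
              << "MyUsername shell:          " << permit_for_user(users, "MyUsername", "shell") << "\n"
              << "MyUsername subsystem sftp: " << permit_for_user(users, "MyUsername", "subsystem", "sftp") << "\n";
    return 0;
}
```

The root-folder limit and the SFTP events from the code earlier in the thread only apply once a request has been routed to the SFTP subsystem, which is why they never fire for a shell session.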
