SSH server - Restrict/Limit user access to a certain folder and subfolders
Hello,
I'm using SecureBridge with C++ Builder - BDS 2006 for the handling of an SFTP server. However, I would like to restrict the accessibility of users to a specific folder and subfolders when using the SSH protocol, as for the SFTP protocol. Is it possible? Currently I see that it is possible to navigate within the entire disk content when using the SSH protocol.
- Devart Team
- Posts: 70
- Joined: Wed 02 Jun 2021 09:30
Re: SSH server - Restrict/Limit user access to a certain folder and subfolders
Hi Gian!
Thank you for your question!
Please try to process TScSFTPServer.OnOpenFile as mentioned in this topic:
viewtopic.php?p=95211#p95211
Let us know if you have other questions!
Regards,
Vitaliy
Devart team
Re: SSH server - Restrict/Limit user access to a certain folder and subfolders
Hi Vitaly,
Thanks for your kind reply. I am mainly interested in limiting browsing while using the SSH protocol, not SFTP, for which I am not addressing this issue.
I noticed that I can browse the entire computer when the SFTP server is running, with the PuTTY utility, which uses the SSH protocol, and of course this is quite dangerous.
Re: SSH server - Restrict/Limit user access to a certain folder and subfolders
Hi Gian,
The SSH protocol is intended only for secure data transfer between the client and the server, and is not responsible for the environment of the SSH server itself.
Thus, the SSH server accepts data from the client and transmits it further. In the described case, the data is transferred to the SFTP server, which should be responsible for the security of working with the file system.
Therefore, it is not possible to configure restrictions for working with the file system in the SSH server itself.
Regards,
Vitaliy
Re: SSH server - Restrict/Limit user access to a certain folder and subfolders
Hi Vitaly,
It makes a lot of sense that the SFTP server must take care of the security, but then I don't understand how I can manage this matter by catching the necessary events. I assigned some callbacks to the SFTP server that are fired when an SFTP client is used, but are not fired when an SSH client is browsing the folders or deletes a file. Here's a portion of my code; I had to use a helper object because there are conflicts with the SB include files in other cpp units. The OpenDirectory and the RemoveFile events are not fired when using an SSH client.

    try
    {
        // SFTP server: root folder and event handlers
        pScSFTPServer->DefaultRootPath = sRootPath;
        pScSFTPServer->OnOpenDirectory = pSFTP_ServerHelper->OnFTPServerOpenDirectoryEvent;
        pScSFTPServer->OnReadDirectory = pSFTP_ServerHelper->OnFTPServerReadDirectoryEvent;
        pScSFTPServer->OnRemoveFile = pSFTP_ServerHelper->OnFTPServerRemoveFileEvent;
        // Key storage location
        pScFileStorage->Path = sCertificatePath;
        // SSH server: port, RSA host key, storage and attached SFTP server
        pScSSHServer->Port = iPortNr;
        pScSSHServer->KeyNameRSA = "SCSKey";
        pScSSHServer->HostKeyAlgorithms = Scutils::TScAsymmetricAlgorithms() << aaRSA;
        pScSSHServer->Storage = pScFileStorage;
        pScSSHServer->SFTPServer = pScSFTPServer;
        pScSSHServer->Active = true;
        return(true);
    }
    catch (Exception &Ex)
    {
        sErrorMessage = Ex.Message;
        return(false);
    }
Re: SSH server - Restrict/Limit user access to a certain folder and subfolders
Hi Gian,
Unfortunately, we were unable to reproduce the issue where the OnOpenDirectory and OnRemoveFile events are not firing.
Can you please clarify, what do you mean by an SSH client that works with the filesystem?
Is this an SFTP client? If so, which client are you using?
Regards,
Vitaliy
Re: SSH server - Restrict/Limit user access to a certain folder and subfolders
Hello Vitaly,
When I start my SFTP server, running with the code above, I open an SSH connection using the utility PuTTY, which can be downloaded from the web site:
https://www.chiark.greenend.org.uk/~sgtatham/putty/
With the following settings:
Host name: 127.0.0.1
Port: 22
Connection type: SSH
Then enter the SFTP user credentials:
login as: MyUsername
MyUsername@127.0.0.1's password: MyPassword
Then PuTTY opens a "Command Prompt"-like window, with which it is possible to navigate within the entire disk and use the commands CD, DIR, DEL and so on, without any limitation of access.
In practice: if I access with an SFTP client, I can effectively navigate only within the "root folder" and below and the mentioned events are fired, but accessing with an SSH client, I can do everything and the events are not fired.
Thank you
Re: SSH server - Restrict/Limit user access to a certain folder and subfolders
Hi Gian,
In this case, you are not using the SFTP protocol, but the OS shell.
The server simply launches the system command line interpreter, which is launched on behalf of the SSH user, which corresponds to the specifics of the SSH protocol. We cannot affect the system shell settings. You can deny or allow access to this option for each user.
Please let me know if you can configure shell permissions on some third party SSH server?
Regards,
Vitaliy
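The distinction made in the reply above can be seen at the protocol level: PuTTY asks the server for a "shell" channel, while an SFTP client asks for the "sftp" subsystem, so SFTP events and the root path never apply to the former. The following is an added example, not SecureBridge code and not from the thread; it parses an SSH channel request as laid out in RFC 4254 and applies a default-deny per-user policy. `UserPolicy`, `ChannelRequest` and the function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical per-user policy (field names are assumptions, not SecureBridge properties).
struct UserPolicy { bool allow_shell; bool allow_sftp; };
struct ChannelRequest { std::string type, argument; };  // argument: subsystem name or command

// Read an SSH "string": uint32 big-endian length, then that many bytes.
static bool read_string(const std::vector<uint8_t>& b, size_t& pos, std::string& out) {
    if (b.size() - pos < 4) return false;
    size_t n = (size_t(b[pos]) << 24) | (size_t(b[pos + 1]) << 16) |
               (size_t(b[pos + 2]) << 8) | size_t(b[pos + 3]);
    pos += 4;
    if (b.size() - pos < n) return false;  // declared length runs past the message
    out.assign(b.begin() + pos, b.begin() + pos + n);
    pos += n;
    return true;
}

// Parse SSH_MSG_CHANNEL_REQUEST (RFC 4254, section 5.4): byte 98, uint32 recipient
// channel, string request type, boolean want-reply, then type-specific data.
bool parse_channel_request(const std::vector<uint8_t>& msg, ChannelRequest& req) {
    if (msg.size() < 5 || msg[0] != 98) return false;
    size_t pos = 5;
    if (!read_string(msg, pos, req.type) || pos >= msg.size()) return false;
    ++pos;  // skip the want-reply byte
    if (req.type == "subsystem" || req.type == "exec") return read_string(msg, pos, req.argument);
    return true;
}

// Default deny: only the "sftp" subsystem reaches the SFTP server and its events;
// "shell", "exec" and "pty-req" lead to the OS command interpreter instead.
bool is_allowed(const UserPolicy& p, const std::vector<uint8_t>& msg) {
    ChannelRequest r;
    if (!parse_channel_request(msg, r)) return false;
    if (r.type == "subsystem") return p.allow_sftp && r.argument == "sftp";
    if (r.type == "shell" || r.type == "exec" || r.type == "pty-req") return p.allow_shell;
    return false;
}

// Constructed sample messages (channel 0, want-reply = 1); not captured traffic.
const std::vector<uint8_t> SHELL_REQ = {98, 0,0,0,0, 0,0,0,5, 's','h','e','l','l', 1};
const std::vector<uint8_t> SFTP_REQ = {98, 0,0,0,0, 0,0,0,9, 's','u','b','s','y','s','t','e','m', 1,
                                       0,0,0,4, 's','f','t','p'};
```

With a policy of `{false, true}` the SFTP request is accepted and the shell request is refused, which is the per-user behaviour the reply refers to.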