Lock down CYGWIN SSH User to single directory.


JMCColorado
Is there any way to only allow a user SSH access to a single directory tree?
I need to lock the user out of EVERYTHING else.

Thanks in advance for any replies!

- JMC


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Re: Lock down CYGWIN SSH User to single directory.

Corinna Vinschen-2
On Nov 17 17:18, JMCColorado wrote:
> Is there any way to only allow a user SSH access to a single directory tree?
> I need to lock the user out of EVERYTHING else.

The file and directory permissions are the key.  Cygwin can only lock
the user as far as the underlying permissions go.  After all, Cygwin
isn't the OS.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat, Inc.


Re: Lock down CYGWIN SSH User to single directory.

René Berber-2
In reply to this post by JMCColorado
JMCColorado wrote:

> Is there any way to only allow a user SSH access to a single directory tree?
> I need to lock the user out of EVERYTHING else.

You need something like this:

  http://olivier.sessink.nl/jailkit/index.html#intro

It hasn't been tested under the Cygwin environment and it's not trivial to install.

Another option is to use a patched sshd that supports 'ChrootGroups' or
'ChrootUsers', there is:

  http://chrootssh.sourceforge.net/

Since chroot is part of the Cygwin's coreutils package, it may work.

I haven't used any of these, nor do I need it (so far), but it would be
interesting to hear if anyone had any success with this.

HTH
--
René Berber



Re: Lock down CYGWIN SSH User to single directory.

JMCColorado
René Berber <r.berber <at> computer.org> writes:

>
> JMCColorado wrote:
>
> > Is there any way to only allow a user SSH access to a single directory tree?
> > I need to lock the user out of EVERYTHING else.
>
> You need something like this:
>
>   http://olivier.sessink.nl/jailkit/index.html#intro
>
> It hasn't been tested under the Cygwin environment and it's not trivial to
> install.
>
> Another option is to use a patched sshd that supports 'ChrootGroups' or
> 'ChrootUsers', there is:
>
>   http://chrootssh.sourceforge.net/
>
> Since chroot is part of the Cygwin's coreutils package, it may work.
>
> I haven't used any of these, nor do I need it (so far), but it would be
> interesting to hear if anyone had any success with this.
>
> HTH


I have heard that CHRoot might work, but I have also heard that it still allows
someone to SCP outside of where they can SSH to.

I need to ensure that the user can't get anywhere but the one directory I want
them to have access to. Unfortunately, with Windows giving "Everyone" access to
just about everything, this seems very difficult to do.

Any more ideas?

Thanks for everyone's input!

- Josh



Re: Lock down CYGWIN SSH User to single directory.

Corinna Vinschen-2
On Nov 17 20:08, JMCColorado wrote:
> René Berber <r.berber <at> computer.org> writes:
> >   http://chrootssh.sourceforge.net/
>
> I have heard that CHRoot might work, but I have also heard that it
> still allows someone to SCP outside of where they can SSH to.

The chroot system call only works inside Cygwin.  As soon as Windows
native tools are involved, you've lost since a chroot concept just
doesn't exist on Windows.

> I need to ensure that the user can't get anywhere but the one
> directory I want them to have access to. Unfortunately, with Windows
> giving "Everyone" access to just about everything, this seems very
> difficult to do.
>
> Any more ideas?

As I said, as the administrator you're responsible to set the permissions
correctly.  It's not as simple as "everyone has access".  There are
knowledge base articles and white papers from Microsoft about
controlling user access.


Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat, Inc.
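
The replies above put the real boundary in the Windows file permissions rather than in chroot. As an added example (not part of the original thread), this Python sketch parses `icacls` listings and reports every path outside the permitted tree that a broad built-in group can still reach. The account `HOST\sshuser`, the paths and the sample listings are constructed, and the group names assume an English-language Windows install.

```python
import ntpath
import re

# Groups every ordinary local account is in (English names; an assumption).
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
INHERIT = {"I", "OI", "CI", "IO", "NP"}   # inheritance markers, not rights
ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")

def parse_icacls(path, text):
    """Return [(principal, [flag, ...])] parsed from `icacls <path>` output."""
    aces = []
    for line in text.splitlines():
        if line.startswith(path):          # first line is "<path> <ACE>"
            line = line[len(path):]
        m = ACE.match(line.strip())        # blanks and the summary line fail
        if m:
            aces.append((m["who"], re.findall(r"\(([^)]*)\)", m["flags"])))
    return aces

def broad_grants(path, text):
    """Allow ACEs on path held by groups the SSH account belongs to anyway."""
    hits = []
    for who, flags in parse_icacls(path, text):
        rights = [f for f in flags if f not in INHERIT]
        if who.lower() in BROAD and not {"DENY", "N"} & set(rights):
            hits.append((who, ",".join(rights)))
    return hits

def inside(path, root):
    """Case-insensitive test that path is root or lies below it."""
    p, r = ntpath.normcase(path), ntpath.normcase(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")

def audit(listings, allowed_root):
    """Map each path outside allowed_root to the broad grants exposing it."""
    return {p: g for p, t in listings.items()
            if not inside(p, allowed_root) and (g := broad_grants(p, t))}

# Constructed sample output (not captured from a real host).
SAMPLE = {
    r"C:\sshdata\upload": r"""C:\sshdata\upload HOST\sshuser:(OI)(CI)(M)
                  BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files""",
    r"C:\Projects": r"""C:\Projects Everyone:(OI)(CI)(F)
            BUILTIN\Users:(I)(OI)(CI)(RX)""",
    r"C:\Finance": r"""C:\Finance BUILTIN\Users:(DENY)(W)
           BUILTIN\Administrators:(OI)(CI)(F)""",
}
```

Calling `audit(SAMPLE, r"C:\sshdata\upload")` flags only `C:\Projects`; any path it returns stays reachable by the SSH account through native Windows tools regardless of a Cygwin chroot.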
