KpyM Telnet/SSH Server - Forum
Chroot Jail for SFTP
Dave Chroot Jail for SFTP
 
Any way of implementing this via the .ini or allusers.bat? Basically I want users to be "locked in" to their login directory & not to be able to wander around the HDD.

Thanks

Dave Wynne


Kroum Grigorov
 
You can "Chroot Jail" the users by setting the appropriate NTFS permissions on your HDD.
The KpyM SFTP will take into account the NTFS permissions for the currently logged in user.

Kroum


Guest
 
Thanks Kroum.

I'm from a Linux background & I've had a quick look at the Security Tab of the Properties of a folder, but can't see anything there that would "chroot jail" a user.

Can you help?

Thanks


Kroum Grigorov
 
I'm not a permissions expert so there might be a more flexible solution, but what I can suggest is to have a NO_ACCESS group that is explicitly denied access to all HDD folders but the desired "jail" folders. Then you can put your SFTP users in this NO_ACCESS group and the system will take care to force them to "stay" in their "jail" folders only.

[Image: l0c41://www.kpym.com/blog/images/noa.PNG]

Kroum


Dave KTS & Dreamweaver MX 2004
 
Kroum.

I've just hit another snag with Dreamweaver. Although the SFTP service works fine with FileZilla & sftp from a Linux command prompt, it won't work with Dreamweaver. I remember having to put an entry in the sshd_config file on Linux, as directed by the Dreamweaver support pages:

# Needed for Dreamweaver MX 2004
PasswordAuthentication yes
# End

How can I make the same changes with your .ini file?

Other than that I can't think of a single reason why Dreamweaver won't work.

Incidentally, if I wanted to modify your C++ source code to implement a "chroot jail", where should I start looking to do this?

Thanks again

Dave


Kroum Grigorov
 
If I get it right, the PasswordAuthentication option just forces sshd to always use "password authentication". KTS will always and only use password authentication, so I don't think this is the issue.

I guess that Dreamweaver is using some bizarre sftp mode that is not implemented in KTS (KTS is really far from implementing all of the SSH/SFTP protocol, it has just the minimum that is good enough for most people).

I will have a look at this issue these days but I don't think there will be a solution soon.

> Incidentally, if I wanted to modify your C++ source code to implement a "chroot jail", where should I start looking to do this?

You can have a look at the KSftp.hxx file.
The functions that are of interest are:
ls_safe
md_safe
rd_safe
cd_safe
del_safe
ren_safe
write_safe
read_safe
one for each of the file operations (ls/md/cd/...)

Kroum
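
As an added illustration of the kind of path check a "chroot jail" inside one of the `*_safe` functions named above could perform (this is not KTS source code; `jail_resolve`, its parameters and the sample paths are hypothetical, and it assumes each operation receives the client's path as a string):

```cpp
// Added example, not KTS source: jail_resolve() and its parameters are hypothetical.
#include <iostream>
#include <string>
#include <vector>

// Map a client-supplied SFTP path onto a real path under jail_root.
// virtual_cwd is the session's current directory as the client sees it ("/" = jail root).
// Returns false if the request would leave the jail. The check is purely lexical:
// junctions or symlinks inside the jail still have to be contained by NTFS permissions.
bool jail_resolve(const std::string& jail_root, const std::string& virtual_cwd,
                  std::string requested, std::string& real_out) {
    for (char& c : requested)
        if (c == '\\') c = '/';                      // accept both separators
    // Absolute requests start at the virtual root, relative ones at the cwd.
    std::string full = (!requested.empty() && requested[0] == '/')
                           ? requested : virtual_cwd + "/" + requested;
    full.push_back('/');                             // flushes the last segment
    std::vector<std::string> parts;
    std::string seg;
    for (char c : full) {
        if (c != '/') { seg.push_back(c); continue; }
        if (seg == "..") {
            if (parts.empty()) return false;         // would climb above the jail root
            parts.pop_back();
        } else if (!seg.empty() && seg != ".") {
            // ':' covers drive letters (C:) and alternate data streams (file:stream).
            if (seg.find(':') != std::string::npos) return false;
            // Win32 strips trailing dots and spaces from names, so "docs. " would
            // alias "docs"; reject instead of guessing.
            if (seg.back() == '.' || seg.back() == ' ') return false;
            parts.push_back(seg);
        }
        seg.clear();
    }
    std::string real = jail_root;
    for (const std::string& p : parts) real += "\\" + p;
    real_out = real;                                 // only written on success
    return true;
}

int main() {
    std::string real;
    const char* samples[] = {"site/index.html", "../../Windows", "C:\\boot.ini"};  // constructed
    for (const char* s : samples)
        std::cout << s << " -> "
                  << (jail_resolve("D:\\sftp\\dave", "/", s, real) ? real : "DENIED") << "\n";
}
```
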


Davc Chroot Jail for SFTP
 
Kroum,
thanks again. I hope you had a nice break wherever you went. I missed out a rather important comment which makes the Dreamweaver issue more clear:

# To disable tunneled clear text passwords, change to no here!

# D.Wynne 26/10/06
# Needed for Dreamweaver MX 2004
PasswordAuthentication yes
# End

So tunneled clear text passwords need to be enabled. It's mentioned on an Adobe TechNote:

l0c41://kb.adobe.com/selfservice/viewContent.do?externalId=tn_19491

Dave


 

© 2007 - 2008 Kroum Grigorov