KpyM Telnet/SSH Server - Forum
_Limiting access to a specific volume and folder
Greg _Limiting access to a specific volume and folder
We have set up a specific folder for SFTP file transfers. Following security best practice (never expose your operating system volume to the Internet), a D: drive was added to the Windows Server. A folder called \SFTP was created in the root. In the setup options for the SSH server, the sftp_root was set to D:\SFTP.

When connecting with WinSCP or pscp (makers of PuTTY), the SSH server doesn't "see" anything in the "root" which should actually be the D:\SFTP folder. There are several folders and the user has access to view the folders.

With WinSCP, I can use the "Open Directory/Bookmark" dialog and point it to C:\ or D:\ and it returns a FULL DIRECTORY LISTING of those folders.

With pscp, when I connect to the "root", it displays C$ and D$, but I cannot get it to any files/folders under D:\SFTP.

Very concerned that the SSH server is "offering" folders I never intended or expected to be "viewable" from the "outside" (which happens to be the Internet).

Any suggestions on what I am doing wrong??

Kroum Grigorov
Have a look at these posts on how to restrict your users to a folder


I can't change the permissions of my C: drive (operating system). Why is the SSH server displaying the contents of the C: drive when the sftp_root variable is pointing to D:\SFTP?? Why can I "break out" of the root? Why does it "advertise" the C$ and D$ "shares"... They really aren't even "shares" because the server service isn't even running on my server.

To re-create using pscp (available from PuTTY:

pscp -v -pw XXX -ls id@address:/C$

were XXX is the ID's password
id is an account on the SSH server
address is the ipaddress of the SSH server

If you try this, do you "see" a directory listing of your C: drive?

Filezilla is behaving the same way, displaying the contents of my C: drive...

Kroum Grigorov
Just to clear this out.
KTS does not imply any security restrictions on the running sessions itself.
It just starts the session under the user credentials and leaves the OS itself to take care for user security restrictions, the same OS does for any other process runing under the given account.


(Still trying to figure this one out...) My SFTP account is a member of only 2 local groups: Guests and (one I created called) SFTP_Users. When I log in on the server and run GPRESULTS, it displays that the account is a member of BUILTIN\Guests and BUILTIN\Users. Why it grants user access when the account is not a member of that group makes no sense. Based on this finding...

Most accounts will be granted "User" access, and will be able to see nearly every folder on the SSH server, including "Program Files" and "Windows". Windows has to allow "users" to see much more than I am comfortable exposing on a public facing SSH server. WOW! YIKES!


© 2007 - 2008 Kroum Grigorov
Powered by phpBB © 2001, 2005 phpBB Group