This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Finally managed to create a jailed SFTP server, but how secure?


Hi,

I finally managed to create a chroot'ed (jailed) SFTP environment under Cygwin. Here are my steps which may be useful for others:

- All directories from root to the chroot directory must be owned by UID 0 and GID 0. For example, if you want to jail users in /jail then / and /jail must belong to (0, 0). In my setup, I set Administrator user to be (0, 0) in /etc/passwd.

- The home directory for user as declared in /etc/passwd must be created under this chroot directory too, for example, /jail/home/user must exist too and belong to user.

- Use internal-sftp for Subsystem sftp

So my minimum directory structure is as follow:

    /jail
    /jail/home
    /jail/home/user
    /home/user

If you want to enable public key authentication, then the following must exist too:

    /home/user/.ssh
    /home/user/.ssh/authorized_keys

My /etc/sshd_config contains:

    ChrootDirectory   /jail
    Subsystem   sftp  internal-sftp

After configuring the user's public key in /home/user/.ssh/authorized_keys, he can log on using SFTP with his private key and  could see only the following limited directory structure:

    /
    /home
    /home/user
    /cygdrive

Yes, /cygdrive is there too and stragely but fortunately, it is empty. I didn't copy /bin/bash to the jailed directory. So interactive session using SSH will fail (which is what I want).

As far as I am concerned, user's view is restricted enough to what I allow them to see and do. If I revoke user's rights to write to any directory except /jail/home/user, then he should only be able to upload files to his jailed home directory.

My question is, how secure is Cygwin as SFTP server set up this way? Is there any security hole I don't know yet?




      

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]