Wednesday, April 27, 2011

Disabling SFTP in OpenSSH server, the SCP fallback mechanism & its dependency on the sftp client under Windows & Linux.

Today I will throw some light on access restrictions for users. Sometimes we don't want users to perform SFTP operations on our SSH servers.
To disable it, comment out the following line in the sshd_config of the OpenSSH server.

On many Ubuntu/Debian based systems:
Subsystem sftp internal-sftp
or on other *nix systems with an OpenSSH server:
Subsystem sftp /usr/lib/openssh/sftp-server
Restart the ssh server using
/etc/init.d/ssh restart
After this it is necessary to understand that the user you use for the sftp connection must not have /bin/sh (the login shell field) in its passwd entry.
If it is present, Windows sftp clients such as WinSCP or psftp.exe (PuTTY's command-line sftp utility) fall back to a plain SSH session and then execute the sftp-server command through that shell, which gives sftp access even though we have disabled the subsystem.
So now I am using psftp.exe as the client against a server running the following sshd_config.

sshd_config file:
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
#Subsystem sftp /usr/lib/openssh/sftp-server
#Subsystem sftp internal-sftp
UsePAM yes

Case study:
Let's create a user:
useradd -m testuser
Without the sftp-server shell parameter:
The Subsystem line in the OpenSSH server config is commented out, but the passwd entry for the user still grants shell access (/bin/sh):

Fall-back mechanism SFTP --> SCP:
On Linux, using the sftp command, there is no sftp access, because the Linux sftp client strictly uses sftp-only mode, i.e. it has no fallback to SCP. So after commenting out the line in the OpenSSH config, a Linux client will not connect to the Linux server over the sftp protocol, provided the utility used is sftp; any other external utility can again use SCP as its fallback mechanism.
From the snapshot of Linux-to-Linux sftp it is very clear that sftp strictly follows the sftp protocol, hence the connection fails.
In the second snapshot, the psftp.exe Windows client falls back to SCP on "Primary command failed" and still gives access to file transfer.
From Linux:
sftp testuser@
From Windows, using psftp.exe:
psftp.exe -v testuser@
or using the pscp.exe utility:
pscp.exe -v -sftp temp.file testuser@
where temp.file is the generated file for transfer.
For pscp.exe the -sftp switch specifically tells it to use the sftp protocol.
Now enable the Subsystem option in sshd_config (remove the comment) and restart the ssh server.
Now we can clearly see that after enabling it, the primary command does not fail and there is no need for the fallback.
So this indicates that the client type matters for the connection restriction.

With the sftp-server shell parameter:
To restrict the shell access of a particular user to sftp capability only, we can do this:
change the user's login shell in the passwd entry to
and add sftp-server to the list of shells:
echo '/usr/lib/sftp-server' >> /etc/shells
Now testuser cannot get shell access to the system, but can still do sftp if the Subsystem sftp line is present in sshd_config. If that line is commented out, then from Linux it is not possible, because the fallback (which is SCP) is not supported there.
Windows applications can still do file transfers by invoking the command in sftp mode in psftp.exe and pscp.exe (see conclusion 4).

a. From Windows to the Linux server, with the primary sftp command failing

b. From Linux to the Linux server, giving "connection reset"

Conclusions:
1) The SFTP-SCP fallback mechanism varies from client to client.
2) If Subsystem sftp is commented out, the psftp.exe client will fall back to the SCP mechanism if /bin/sh is present for that user.
3) If only the sftp-server shell is provided and Subsystem sftp is not commented out, then the user will have neither ssh access nor scp-only access. The SCP-only protocol does not work from pscp.exe, nor from scp in Linux.
The following will not work:
pscp.exe -v -scp temp.file testuser@
scp temp.file testuser@
These will work:
pscp.exe -v temp.file testuser@
psftp -v testuser@
sftp testuser@
4) If only the sftp-server shell is provided and Subsystem sftp is commented out,
this will work:
psftp.exe -v testuser@
pscp.exe -v -sftp temp.file testuser@
this will not work:
pscp.exe -v -scp temp.file testuser@
sftp -v testuser@
5) After setting the sftp-server shell parameter, ssh connections and scp connections will not work for this user.
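As an added check, not part of the original post, here is a small POSIX shell audit script that reads an sshd_config text and one passwd line and reports the same access matrix the case study and conclusions 2 to 4 describe (Subsystem sftp on or off, against a login shell of /bin/sh or of sftp-server). It goes beyond the post in one respect, stated here as an assumption about OpenSSH rather than something the post tested: it also recognises a "Match User" block with "ForceCommand internal-sftp", which makes the server answer every session request with its in-process sftp server, so the shell, scp and the psftp fallback are all closed whatever client is used. The config and passwd samples at the bottom are constructed, and the verdict names are my own.

```shell
#!/bin/sh
# Added audit helper; not code from the original post, OpenSSH or PuTTY.
# Given an sshd_config text and one /etc/passwd line, report which
# transfer paths remain open for that user, following the behaviour the
# post observed for the OpenSSH sftp client, psftp.exe and pscp.exe.
# Assumption beyond the post: "ForceCommand internal-sftp" applies to every
# session request, so it shuts the shell, scp and the psftp fallback for any
# client, with or without a Subsystem line. Only "Match User" blocks are
# parsed (not Match Group/Address).

# Print "yes" if an uncommented "Subsystem sftp ..." line is present.
sftp_subsystem_enabled() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "subsystem" && tolower($2) == "sftp" { found = 1 }
        END { if (found) print "yes"; else print "no" }'
}

# Print the ForceCommand that applies to user $2 in config text $1: a global
# ForceCommand (before any Match) unless a "Match User" block naming the
# user overrides it. Prints an empty line if there is none.
forced_command_for_user() {
    printf '%s\n' "$1" | awk -v user="$2" '
        tolower($1) == "match" {
            seenmatch = 1; inblock = 0
            if (tolower($2) == "user") {
                n = split($3, names, ",")
                for (i = 1; i <= n; i++) if (names[i] == user) inblock = 1
            }
            next
        }
        tolower($1) == "forcecommand" && (inblock || !seenmatch) {
            $1 = ""; sub(/^[ \t]+/, ""); cmd = $0
        }
        END { print cmd }'
}

# Print the login shell (7th field) of a passwd line.
login_shell() {
    printf '%s\n' "$1" | cut -d: -f7
}

# Verdict for one user. $1 = sshd_config text, $2 = the user's passwd line.
sftp_access_verdict() {
    config=$1
    pwline=$2
    user=$(printf '%s\n' "$pwline" | cut -d: -f1)
    shell=$(login_shell "$pwline")
    forced=$(forced_command_for_user "$config" "$user")
    subsystem=$(sftp_subsystem_enabled "$config")

    case $forced in
        internal-sftp) echo "sftp-only-forced"; return 0 ;;   # client type irrelevant
        ?*)            echo "forced-command:$forced"; return 0 ;;
    esac
    case $shell in
        */sftp-server)   # the post's "sftp-server shell parameter": no ssh, no scp
            if [ "$subsystem" = yes ]; then echo "sftp-only"
            else echo "sftp-only-via-fallback"; fi ;;       # conclusion 4
        *)               # a real login shell: ssh and scp stay open
            if [ "$subsystem" = yes ]; then echo "ssh+scp+sftp"
            else echo "ssh+scp+sftp-via-fallback"; fi ;;    # conclusion 2
    esac
}

# Constructed sample inputs (not the post's full sshd_config).
CFG_SUBSYS_OFF='Port 22
#Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes'
CFG_SUBSYS_ON='Port 22
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes'
CFG_FORCED="$CFG_SUBSYS_OFF
Match User testuser
    ForceCommand internal-sftp
    ChrootDirectory /home/%u"
PW_SHELL='testuser:x:1001:1001::/home/testuser:/bin/sh'
PW_SFTPSHELL='testuser:x:1001:1001::/home/testuser:/usr/lib/sftp-server'

# Usage: one verdict per combination the post tested, plus the forced one.
for name in CFG_SUBSYS_ON CFG_SUBSYS_OFF CFG_FORCED; do
    eval "cfg=\$$name"
    for pw in "$PW_SHELL" "$PW_SFTPSHELL"; do
        printf '%-15s %-25s %s\n' "$name" "$(login_shell "$pw")" \
            "$(sftp_access_verdict "$cfg" "$pw")"
    done
done
```

The forced-command rows are the point of the extra rule: the fallback the post observes is still an ordinary exec request through the user's shell, and a forced command on the server replaces whatever the client asked for, which is why it gives the client-independent restriction the post is looking for.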

Please let me know what you think about this through the comments.
