Windows Networking Admin Blog » Networking Central

CopSSH: restricting users’ access

If you set up the SSH server as described recently in this blog, you might be interested in how to restrict users’ permissions.

The SSH server itself does not manage access rights, so this has to be done with Windows file permissions.

If you use the FAT file system you cannot set permissions at all, whereas NTFS allows setting detailed permissions for specific users and groups.

I have found a tip published in the CopSSH FAQ to be a very useful and simple way to implement a very restricted user environment.

Let me quote it here (taken from the official FAQ item):

Q: How can I limit users’ access to their home directories only ?

A: I recommend using NTFS permissions for that purpose.

1. Make a local group.

net localgroup CopsshUsers /ADD

2. Deny access to this group at top level.

cacls c:\ /c /e /t /d CopsshUsers

3. Add Copssh user to the group above.

net localgroup CopsshUsers user /add

4. COPSSH user activation can then be used to allow access at the home directory level.

Repeat steps 3 and 4 for each user.

The command cacls c:\ /c /e /t /d CopsshUsers changes permissions on the C:\ drive only. If you want to restrict other drives or partitions, run the command again for each of them, e.g. cacls d:\ /c /e /t /d CopsshUsers

I have found this FAQ item incomplete: if you run the cacls command as described on the drive that holds the CopSSH installation, the user will no longer be able to log in, because the deny applied to the whole drive also covers the CopSSH install directory, and the user needs access to that directory.

Here are the steps to do this:

1. Start Windows Explorer

2. Navigate to CopSSH folder (e.g. C:\Program Files\CopSSH\)

3. Right-click on empty space (or select all items in the folder) and open the Properties page.

4. Go to the Security tab.

5. Click on the CopsshUsers group and change its permissions: remove all Deny entries and assign Read & Execute, List Folder Contents and Read. You might need to reset permissions on all child objects from the Advanced tab so that the change propagates to the files inside the folder.

6. Do not forget to change permissions on the user's home folder as well, otherwise the user will not be able to do anything there.
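The FAQ steps and the Explorer fix above, combined into one script as an added example that is not part of the original post or the CopSSH FAQ. It uses icacls (the successor to cacls) and goes one step beyond the post by also keeping the group out of the other users' home folders. The group name CopsshUsers comes from the FAQ; the user name alice, the install path C:\Program Files\CopSSH and the home folder C:\Program Files\CopSSH\home\alice are constructed assumptions to be replaced with your own values.

```powershell
# Added example, not from the original post or the CopSSH FAQ.
# Assumptions (constructed): group CopsshUsers (from the FAQ), SSH user "alice",
# CopSSH installed under C:\Program Files\CopSSH, home folders under
# C:\Program Files\CopSSH\home\<user>. Run from an elevated PowerShell prompt.
# icacls is used in place of the deprecated cacls. Avoid a trailing backslash on
# paths that contain spaces; the quoting PowerShell adds then confuses icacls.
param(
    [string]   $Group     = 'CopsshUsers',
    [string]   $User      = 'alice',
    [string]   $CopsshDir = 'C:\Program Files\CopSSH',
    [string[]] $Drives    = @('C:\')
)
$HomeRoot = Join-Path $CopsshDir 'home'
$HomeDir  = Join-Path $HomeRoot $User

# The home folder is created by CopSSH user activation (FAQ step 4); refuse to
# continue if it is missing rather than granting rights on a folder that does not exist.
if (-not (Test-Path $HomeDir)) { throw "Home folder $HomeDir not found; activate the user in CopSSH first" }

# Runs one native command and stops the script if it reports failure.
function Invoke-Step([string]$Description, [scriptblock]$Command) {
    Write-Host "==> $Description"
    & $Command | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Step failed (exit code $LASTEXITCODE): $Description" }
}

# FAQ step 1: create the local group, unless it already exists.
net localgroup $Group > $null 2>&1
if ($LASTEXITCODE -ne 0) {
    Invoke-Step "Create local group $Group" { net localgroup $Group /add }
}

# FAQ step 2: deny the group everything at the root of each restricted drive.
# (OI)(CI) inherit to files and subfolders, /T also stamps existing objects,
# /C keeps going past objects that cannot be updated (the cacls /c /e /t /d idea).
# Like cacls /t this walks the whole drive, so expect it to take a while.
foreach ($drive in $Drives) {
    Write-Host "==> Deny $Group on $drive"
    icacls $drive /deny "${Group}:(OI)(CI)F" /T /C | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Some objects under $drive could not be updated" }
}

# FAQ step 3: put the SSH user into the restricted group (skip if already a member).
if (-not ((net localgroup $Group) -contains $User)) {
    Invoke-Step "Add $User to $Group" { net localgroup $Group $User /add }
}

# The part the FAQ leaves out: the drive-wide deny now also covers the CopSSH
# install tree, so sshd cannot start the user's shell. Lift the deny there and
# grant read + execute, which is what the Explorer steps above do by hand.
Invoke-Step "Remove deny on $CopsshDir"        { icacls $CopsshDir /remove:d $Group /T /C }
Invoke-Step "Grant read/execute on $CopsshDir" { icacls $CopsshDir /grant "${Group}:(OI)(CI)RX" /T /C }

# Beyond the post: keep the group out of the home folders as a whole, then open
# only this user's own home, with modify rights for that user alone.
Invoke-Step "Deny $Group on $HomeRoot"         { icacls $HomeRoot /deny "${Group}:(OI)(CI)F" /T /C }
Invoke-Step "Remove deny on $HomeDir"          { icacls $HomeDir /remove:d $Group /T /C }
Invoke-Step "Grant modify on $HomeDir"         { icacls $HomeDir /grant "${User}:(OI)(CI)M" /T /C }

# Verification: list the ACEs that matter at each boundary, so the deny at the
# drive root, the allow on the install tree and the per-user home are all visible.
foreach ($path in ($Drives + $CopsshDir + $HomeRoot + $HomeDir)) {
    Write-Host "--- $path"
    icacls $path | Select-String -Pattern $Group, $User
}
```

Run it once per user, changing only the user name; the drive-root deny and the install-directory grant are repeated harmlessly because icacls only adds an ACE that is not already present. Check the verification output before the user logs in: the drive root should show a Deny entry for the group, the install directory an Allow for read and execute, and the home folder an Allow (M) for the user with no Deny left from the group.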



2 Responses to “CopSSH: restricting users’ access”

  1. meszi Says:

    December 2nd, 2008 at 9:28 am

    I run CopSSH on a Windows SBS 2003 machine.

    As far as I have experienced, CopSSH only accepts users to be enabled who have local administrator privileges on the CopSSH machine. I changed the user’s permissions according to your suggestions … to improve security a bit, as I only want to use the account for SSH tunnels.

    Following your instructions my CopSSH user really cannot “cd c:\\windows”, but he still keeps permissions on all executables in “c:\program files\copssh\bin\”.

    This means that he can still read all folders’ or files’ content using “ls”, “cat” or “less”:

    ls c:\\windows\\system32
    or
    cat c:\\boot.ini

    I did not yet check the other tools within “bin”, but I am concerned, as this means that he could for instance also read some private key file:

    cat ~otheruser/private.key
    or
    cat “c:\\documents and settings\\otheruser\\.ssh\\privateputtykeyfile.ppk”

    All this seems to be caused by the obviously necessary local administrative privileges. (Please let me know if you know a way to provide an SSH login without granting these permissions.)

    Possible solution: one could remove the “problematic” tools in “bin”. As I just want to use CopSSH as a tunneling technique this might be a possibility, but it appears a bit strange.

    Any suggestions?

  2. Windows Networking Admin Says:

    December 3rd, 2008 at 10:06 am

    Well, you could remove the problematic binary files, or possibly run CopSSH under a different username which would not have access to any system files.
