Finally managed to create a jailed SFTP server, but how secure?

TheO idgajelas@yahoo.com
Mon Dec 1 16:21:00 GMT 2008


Hi,

I finally managed to create a chroot'ed (jailed) SFTP environment under Cygwin. Here are my steps which may be useful for others:

- All directories from root to the chroot directory must be owned by UID 0 and GID 0. For example, if you want to jail users in /jail then / and /jail must belong to (0, 0). In my setup, I set Administrator user to be (0, 0) in /etc/passwd.

- The home directory for user as declared in /etc/passwd must be created under this chroot directory too, for example, /jail/home/user must exist too and belong to user.

- Use internal-sftp for Subsystem sftp

So my minimum directory structure is as follow:

    /jail
    /jail/home
    /jail/home/user
    /home/user

If you want to enable public key authentication, then the following must exist too:

    /home/user/.ssh
    /home/user/.ssh/authorized_keys

My /etc/sshd_config contains:

    ChrootDirectory   /jail
    Subsystem   sftp  internal-sftp

After configuring the user's public key in /home/user/.ssh/authorized_keys, he can log on using SFTP with his private key and  could see only the following limited directory structure:

    /
    /home
    /home/user
    /cygdrive

Yes, /cygdrive is there too and stragely but fortunately, it is empty. I didn't copy /bin/bash to the jailed directory. So interactive session using SSH will fail (which is what I want).

As far as I am concerned, user's view is restricted enough to what I allow them to see and do. If I revoke user's rights to write to any directory except /jail/home/user, then he should only be able to upload files to his jailed home directory.

My question is, how secure is Cygwin as SFTP server set up this way? Is there any security hole I don't know yet?




      

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/



More information about the Cygwin mailing list