Hello Sorin,
WinSCP, as well as other applications, require that the logged-in user
have access to the /etc and /bin folders. If you want to restrict
access, then what you want to do is called jailing the user. When you
set up a root jail, you will need to make a copy of the /bin and /etc
folders into a new folder in the user's home directory, or place the
users' home directories in a jailed folder. One possible directory
structure for a jail might look like this:
/
/bin
/etc
/jail
/jail/bin
/jail/etc
/jail/home
/jail/home/user1
The user's home directory (in /etc/passwd) would then have to be
modified. Also, depending on which chroot patch you implement, you
might have a /etc/chrootusers file to configure. Which brings us to the
next issue: to implement the chroot jail, you will most likely have to
obtain the openSSH source code, download/apply one of the many
chroot patches, then build the openSSH.exe manually. Also, remember
that /cygdrive/c is a path that exposes the C:\ contents, so even if you
implement a chroot jail, if you don't modify the mount tables properly,
the users might still be able to get to /bin by doing the following: cd
"/cygdrive/c/Program Files/copSSH/bin" , replacing the path after
/cygdrive/c with your /bin directory's real path.
So, good luck. I have not checked the recent copSSH bin, but if you
search google for implementing this patch into the copSSH, you will
probably find a request from me asking it be added, as it was not a part
of the distribution back when I used copSSH a lot.
Regards,
Armand
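An added example, not code from this thread or from copSSH: a small POSIX shell audit of the jail layout Armand describes. It checks that a user's home in the passwd file sits under the jail root and that no mount point inside the jail is backed by a host path outside the jail's own directory (or by the cygdrive automount), which is the escape route he warns about. The jail root /jail, the host directory C:/jail and the passwd/fstab contents are constructed sample values.

```sh
#!/bin/sh
# Added example: audit a chroot jail layout for a Cygwin-based OpenSSH.
# The jail paths and the passwd/fstab files below are constructed samples.

# home_in_jail PASSWD USER JAILROOT
# Exit 0 if USER's home in PASSWD lies under JAILROOT, 1 if it does not,
# 2 if the user is not in the file.
home_in_jail() {
    home=$(awk -F: -v u="$2" '$1 == u { print $6 }' "$1")
    [ -n "$home" ] || return 2
    case "$home" in
        "$3"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# jail_mounts_clean FSTAB JAILROOT JAILHOSTDIR
# Reads Cygwin-style fstab lines (device mountpoint type options) and
# fails if a mount point under JAILROOT is backed by a device outside
# JAILHOSTDIR, or is a cygdrive automount: either would let a jailed
# user walk back out to the real /bin and /etc.
jail_mounts_clean() {
    awk -v j="$2" -v h="$3" '
        /^[ \t]*#/ || NF < 3 { next }
        index($2 "/", j "/") == 1 {
            if ($3 == "cygdrive" || index($1 "/", h "/") != 1) {
                print "escape: " $2 " -> " $1; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# Constructed sample inputs (not taken from a real system).
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
admin:x:500:513:Admin:/home/admin:/bin/bash
user1:x:1001:513:Jailed user:/jail/home/user1:/bin/bash
EOF
cat > "$tmp/fstab" <<'EOF'
# device        mountpoint       type      options
C:/copSSH/bin   /bin             ntfs      binary
C:/copSSH/etc   /etc             ntfs      binary
C:/jail/bin     /jail/bin        ntfs      binary
C:/jail/etc     /jail/etc        ntfs      binary
none            /jail/cygdrive   cygdrive  binary,posix=0,user
EOF
PASSWD_FILE=$tmp/passwd
FSTAB_FILE=$tmp/fstab

if home_in_jail "$PASSWD_FILE" user1 /jail; then echo "user1: home is inside /jail"; fi
jail_mounts_clean "$FSTAB_FILE" /jail C:/jail || echo "mount table exposes the host to the jail"
```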
-----Original Message-----
From: ssh@erdelynet.com [mailto:ssh@erdelynet.com] On Behalf Of
Sorin@Gmail
Sent: Monday, June 25, 2007 7:46 AM
To: ssh@erdelynet.com
Subject: RE: Ssh running on windows
Welsh, Armand <> scribbled on Monday, June 25, 2007 4:06 PM:
Solved the problem, I think it just needed more than the default five
minutes to sync between the DCs. It works now.
Instead I have another problem...
Using WinSCP to transfer files, when the user clicks the "/" button on
the remote server, they're allowed to see the contents of <c:\program
files\openssh>. What's worse is that they can even view the contents of
the passwd-file. I don't think that is such a good idea to allow regular
users.
I finally managed to disallow users from at least seeing the contents of
the etc-folder. Disallowing them from seeing the other folders like bin,
and thus the makepasswd.exe and makegroup.exe executables, disables the
user from logging in at all.
Is there any way to make a nicer and cleaner thing hiding stuff, than
the solution I already have?
> I am not sure, but I think you have to grant the user the login local right
> to the server. Can anyone confirm this?
>
> Armand
>
>
> Armand Welsh
> --------------------------
> Sent from my BlackBerry Wireless Handheld
>
>
> ----- Original Message -----
> From: ssh@erdelynet.com <ssh@erdelynet.com>
> To: ssh@erdelynet.com <ssh@erdelynet.com>
> Sent: Sun Jun 24 06:01:27 2007
> Subject: Ssh running on windows
>
> Hi all,
>
> I set up ssh on a win2k3-server according to instructions from
> sshwindows.sourceforge.net, in order to allow a few users to connect
> securely
> to my ftp-server.
>
> Upon connecting with WinSCP from a client to the server, it works if I use
> an (domain) admin account, but not a regular (domain user) account. I get
> as far as being asked to re-enter the password. On entering it and pressing
> ok, I get asked to enter password again. A bit strange.
>
> Am I missing anything?
>
> Group and passwd files created and looks ok as far as I can tell. Have also
> checked that the right port is being used (22), using the right password and
> user-id and connecting to right server-ip. The opensshd-service is installed
> and started.
>
> Can anybody give me a hint as to what might be wrong?
>
> Thank you in advance.
>
> --
>
> BW
> Sorin
> ---------------------------------------------
> http://home-skynet.servehttp.com/
> Public GPG-key: http://http://home-skynet.servehttp.com/files/GPG
> Still a proud member of TEAM OS/2.
> Mountainbiker [Kona Kilauea - Member of Equipe Les Cafards VTT]
> Motorcyclist [BMW R100RT-'91]
> MCSE, MCP+I, MCP, A+ [Knowledge is power!]
> ---------------------------------------------
>
> () ascii ribbon campaign - against html e-mail
> /\
>
> --
> List Info: http://erdelynet.com/ssh-l/
> List Archives: http://erdelynet.com/archive/ssh-l/
> To Unsubscribe: Mail mailto:ssh+unsubscribe@erdelynet.com
Received on Mon, 25 Jun 2007 08:14:32 -0700
This archive was generated by hypermail 2.1.8 : Wed Jul 04 2007 - 17:03:26 EDT