access restrictions for openssh - ssh

I would need some advice from those who want to help:
I have a Linux server, and I want to provide ssh (openssh) access to services like rsync and sftp for a specific user (extuser).
1) I'd like to restrict extuser to only process rsync or sftp, no other commands
2) extuser needs to read/write some specific directories, so I want to restrict what he can see and where he can write.
3) I've read a bit about rbash or lshell, but I wanted to know if, by "basic" configuration of openssh, without adding specific tools, I could manage it?
Here is my thinking so far (not very far, sorry)
For 1), if I only had rsync to deal with, I've seen that the rrsync script is really helpful :) But how do I add the sftp restriction? I've read about "command=" in authorized_keys and the use of the variable SSH_ORIGINAL_COMMAND, but I'm not sure whether it is mainly intended for an ssh command used explicitly (i.e. ssh user@host "mycommand"), and not for commands that "internally" use ssh like rsync or sftp?
For 2), I think the chroot option for sftp will help.
If you have any advice or remarks, or if you see I'm going the wrong way, I'd appreciate some feedback :)
Thanks a lot :)

Ok, so it appears that the chroot can fulfil all the needs, since it's up to me to choose the commands I want to allow in the "chrooted" bin :)
So no command restrictions by openssh configuration, but by the chroot directory tree. And therefore I don't seem to need extra tools :)
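As an added example (not part of the thread, and not the poster's final setup), the following forced-command dispatcher answers the "command=" question directly: rsync and sftp do arrive through SSH_ORIGINAL_COMMAND, because the rsync client runs "rsync --server ..." on the far end and the sftp client requests the "sftp" subsystem, for which sshd puts the Subsystem line from sshd_config ("internal-sftp" or the sftp-server path) into that variable. The installation path /usr/local/bin/extuser-gate, the rrsync and sftp-server paths and /srv/extuser/data are assumptions for the example.

```shell
#!/bin/sh
# extuser-gate: forced-command dispatcher for a key-only rsync/sftp account.
# Added example. Assumed paths: this script at /usr/local/bin/extuser-gate,
# rrsync at /usr/bin/rrsync (rsync >= 3.2.5 installs it there; older Debian keeps it
# under /usr/share/doc/rsync/scripts/), sftp-server at /usr/lib/openssh/sftp-server,
# and /srv/extuser/data as the only tree extuser may touch.
#
# ~extuser/.ssh/authorized_keys (one line):
#   restrict,command="/usr/local/bin/extuser-gate /srv/extuser/data" ssh-ed25519 AAAA... extuser
# "restrict" (OpenSSH 7.2+) disables pty, port/agent/X11 forwarding and user rc.
#
# rrsync confines rsync to the given directory by itself (add -ro for read-only).
# sftp-server does not: -d only picks the start directory, so pair this with a chroot
# for extuser in sshd_config:
#   Match User extuser
#       ChrootDirectory /srv/extuser
#       AllowTcpForwarding no
#       X11Forwarding no
# sshd requires /srv/extuser and every parent to be root-owned and not group/world
# writable. The chroot must contain /bin/sh (forced commands run as "$SHELL -c"), this
# script, rrsync, rsync, sftp-server and their shared libraries; internal-sftp cannot
# be exec'd from a script, so a real sftp-server binary is needed here.

# classify_cmd: print "rsync", "sftp" or "denied" for a requested command;
# exit status is 1 when denied.
classify_cmd() {
  case "$1" in
    "rsync --server "*) echo rsync ;;
    internal-sftp|/usr/lib/openssh/sftp-server|/usr/libexec/sftp-server|/usr/lib/ssh/sftp-server)
      echo sftp ;;
    *) echo denied; return 1 ;;
  esac
}

# dispatch: exec the allowed program for $SSH_ORIGINAL_COMMAND, rooted at $1.
dispatch() {
  root="$1"
  kind=$(classify_cmd "${SSH_ORIGINAL_COMMAND-}") || {
    logger -p auth.warning -t extuser-gate \
      "denied from ${SSH_CLIENT%% *}: ${SSH_ORIGINAL_COMMAND-<none>}" 2>/dev/null
    echo "extuser-gate: only rsync and sftp are allowed" >&2
    exit 1
  }
  case "$kind" in
    rsync) exec /usr/bin/rrsync "$root" ;;               # rrsync re-validates the rsync args
    sftp)  exec /usr/lib/openssh/sftp-server -d "$root" ;;
  esac
}

# Only dispatch when sshd invoked us with a forced command and a root directory;
# running or sourcing the file otherwise just defines the functions.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ] && [ $# -eq 1 ]; then
  dispatch "$1"
fi
```

Test it from the client with `rsync -av ./in/ extuser@host:/` and `sftp extuser@host`; a plain `ssh extuser@host` or `ssh extuser@host id` is refused and logged. Note that this is the opposite of the chroot-only approach the poster settled on: here the command set is fixed by the key, so a second key with a different command= can grant a different set without touching the jail.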

Is there a way to do SSH password-less login when the server only allows keyboard-interactive authentication?

Suppose I've got a server foo.com which only allows keyboard-interactive authentication, and that I can't change this. This means I can do,
sshpass -p PASSWORD ssh foo.com
but I can't create public/private keys to log in without a password.
Now, I could just create an alias ssh_foo="sshpass -p PASSWORD ssh foo.com", but then I have to create aliases for scp, for sftp, and in general it won't work for any other programs that use these, e.g. graphical programs based on sftp which mount remote folders. So I'm looking for a more generic solution.
In particular, is there any way to set up my .ssh/config file to allow password-less login in this case? This should then work for everything. I feel like some clever combination of ProxyCommand and LocalCommand might do it, but I can't figure out what.
(Note, I do understand the security implication of this, I'm just curious if you can do it)
Have you attempted using expect? According to the documentation it "[Expect] is a tool for automating interactive applications such as telnet, ftp, passwd, fsck, rlogin, tip, etc."
The Wiki page for expect is also a very good resource for examples, as the ones on the Expect page are broken.
You can also use plink which you can download and compile. You can use the -pw argument to automate this.

chroot with SSH and SFTP

I'm stuck on something that seems quite complicated, but I'm pretty sure I'm not the first one to face this problem; still, I can't seem to find anyone having the same problem on any forum.
As said in the title I want to make a chroot for users that works with SSH and SFTP. I'm currently stuck with one or the other and that's not ok with me.
Following tutorials, I modified the sshd_config file and added this line as suggested:
ForceCommand internal-sftp
That allows me to connect when using a Linux terminal, but it's a bit tricky for Windows users using PuTTY, even if it seems you can use it with PSFTP. But you can't use all the commands you put inside the jail environment.
Has anyone already figured this one out?
As stated before my chroot is working, so it's not really a configuration issue.
Finally I found a solution reading another tutorial.
If anyone is troubled with this another time: in sshd_config, most tutorials just leave the Subsystem line in the file by default.
To resolve my issue I just did this:
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
That did the work and I can now access my server in SSH and SFTP with the chrooted accounts.
It's always just after you post on a forum that you find a solution.
Have a good day everyone.

Getting a PDF out of the SSH to the own system

Given:
Connection to the Uni's secure shell like this:
me@my_computer:~$ ssh <my_name>@unixyz.cs.xy.com
Password:***********
Welcome to Unixyz. You now can access a terminal on system unixyz:
my_name@unixyz:~$ ls
Desktop Documents Pictures Music desired_document.pdf
my_name@unixyz:~$
Task/Question:
Getting the desired_document.pdf to my own system. I have thought of some options so far:
1) Since I can access an editor like nano, I could write a C/Java program, compile it in the home directory and make that program send the PDF. Problem with that: I'd have to code a client on the Uni machine and a server on my own system. On top of that I only know how to transfer text given on stdin, not PDFs. And it's obviously too much work for the given task.
2) I found some vague information about commands: scp and sftp. Unfortunately, I can not figure out how it is done exactly.
The latter is basically my question: are the commands scp and sftp valid options for doing this, and how are they used?
EDIT:
I received a first answer and the problem persists: As stated, i use:
scp me@server.cs.xyz.com:/path/topdf /some/local/dir
which gives me:
/some/local/dir: no such file or directory
I'm not sure in which environment you are.
Do you use Linux or Windows as your every-day operating system?
If you are using windows, there are some ui-based scp/ssh implementations that enable you to transfer these files using an explorer based ui.
For example there is https://winscp.net/
You can indeed use scp to do exactly that, and it's easier than it might look:
scp your_username@unixyz.cs.xy.com:path/to/desired_document.pdf /some/local/dir
The key is the colon after the servername where you add your path
Optionally you can pass in the password as well, but that's bad practice, for obvious reasons.
I actually got the answer myself and found the error I was having. Both the guy with the answer and the commenter were right. BUT:
scp must be launched when you are in YOUR terminal, I always tried to do it while I was connected to the remote server.
2 hours wasted because of that.

SSH Key Authentication [Hesitance?]

I guess I'm being a little hesitant but I deal with vcs's occasionally and always get asked for some sort of prompt, of course I'm attempting to access an external machine which I'm sshing into.
Basically my question is, say I don't have root access on this machine, would it still be possible to set this up? I've skimmed through reading it a couple times and I'm pretty sure I got the method down - you generate pub/private keys, sftp to the machine and throw your public into some authorized_keys directory. How is this managed with multiple users for example? Could the generic file name ( the .pub ) get overwritten, or am I completely misunderstanding the process here and it's setup to allow multiple keys natively?
If I'm not a sudoer and one of the server's directories needs to be chmod'd to say 700 whereas it's 655, I can't really do anything other than ask for su access, right?
If you have ssh access to the remote machine, you can generate the key pair on your local machine, add the public key to the authorized_users file on the remote machine, and then use this for authentication. You don't need root privileges to do this. The keys and authorized_files usually reside under your home directory (myhome/.ssh/authorized_keys etc.) so they don't get confused between users.
Your question about setting directory permissions is unrelated, but if you own the directory or its parent (or its parent...) you will be able to set any permissions on the files in that directory.
Sounds to me like it might be time to curl up with a general *nix administration book, perhaps? Not light reading, but it can be useful and I always find it most informative to learn the details when I'm actually struggling with them.
I ssh all the time into a machine that allows su or sudo. But, it's set up not to allow ssh via "ssh root@machine". So to answer your question, yes it's possible.
You can only change the directory permissions if you own the directory or if you have root access.
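The answers above say keys live per user and need no root; as an added example (not from the thread), here is the install step done the way sshd expects it, showing that several keys coexist in one authorized_keys file (nothing is overwritten), that re-running is idempotent, and that the directory and file modes satisfy the default StrictModes check that silently rejects keys in group- or world-writable locations. The sample key lines in the usage note and test are constructed and carry no real key material.

```shell
#!/bin/sh
# Added example: install a public key for the invoking user without root.
# install_authorized_key PUBFILE [HOME]: append the first line of PUBFILE to
# HOME/.ssh/authorized_keys unless the same key is already there.

install_authorized_key() {
  pub="$1"
  home="${2:-$HOME}"
  akeys="$home/.ssh/authorized_keys"

  # A public key line is "<type> <base64> [comment]". Refuse anything else so a
  # private key or random file pasted by mistake never lands in authorized_keys.
  key=$(head -n 1 "$pub")
  case "$key" in
    ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp*\ *|sk-ssh-ed25519@openssh.com\ *|sk-ecdsa-sha2-nistp256@openssh.com\ *) ;;
    *) echo "install_authorized_key: $pub does not look like an OpenSSH public key" >&2; return 1 ;;
  esac

  # sshd (StrictModes yes, the default) ignores the file if ~/.ssh or the file is
  # group/world writable, so create them under a restrictive umask and pin the modes.
  (umask 077; mkdir -p "$home/.ssh"; touch "$akeys")
  chmod 700 "$home/.ssh"
  chmod 600 "$akeys"

  # Compare only type and key material: re-running with a changed comment must not
  # add a duplicate line.
  kid=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
  if awk -v k="$kid" '($1 " " $2) == k {found=1} END {exit !found}' "$akeys"; then
    echo "already present"
    return 0
  fi
  printf '%s\n' "$key" >> "$akeys"
  echo "added"
}

# count_authorized_keys [HOME]: number of key lines currently authorised.
count_authorized_keys() {
  f="${1:-$HOME}/.ssh/authorized_keys"
  [ -f "$f" ] || { echo 0; return; }
  grep -c -E '^(ssh-|ecdsa-|sk-)' "$f" || true
}
```

Usage on the server, after copying the .pub there with sftp as the question describes: `install_authorized_key ~/id_ed25519.pub`. A second person's key is added the same way and both lines stay in the file, which is how OpenSSH supports multiple keys per account. If the home directory itself is group-writable and you cannot chmod it, that is the one case where you really do need the administrator, since sshd checks the whole path.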

Using expect to pass a password to ssh

How can I use expect to send a password to an ssh connection?
say the password was p#ssword
and the ssh command was
ssh me@127.0.0.1
What would I do with expect to a make it input the password when it says
me@127.0.0.1's password:
?
The proper action of using an SSH key pair isn't an option because I would have to use ssh (scp) to put the key on the server, which would ask for a password.
I always used the "proper" solution, but I used expect in other situations.
Here I found following suggestion:
#!/usr/local/bin/expect
# Start sftp with a batch file and answer the password prompt automatically.
set timeout 20
spawn sftp -b cmdFile user@yourserver.com
expect "password:"
send "shhh!\r"
interact
Would it not be easier to use public key authentication and use a key with no passphrase?
As the user on the source machine do this to make an RSA key
ssh-keygen -t rsa
Now copy ~/.ssh/id_rsa.pub to the target machine and append it to the authorized_keys file of the target user
Your quickest way forward (unless you want to become a Tcl expert, which would be... unusual... in 2009) is probably to use autoexpect. Here's the man page:
http://expect.nist.gov/example/autoexpect.man.html
In short, fire up autoexpect, run your ssh session, finish up what you need to do, stop autoexpecting and then beat your keyboard over the resulting mess until it works :) I'm assuming you don't need anything more than a quick hack to get your keys sorted out and then, well it sounds like you know the score already with that.
And there's this question which already contains an example close to what you seek.
Cygwin has autoexpect, just not in the bin package. Run setup.exe, search for expect and check the source checkbox. You will see the resulting tree in /usr/src, and in there is an expect/expect/examples directory. In there lives a copy of the autoexpect script.
The key solution will not work... because the keys have to be readable only by the person running ssh. On XP you cannot create the key structure with the correct permissions, so ssh will not read them. This may have changed, but last I checked it still did not work.
I'm pretty sure it is not possible to do what you're trying to do. Most *nix applications that prompt for a password read from the TTY directly, not stdin, so you can't pipe the password in. You can, as others have mentioned, configure SSH to not prompt for a password, as explained here.
After I was downvoted for no apparent reason, I went and did a little more research on the expect command and discovered that it has a send_tty command that sends to /dev/tty instead of stdin, which might actually do what you want... I was previously unaware of this feature. I still recommend putting the key on the server, however.
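The last comment has the right mechanism: ssh reads the password from the tty, not stdin, so piping fails. The client does, however, have its own hook for exactly this, SSH_ASKPASS, and with SSH_ASKPASS_REQUIRE=force (OpenSSH 8.4 and newer) it is used even when a tty is present. Because ssh, scp, sftp, ssh-copy-id and sshfs all run the same ssh client, exporting two variables covers all of them, which is what the earlier sshpass/.ssh/config question was after, and it also solves the chicken-and-egg problem in this thread of needing one password login to push the key. The example below is added here, is not from either thread, and the file paths and the password in the test are constructed.

```shell
#!/bin/sh
# Added example: answer ssh's password prompt through SSH_ASKPASS instead of expect.
# Assumes OpenSSH >= 8.4 on the client (SSH_ASKPASS_REQUIRE).

# make_askpass SECRET_FILE HELPER_PATH: write a helper that prints the password kept
# in SECRET_FILE (mode 0600) and print the helper's path. The password never goes on a
# command line, so it is not visible in ps or shell history the way "sshpass -p" is.
make_askpass() {
  secret="$1"
  helper="$2"
  cat > "$helper" <<EOF
#!/bin/sh
# Generated by make_askpass. ssh invokes this with the prompt text as \$1.
# Answer only password prompts; a host-key confirmation or a key passphrase
# prompt fails closed rather than receiving the password as a yes/no answer.
case "\$1" in
  *[Pp]assword*) ;;
  *) exit 1 ;;
esac
IFS= read -r pw < '$secret'
printf '%s\\n' "\$pw"
EOF
  chmod 700 "$helper"
  printf '%s\n' "$helper"
}

# bootstrap_key HOST SECRET_FILE: use the helper once to install ~/.ssh/id_ed25519.pub
# on HOST via ssh-copy-id, after which the stored password is no longer needed.
bootstrap_key() {
  host="$1"; secret="$2"
  helper=$(make_askpass "$secret" "${TMPDIR:-/tmp}/askpass.$$")
  SSH_ASKPASS="$helper" SSH_ASKPASS_REQUIRE=force \
    ssh-copy-id -i "$HOME/.ssh/id_ed25519.pub" "$host"
  rc=$?
  rm -f "$helper"
  return $rc
}
```

Usage: `printf 'p@ssword\n' > ~/.ssh/foo.pw; chmod 600 ~/.ssh/foo.pw; bootstrap_key me@127.0.0.1 ~/.ssh/foo.pw`, then delete the .pw file. For a server that genuinely allows only keyboard-interactive authentication, export `SSH_ASKPASS=$(make_askpass ~/.ssh/foo.pw ~/.ssh/foo-askpass)` and `SSH_ASKPASS_REQUIRE=force` from your shell profile and every ssh-based program picks it up. The secret is still a plaintext password on disk, so this is a workaround for a server you cannot change, not a substitute for key authentication.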