DSM-G600, DNS-3xx and NSA-220 Hack Forum

mastervol wrote:

from what i read i would need to install debian in order to grant only sftp, restrict ssh to root and restrict sftp users to a certain directory and sub directories.
i am searching for a solution without debian.
...
now i believe it's not a good idead to chmod all directories in order to restrict 1 user or group to a certain directory, right?

This question has been asked quite a few times, but it seems nobody really explored all the options, yet.

Afaict, the only way to restrict access in a ssh shell the way you want is to create a chroot environment. This is rather simple, and you can use ffp for that. Still, I don't think is worth the effort on a box like the DNS-323.

Chroot'ing sftp also doesn't seem to be hard. The following thread has some useful information:
http://fixunix.com/ssh/514186-sftp-serv … setup.html

Finally, unix file permissions provide a flexible and simple way to control access rights. Have a look at the pointers in the Getting started with Linux sticky post to find out how to use the permission system.

mastervol wrote:

but why do you think it's not worth it?

I think it's not worth the effort to set up _real_ chroot environments for ssh shell access. Just don't allow ssh shell access for people you don't trust.

For sftp, use the built-in ChrooDirectory option and ensure that certain users can only use sftp, but not open a shell (or use scp).

ok next try:

i did all the steps according to this: http://howflow.com/tricks/simply_share_ … ftp_chroot

1) groupadd sftponly
2) useradd -G sftponly -m testuser
3) passwd testuser
4) vi /ffp/etc/ssh/sshd_config
5) sshd_config:

#    $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/ffp/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /ffp/etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /ffp/etc/ssh/ssh_host_rsa_key
#HostKey /ffp/etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile    .ssh/authorized_keys

# For this to work you will also need host keys in /ffp/etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory /ffp/chroot

# no default banner path
#Banner none

# override default of no subsystems
Subsystem    sftp    /ffp/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#    X11Forwarding no
#    AllowTcpForwarding no
#    ForceCommand cvs server
Match group sftponly
    ChrootDirectory /mnt/HD_a2/home/%u
#    ChrootDirectory /home/%u
    ForceCommand internal-sftp
#    AllowTCPForwarding no 
#      X11Forwarding no

/etc/passwd:
root:x:0:0:Linux User,,,:/home/root:/ffp/bin/sh
admin:x:500:500:Linux User,,,:/home/admin:/bin/sh
nobody:x:501:501:Linux User,,,:/home/nobody:/bin/sh
sshd:x:33:33:sshd:/:/bin/false
testuser:x:1006:1006::/mnt/HD_a2/home/testuser:/ffp/bin/sh

/etc/group
sftponly:x:1003:testuser

in filezilla i get:
Error:    Network error: Software caused connection abort
Error:    Could not connect to server

root can login via sftp
the /home directory is owned by root
i thought maybe it has to be on /mnt/HD_a2/home but it is still the same result

i tried to activate logging via (sshd_config):
SyslogFacility AUTH
LogLevel DEBUG3

but i can't find any log file related to sshd (/vart/log or /ffp/var/log)

any idea?

*update*
i reinstalled openssh
when i add the line for chrootdirectory, sftp does not work anymore for that user

filezilla:
Error:    Network error: Software caused connection abort
Error:    Could not connect to server

shell sftp session:
Read from remote host localhost: Connection reset by peer
Couldn't read packet: Connection reset by peer

so can someone confirm that the function chrootdirectory is actually working with ffp/dns323??

Last edited by mastervol (2008-10-05 18:27:09)

Here is what I did:

I want some users to access my box over the internet through sftp without exposing the system files.

First make a user group. This can be done with the web interface or with
groupadd ftpuser

After that make a user. This user can only use sftp and does not get shell/ssh access.

adduser -G ftpuser -s /bin/false <username>

Store the password with store-passwd.sh so it'll survive a reboot

Make a directory on the nas that will be used for sftp. eg  /mnt/HD_a2/sftp/
It important that all directories leading to this directory ( /mnt/, HD_a2/ and sftp/) have 755 rights. and thay should be owned by root:root
Otherwise ssh/sftp will not work.
Go to cd / and:

chmod 755 mnt/
chown root:root mnt/

Do this with the whole path to sftp. Don't use the -R option, it's only the directory you want, not the files in it.
In the sftp/ directory you can creat a sub-directory with 777 rights (eg /incoming). Users can write files here.

Add the next lines to /ffp/etc/ssh/sshd-config

Match group ftpuser
         ChrootDirectory /<path to sftp directory>
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp

Now restart your NAS or restart ssh (do this through telnet, you will be disconnected from ssh)
If it doesn't work, check the rights from every directory from / to your sftp directory.

Last edited by RunaR (2009-01-29 11:37:29)

Crap, you are right!
I did not notice it, because I have my ffp on a USB stick. Every thing just seem to work right. Is there a work a round? make a mount to the sftp directory?

Last edited by RunaR (2009-01-29 13:52:10)

I've created an extra mount with the correct rights:

mkdir /mnt/sftp
mount --bind /mnt/HD_a2/sftp /mnt/sftp
chmod 755 /mnt/sftp

and added this to my fun_plug.local

I changed the chrootDirectory in sshd-config to /mnt/sftp

This seems to work.

Last edited by RunaR (2009-01-29 13:53:53)