Sftp chroot is needed

For the chroot, it seems that root:root must be the owner of the chroot /var/lib/nethserver/home/%u; I do not know about the mess we could make :-?

First of all thanks to @flatspin for pointing out that the .p12 files are world readable. That is a security issue and a fix was released.

The bug is recorded here: https://github.com/NethServer/dev/issues/6000

Thanks to @dixan83 for raising the issue of SFTP. I think the current configuration is far from being perfect, but it is not wrong. Let’s open a new topic under the #feature category and decide what we want to achieve with the SFTP server. What features are needed? What can the admin change and what can users do with it, provided that backward compatibility with the current system behavior is preserved?

Thanks to @stephdl for the configuration development hints. I have a chroot SFTP configuration too on a non-NS system. It sets a chroot for a group of users. This is an excerpt:

Subsystem sftp internal-sftp -u 0002
Match Group sftpusers
  ChrootDirectory /home

Match all
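Both the excerpt above and the earlier remark that the chroot must be owned by root:root point at the same requirement: sshd refuses a chrooted session ("bad ownership or modes for chroot directory") unless the ChrootDirectory and every parent up to / are owned by root and not group- or world-writable. The following script is an added pre-flight check for that rule; it is not NethServer code and it assumes GNU coreutils stat (as on CentOS) and an absolute path argument.

```shell
#!/bin/sh
# Added example (not NethServer code): verify that a directory satisfies the
# ownership rules sshd enforces for ChrootDirectory: the directory and every
# parent up to / must be owned by root and must not be group- or world-writable.
# Relies on GNU stat's -c format (coreutils).

# Pure rule: check_component UID MODE -> returns 0 if acceptable, 1 if not.
# MODE is the octal string printed by `stat -c %a` (e.g. 755, 1777, 2775).
check_component() {
    uid=$1
    mode=$2
    [ "$uid" = "0" ] || return 1              # must be owned by root
    other=${mode#"${mode%?}"}                 # last octal digit (world)
    rest=${mode%?}
    group=${rest#"${rest%?}"}                 # second-to-last digit (group)
    [ -z "$group" ] && group=0
    [ $(( group & 2 )) -eq 0 ] || return 1    # group write bit must be clear
    [ $(( other & 2 )) -eq 0 ] || return 1    # world write bit must be clear
    return 0
}

# check_chroot_path /absolute/dir -> prints each offending component;
# returns 0 when every component passes, 1 otherwise, 2 if the path is missing.
check_chroot_path() {
    p=${1%/}                                  # drop a trailing slash
    [ -z "$p" ] && p=/
    [ -d "$p" ] || { echo "missing: $p"; return 2; }
    status=0
    while :; do
        [ -z "$p" ] && p=/
        set -- $(stat -c '%u %a' "$p")        # $1 = uid, $2 = octal mode
        if ! check_component "$1" "$2"; then
            echo "bad ownership or modes: $p (uid=$1 mode=$2)"
            status=1
        fi
        [ "$p" = "/" ] && break
        p=${p%/*}                             # walk up one component
    done
    return $status
}

# Usage: sh check_chroot.sh /var/lib/nethserver/home/alice
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it against the path you intend to put in ChrootDirectory before restarting sshd; an empty output and exit status 0 means the path will be accepted. Note that because the chroot itself has to be root-owned, the user's writable area must be a subdirectory (for example a root-owned /home with a user-owned /home/alice underneath), which is exactly why the excerpt chroots the group to /home rather than to each user's home.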

@davidep thanks for the reply. Please take a look: sftp access remains enabled and accessible with the shell permission option disabled via the GUI. That will be the main issue to solve, because it is critical. The other issues detected started with ftps access as the main root cause.
Expected behavior: if no shell is allowed, then no sftp access either. That will minimize the impact until the developer team solves the other related issues.
Again, thanks for all.
Regards!
Dx

SFTP is always available to any system user.

The UI label could be ambiguous. In Cockpit it is “Shell”, in nethgui it is “Remote shell (SSH)”. I prefer the first, because it tells what it does.

That checkbox switches the user shell in the passwd database from /bin/bash to /usr/libexec/openssh/sftp-server.

This could be a new feature: grant sftp to certain users/groups. Now it is always “everyone”.

