sFTP, share folders, security

    • OMV 3.x


    • sFTP, share folders, security

      Hello,

      I have been trying to access my OMV data from OpenVPN; while the accessibility is easy, I'm not having optimal performance.

      So I wanted to try sFTP, since it's a direct protocol, unlike OpenVPN where you still need to use another protocol to transfer data (SMB, FTP...).

      I have enabled the sFTP plugin and given access to one of my users with a specific shared folder; however, when I connect to the sFTP I'm on the root folder of my system instead of the folder I specified!! How come?

      Another question would be regarding security: the consensus seems to be that sFTP > OpenVPN+FTP, why's that? Because from what I understand, I'm connecting to OpenVPN with a key that is stored in my client that seems quite large, while with sFTP I will be using a simple password to access it via port forwarding on my ISP box, right?

      Thank you.
    • I run SFTP server on my OMV box but I do not use the plugin. I use the same basic chroot setup I have been using for more than 15 years which is fairly easily configured by hand and well documented on the internet. I allow password logins but protect against brute forcing with denyhosts, and do not expose it on the standard port 22.

      I do not know why the SFTP plugin is not properly chrooting. Maybe try removing the plugin and try again, but as I said I do not use it myself. Are you connecting to the correct port?

      Connecting to a SFTP server only requires simple client software as opposed to a more complicated client side OpenVPN setup. I can't say which is more secure and I think any differences would be minor, assuming best practice setups.

      Having said that, using public/private keying may be more secure than access via password in that passwords can be brute force attacked. But with good strong passwords and server side protection against brute force attacking, it makes little practical difference so long as the private keys are protected from theft and well protected with good strong passwords - not something everybody does well enough - lazy people will run with no password protection on their private keys and have setups that do not rule out private key theft and log snooping to see where the users are connecting to.

      Also, not allowing password access and requiring public/private keying does not prevent people from trying to log in with passwords, and these attempts will flood your logs if you don't protect the server against brute force attacks. Not allowing password access just means that password access is guaranteed to fail.
      OMV 4.x - ASRock Rack C2550D4I - 16GB ECC - Silverstone DS380


    • gderf wrote:

      I do not know why the SFTP plugin is not properly chrooting. Maybe try removing the plugin and try again, but as I said I do not use it myself.
      It should unless the user and share are configured wrong.

      wolf69 wrote:

      I have enabled the sFTP plugin and given access to one of my users with a specific shared folder; however, when I connect to the sFTP I'm on the root folder of my system instead of the folder I specified!! How come?
      Did you add the user to the sftp-access group? The user will only be chroot'd if they are in the sftp-access group - github.com/OpenMediaVault-Plug…diavault/mkconf/sftp#L109
      omv 4.1.17 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.13
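      The group-conditional chroot described in the reply above can be checked offline against a copy of the server configuration. This is an added example, not the plugin's code: the sample config, paths and user name are constructed, only `Match Group` with exact names and `Match all` are modelled, and on a live system `sshd -T -C user=NAME,host=HOST,addr=ADDR` prints the authoritative effective settings.

```python
# Added example: simplified model of sshd_config resolution for one login.
# Models only "Match Group a,b" (exact names) and "Match all".
SAMPLE_CONFIG = """\
# Constructed sample, not the file the OMV plugin generates
Port 2222
PasswordAuthentication yes
Subsystem sftp internal-sftp
Match Group sftp-access
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""


def effective_settings(config_text, user_groups):
    """Return {keyword: value} (keywords lower-cased) for a user in user_groups."""
    global_opts, match_opts = {}, {}
    in_match, active = False, True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
            crit = value.split()
            if len(crit) == 1 and crit[0].lower() == "all":
                active = True
            elif len(crit) == 2 and crit[0].lower() == "group":
                active = bool(set(crit[1].split(",")) & set(user_groups))
            else:
                active = False  # criteria this sketch does not model
        elif in_match:
            if active:
                match_opts.setdefault(keyword, value)  # first matching block wins
        else:
            global_opts.setdefault(keyword, value)  # first occurrence wins
    return {**global_opts, **match_opts}  # Match values override global ones


def chroot_findings(config_text, user, user_groups):
    """List reasons why this user's SFTP session would not be confined."""
    opts = effective_settings(config_text, user_groups)
    findings = []
    if opts.get("chrootdirectory", "none").lower() == "none":
        findings.append(f"{user}: no ChrootDirectory applies; session sees the real /")
    if opts.get("forcecommand", "none") != "internal-sftp":
        findings.append(f"{user}: not restricted to internal-sftp")
    return findings
```

      An empty list from `chroot_findings` means both the chroot and the forced `internal-sftp` command apply to that user's group set; a user outside the matched group gets both findings.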
    • Thanks gderf for the security insight, I will look at denyhosts and public/private keys.

      ryecoaaron wrote:

      gderf wrote:

      I do not know why the SFTP plugin is not properly chrooting. Maybe try removing the plugin and try again, but as I said I do not use it myself.
      It should unless the user and share are configured wrong.

      wolf69 wrote:

      I have enabled the sFTP plugin and given access to one of my users with a specific shared folder; however, when I connect to the sFTP I'm on the root folder of my system instead of the folder I specified!! How come?
      Did you add the user to the sftp-access group? The user will only be chroot'd if they are in the sftp-access group - github.com/OpenMediaVault-Plug…diavault/mkconf/sftp#L109
      Yes, my user is in the sftp-access group.

      I have also seen that the permissions for the shares were not configured on my sftp-access group, but even with that configured I'm still on the root folder for this user.

      I also checked my permissions on this user using sFTP, and I have all permissions on my shared folders while I configured only read access for the user AND the sftp-access group.
      If I use SMB or FTP the permissions are right.


      Edit: I finally only access the folder shared in the "access list" tab on sFTP; there was an option "allow access to sftp-access group only" that I didn't tick... silly me... sorry about that.

      Only the permission issue remains: I still have all access on non-system files (since my user is only a User) while it only has read permissions.