sFTP, share folders, security

  • Hello,


    I have been trying to access my OMV data from OpenVPN, while the accessibility is easy i'm not having optimal performance.


    So i wanted to try sFTP, since it's a direct protocol unlike OpenVPN where you still need to use another protocol to transfer data (SMB, FTP...).


    I have enable sFTP pluggin, give access to one of my user with a specific share folder, however when i connect to the sFTP i'm on the root folder of my system instead of the folder i specified!! How come?


    Another question would be regarding security, the consensus seems to be that sFTP> OpenVPN+FTP, why's that? because from what i understand i'm connecting to OPenVPN whith a key thats is stored in my client thats seems quite large while with sFTP i will be using a simple password to access it via port forwarding on my ISP box, right?


    Thank you.

  • I run SFTP server on my OMV box but I do not use the plugin. I use the same basic chroot setup I have been using for more than 15 years which is fairly easily configured by hand and well documented on the internet. I allow password logins but protect against brute forcing with denyhosts, and do not expose it on the standard port 22.


    I do not know why the SFTP plugin is not properly chrooting. Maybe try removing the plugin and try again, but as I said I do not use it myself. Are you connecting to the correct port?


    Connecting to a SFTP server only requires simple client software as opposed to a more complicated client side OpenVPN setup. I can't say which is more secure and I think any differences would be minor, assuming best practice setups.


    Having said that, using public/private keying may be more secure than access via password in that passwords can be brute force attacked. But with good strong passwords and server side protection against brute force attacking, it makes little practical difference so long as the private keys are protected from theft and well protected with good strong passwords - not something everybody does well enough - lazy people will run with no password protection on their private keys and have setups that do not rule out private key theft and log snooping to see where the users are connecting to.


    Also, not allowing password access and requiring public/private keying does not prevent people from tying to login with passwords, and these attempts will flood your logs if you don't protect the server against brute force attacks. Not allowing password access just means that password access is guaranteed to fail.

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 5.x on ASRock Rack C2550D4I C0 Stepping - 16GB ECC - Silverstone DS380 + Silverstone DS380 DAS Box.

    Edited once, last by gderf ().

  • I do not know why the SFTP plugin is not properly chrooting. Maybe try removing the plugin and try again, but as I said I do not use it myself.

    It should unless the user and share are configured wrong.

    I have enable sFTP pluggin, give access to one of my user with a specific share folder, however when i connect to the sFTP i'm on the root folder of my system instead of the folder i specified!! How come?

    Did you add the user to the sftp-access group? The user will only be chroot'd if they are in the sftp-access group - https://github.com/OpenMediaVa…diavault/mkconf/sftp#L109

    omv 5.5.6 usul | 64 bit | 5.4 proxmox kernel | omvextrasorg 5.3.5
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • Thanks gderf for the security insight, i will look at denyhost and public/private keys.


    It should unless the user and share are configured wrong.

    Did you add the user to the sftp-access group? The user will only be chroot'd if they are in the sftp-access group - https://github.com/OpenMediaVa…diavault/mkconf/sftp#L109

    Yes my user is in the sftp-access group.


    I have also seen that the permissions for the shares were not configured on my sftp-access group, but even with that configured i'm still on root folder for this user.


    I also checked my permissions on this user using sFTP, and i have all permissions on my shred folders while i configure only read access for the user AND sftp-access group.
    If i use SMB or FTP the permissions are right.



    Edit: i finally only access the folder shared in the "access list" tab on sFTP, there was an option "allow access to sftp-access group only" that i didnt ticked...silly me...sorry baout that.


    Only permission issue remain, i still have all access on non system files (since my user is only a User) while it only have read permissions

  • OMV connect root


    # groupadd -r sftpusers
    # chown root:root /media/YouSftpShareFolder
    # chmod 755 /media/YouSftpShareFolder
    # exit


    WebPanel OMV:


    Create new group: SftpAccess
    Create new user: SftpUser (select SHELL /bin/false)
    Add SftpUser to SftpAccess


    SSH Extra options add:



    # External access sftp /media/YouSftpShareFolder
    Match Group Sftp-Access
    ForceCommand internal-sftp -u 0002
    PasswordAuthentication yes
    ChrootDirectory /media/YouSftpShareFolder
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no


    Clik button -> Save

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!