Doubt about SFTP connection - SFTP Plugin

  • Hi :)


Here is my question on SFTP, as I'm a little confused at the moment.


    I'm using the letsencrypt container from linuxserver and registered a domain on duckdns.


Just tried with WinSCP and I can connect to my domain using its name registered on duckdns on a port that I have forwarded to port 22. That's ok.


What I do not understand is: is this secure? Is this connection using the certificate created by the letsencrypt container?


I see in WinSCP that I'm using SSH-2, and the AES 256 algo.

  • SFTP is being handled by the sshd daemon. There is no involvement with your letsencrypt container and certificate.


    SFTP and sshd are very secure so long as you don't lose control of your passwords and keys (if used).

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 5.x on ASRock Rack C2550D4I C0 Stepping - 16GB ECC - Silverstone DS380 + Silverstone DS380 DAS Box.

  • Thanks!


In WinSCP I also read the "server host key fingerprint". Where does this come from?


And also, if I create another user, and set particular privileges for that user on the shared folder, can he access the same way I do, with his own password, and see only the shared folder I have set up for him with the privileges?

  • The server key fingerprint is sent over the connection from the sshd server, the idea being that whoever is running the server will provide this fingerprint to you in some other way - email, text message, phone call, etc.


    Then when you connect to the server and compare the fingerprints you will see they are the same so you are connected to the server you think you are connected to. If the fingerprints differ there is something in between you and the server that is intercepting the connection. This is known as a man in the middle attack and whoever is doing that will be able to intercept your password if you continue to connect.


    If you use the OMV SFTP plugin, you can set up another user but that user will be jailed in his own directory structure and unable to see the files of others. I don't use the plugin so I do not know how it interacts with OMV shared folders and privileges.

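The reply above describes why the host key fingerprint matters: the server sends its host key, the client hashes it, and the operator hands the expected hash to the user over a separate channel so an interposed server would be noticed. As an added example (not code from the thread, from OMV or from WinSCP), here is what that fingerprint actually is and how the client-side comparison looks. The host key embedded below is constructed for the demo (its 32 key bytes are simply 0..31), not a real key; the function and constant names are my own.

```python
# Added example (not from the thread or OMV/WinSCP): what an SSH host key
# fingerprint is and how a client-side check against a fingerprint obtained
# out of band looks.  The host key below is constructed for the demo, not a
# real key.
from __future__ import annotations

import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def build_pubkey_line(raw_ed25519_point: bytes, comment: str = "omv-host") -> str:
    """Assemble an OpenSSH public-key line for an ssh-ed25519 key.
    The blob is base64(string("ssh-ed25519") || string(32-byte point))."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_ed25519_point)
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


def parse_openssh_pubkey(line: str) -> tuple[str, bytes]:
    """Split a public-key line (as found in /etc/ssh/ssh_host_*.pub or
    ~/.ssh/known_hosts) into (key type, raw blob), sanity-checking that the
    blob's embedded type string agrees with the text field."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public-key line")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode("ascii") != keytype:
        raise ValueError("key type field does not match blob")
    return keytype, blob


def sha256_fingerprint(blob: bytes) -> str:
    """Modern OpenSSH fingerprint: 'SHA256:' + base64 of SHA-256(blob),
    with the trailing '=' padding removed (43 characters)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy fingerprint (older clients; WinSCP also shows an MD5 form):
    'MD5:' + colon-separated hex of MD5(blob)."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def host_key_matches(presented_line: str, expected_fingerprint: str) -> bool:
    """The check a client should make on first connect: compute the fingerprint
    of the key the server presented and compare it to the one the operator gave
    you out of band.  Either fingerprint format is accepted; the comparison is
    constant-time."""
    _, blob = parse_openssh_pubkey(presented_line)
    expected = expected_fingerprint.strip().rstrip("=")
    if expected.startswith("SHA256:"):
        actual = sha256_fingerprint(blob)
    elif expected.startswith("MD5:"):
        actual = md5_fingerprint(blob).lower()
        expected = expected.lower()
    else:
        raise ValueError("expected fingerprint must start with SHA256: or MD5:")
    return hmac.compare_digest(actual, expected)


# Constructed demo key (the 32 bytes are 0..31, not a real public key point).
CONSTRUCTED_HOST_KEY = build_pubkey_line(bytes(range(32)))
CONSTRUCTED_FINGERPRINT = sha256_fingerprint(parse_openssh_pubkey(CONSTRUCTED_HOST_KEY)[1])

if __name__ == "__main__":
    print("server presented:", CONSTRUCTED_HOST_KEY)
    print("fingerprint:     ", CONSTRUCTED_FINGERPRINT)
    print("matches out-of-band value:", host_key_matches(CONSTRUCTED_HOST_KEY, CONSTRUCTED_FINGERPRINT))
    # A different key, such as one presented by an interposed server, must not match.
    other = build_pubkey_line(bytes(32))
    print("different key matches:", host_key_matches(other, CONSTRUCTED_FINGERPRINT))
```

On the real server the same value comes from `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` (or the rsa/ecdsa key file), which is what the operator would send the user; WinSCP caches the key after the first accepted connection and warns if it later changes, so the check only has to be done carefully once per host.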

Just installed the sftp plugin. It's up and running. Added my user to the sftp-access group and edited the shared folder privileges for my user (sftp-access). But when I try to connect with WinSCP I have an error:


    Authentication log (see session log for details):

    Using username "steakhutzeee".


    Authentication failed.


    From WinSCP log:


    2020-04-08 01:09:21.855 Using stored password.
    . 2020-04-08 01:09:21.892 Sent password
    . 2020-04-08 01:09:21.906 Access granted
    . 2020-04-08 01:09:21.906 Opening main session channel
    . 2020-04-08 01:09:22.952 Network error: Software caused connection abort
    * 2020-04-08 01:09:23.031 (EFatal) Network error: Software caused connection abort
  • I have no ideas. I do not use the SFTP plugin and I have no Windows machines so no WinSCP here either.


  • Did you edit the privileges before or after adding to the sftp access list? Are you editing privileges or ACLs? What filesystem? I have used this plugin a lot and don't think this is a problem with the plugin or WinSCP.

    omv 5.5.1 usul | 64 bit | 5.4 proxmox kernel | omvextrasorg 5.3.3
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • Did you edit the privileges before or after adding to the sftp access list? Are you editing privileges or ACLs? What filesystem? I have used this plugin a lot and don't think this is a problem with the plugin or WinSCP.

Privileges edited after adding to the sftp access list. Editing privileges, not ACLs. My shared folders are on an ext4 HD.

Tried to remove the shared folder from the access list and add it again. Same issue.

  • Privileges edited after adding the sftp access list.

    This should really be done the other way around. I would delete the current entries in the sftp access list and recreate them after making sure all privileges are already setup.


  • After some more testing and depending on how you installed, the root folder / might have the wrong permissions for chroot. They should be 755 but the plugin should not be responsible for changing that.

    sudo chmod 755 /


    And /sftp should be 755 but it looks like saltstack is making it 777 even though I specify 755 in the code. I will find a way to make sure that is correct in the plugin but it is easy to fix:

    sudo chmod 755 /sftp


    After that, I had no issues with the plugin.

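The failure pattern in the thread ("Access granted" followed immediately by a dropped connection) and the fix (`chmod 755` on `/` and `/sftp`) both follow from how sshd chroots a user: sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by any other user or group, otherwise the session is aborted right after authentication. This is also what the earlier reply means by the user being "jailed in his own directory structure". As an added example (not code from the thread or from the OMV SFTP plugin), the audit below walks that directory chain and reports exactly the conditions sshd checks, and can optionally clear the group/world write bits the way the thread's chmod does. It assumes a POSIX system; `/sftp` is the plugin's chroot base named in the thread, and the `expect_uid` parameter exists only so the check can be exercised on a non-root test tree (for a real check leave it at 0 and run as root).

```python
# Added example (not from the thread or the OMV SFTP plugin): audit the
# directory chain sshd inspects for ChrootDirectory and, optionally, apply the
# same fix the thread uses (clear group/world write, i.e. 777 -> 755).
# sshd_config(5): every component of the chroot path must be a root-owned
# directory not writable by any other user or group.
from __future__ import annotations

import os
import stat
from pathlib import Path

WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def _chain(path: str, top: str) -> list[Path]:
    """Directories from `top` down to `path` inclusive, symlinks resolved."""
    target, base = Path(path).resolve(), Path(top).resolve()
    rel = target.relative_to(base)  # raises ValueError if path is outside top
    chain, current = [base], base
    for part in rel.parts:
        current = current / part
        chain.append(current)
    return chain


def chroot_path_problems(path: str, top: str = "/", expect_uid: int = 0) -> list[str]:
    """Return one message per violation.  `expect_uid` is 0 (root) for a real
    sshd check; it is a parameter only so the audit can run on a test tree
    owned by an unprivileged user."""
    problems = []
    for d in _chain(path, top):
        st = os.stat(d)
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{d}: not a directory")
            continue
        if st.st_uid != expect_uid:
            problems.append(f"{d}: owned by uid {st.st_uid}, expected {expect_uid}")
        if st.st_mode & WRITE_BY_OTHERS:
            problems.append(f"{d}: mode {oct(stat.S_IMODE(st.st_mode))} is group/world writable")
    return problems


def repair_modes(path: str, top: str = "/", apply: bool = False) -> list[str]:
    """Directories in the chain whose mode must change.  Ownership problems are
    reported by chroot_path_problems but never changed here.  With apply=True
    the group and world write bits are cleared, which turns the 777 from the
    thread into 755 (and a sticky 1777 into 1755, which sshd also accepts)."""
    changed = []
    for d in _chain(path, top):
        st = os.stat(d)
        if stat.S_ISDIR(st.st_mode) and st.st_mode & WRITE_BY_OTHERS:
            if apply:
                os.chmod(d, stat.S_IMODE(st.st_mode) & ~WRITE_BY_OTHERS)
            changed.append(str(d))
    return changed


if __name__ == "__main__":
    # /sftp is the plugin's chroot base from the thread; run as root for a real check.
    try:
        for line in chroot_path_problems("/sftp") or ["/sftp: chain is acceptable for ChrootDirectory"]:
            print(line)
    except FileNotFoundError as err:
        print(err)
```

Run it before changing anything; `repair_modes(path, apply=True)` only touches mode bits, so a directory owned by the wrong user still has to be fixed by hand, and the plugin (as its author says above) should be the one setting `/sftp` to 755 in the first place.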

  • Issued both commands you posted and issue is fixed. Thanks!

Last question, maybe a dumb one: using this method will not prevent the user (me in this case) from connecting to SFTP via port 22 and seeing the entire root dir? I tried just now and I can access that without issue as well.


    EDIT: I suppose this happens because I'm in the ssh group.


Could it be possible to set granular permissions for the subfolders of the shared folders? Should I use ACLs?

Could it be possible to set granular permissions for the subfolders of the shared folders? Should I use ACLs?

    I hate ACLs and have never needed them. If you set permissions by folders, you could do it by sharedfolders. You will just have to try the options and see what works best for you.


  • I have just added a second user to the system in groups (users, sftp-access).


I see I can set privileges for sftp-access generally, but I can overwrite that setting with custom privileges for every user.


So basically for shared folder "A", the sftp-access group has read/write access. But I can set different privileges for User1 and User2. For example, User2 can only read, so when connecting via SFTP no file can be deleted. Correct?
