Doubt about SFTP connection - SFTP Plugin

  • Hi :)


    Here is my question on SFTP, as per i'm a little confuse at the moment.


    I'm using the letsencrypt container from linuxserver and registered a domain on duckdns.


    Just tried with WinSCP and i can connect to my domain using its name registered on duckdns on a port that i have forwarded to port 22. That's ok.


    What i do not understand is, is this secure? Is this connection using the certificate created by the letsencrypt container?


    I see in WinSCP that i'm using SSH-2, and AES 256 algo.

  • SFTP is being handled by the sshd daemon. There is no involvement with your letsencrypt container and certificate.


    SFTP and sshd are very secure so long as you don't lose control of your passwords and keys (if used).

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 5.x on ASRock Rack C2550D4I C0 Stepping - 16GB ECC - Silverstone DS380 + Silverstone DS380 DAS Box.

  • Thanks!


    In WinSCP i read also the server key host fingerprint". How this come from?


    And also, if i create another user, and set particular Privilages for that user on the shared folder, he can access the same way i do, with his own password and see only the sharedfolder i have setup for him with the Privileges?

  • The server key fingerprint is sent over the connection from the sshd server, the idea being that whoever is running the server will provide this fingerprint to you in some other way - email, text message, phone call, etc.


    Then when you connect to the server and compare the fingerprints you will see they are the same so you are connected to the server you think you are connected to. If the fingerprints differ there is something in between you and the server that is intercepting the connection. This is known as a man in the middle attack and whoever is doing that will be able to intercept your password if you continue to connect.


    If you use the OMV SFTP plugin, you can set up another user but that user will be jailed in his own directory structure and unable to see the files of others. I don't use the plugin so I do not know how it interacts with OMV shared folders and privileges.

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 5.x on ASRock Rack C2550D4I C0 Stepping - 16GB ECC - Silverstone DS380 + Silverstone DS380 DAS Box.

  • Just installed the sftp plugin. It's up and running. Added my user to the sftp-access group and edited the sharedfolder privileges for my user (sftp-access). But when i try to connect with WinSCP i have error:


    Authentication log (see session log for details):

    Using username "steakhutzeee".


    Authentication failed.


    From WinSCP log:


    Code
    2020-04-08 01:09:21.855 Using stored password.
    . 2020-04-08 01:09:21.892 Sent password
    . 2020-04-08 01:09:21.906 Access granted
    . 2020-04-08 01:09:21.906 Opening main session channel
    . 2020-04-08 01:09:22.952 Network error: Software caused connection abort
    * 2020-04-08 01:09:23.031 (EFatal) Network error: Software caused connection abort
  • steakhutzeee

    Changed the title of the thread from “Doubt about SFTP connection” to “Doubt about SFTP connection - SFTP Plugin”.
  • I have no ideas. I do not use the SFTP plugin and I have no Windows machines so no WinSCP here either.

    --
    Google is your friend and Bob's your uncle!


    OMV AMD64 5.x on ASRock Rack C2550D4I C0 Stepping - 16GB ECC - Silverstone DS380 + Silverstone DS380 DAS Box.

  • Did you edit the privileges before or after adding to the sftp access list? Are you editing privileges or ACLs? What filesystem? I have used this plugin a lot and don't think this is a problem with the plugin or WinSCP.

    omv 5.5.11 usul | 64 bit | 5.4 proxmox kernel | omvextrasorg 5.3.6
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • Did you edit the privileges before or after adding to the sftp access list? Are you editing privileges or ACLs? What filesystem? I have used this plugin a lot and don't think this is a problem with the plugin or WinSCP.

    Privileges edited after adding the sftp access list. Editing proviliges, not ACLs. My sharedfolders are on ext4 HD.

    Tried to remove the sharedfolder from the access list and add it again. Same issue.

  • Privileges edited after adding the sftp access list.

    This should really be done the other way around. I would delete the current entries in the sftp access list and recreate them after making sure all privileges are already setup.

    omv 5.5.11 usul | 64 bit | 5.4 proxmox kernel | omvextrasorg 5.3.6
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • After some more testing and depending on how you installed, the root folder / might have the wrong permissions for chroot. They should be 755 but the plugin should not be responsible for changing that.

    sudo chmod 755 /


    And /sftp should be 755 but it looks like saltstack is making it 777 even though I specify 755 in the code. I will find a way to make sure that is correct in the plugin but it is easy to fix:

    sudo chmod 755 /sftp


    After that, I had no issues with the plugin.

    omv 5.5.11 usul | 64 bit | 5.4 proxmox kernel | omvextrasorg 5.3.6
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • Issued both commands you posted and issue is fixed. Thanks!

  • Last question, maybe a dumb one, using this method will not prevent the user (me in this case) to connect to SFTP via port 22 and see the entire root dir? I tried just now and i can access without issue also to that.


    EDIT: I suppose this happens because I'm in the ssh group.


    Could be possible to set granular permissions for the subfolders of the sharedfolders? Should use ACL?

  • Could be possible to set granular permissions for the subfolders of the sharedfolders? Should use ACL?

    I hate ACLs and have never needed them. If you set permissions by folders, you could do it by sharedfolders. You will just have to try the options and see what works best for you.

    omv 5.5.11 usul | 64 bit | 5.4 proxmox kernel | omvextrasorg 5.3.6
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • I have just added a second user to the system in groups (users, sftp-access).


    I see i can set privileges for sftp-access generally, but i can overwrite that setting with custom privileges for every user.


    So basically for sharefolder "A", sftp-access group has read/write access. But i can set for User1 and User2 different privileges. For ex. User2 can only read, so connecting in sftp no file can be deleted. Correct?

  • @ryecoaaron Group sftp-access is set to read-only on a particular shared folder. When configuring that folder in sftp plugin for a new user OMV says that the user does not have read-only or read/write permissions. So what is the use of the sftp-access options in the priviliges if i have to set the priviliges manually for every user?


    And another issue is that i can only see the logs for my user in SFTP from "System Logs" tab, in fact i have the dev folder when connecting. Rsyslog is enabled, but there is no logging in SFTP for the second user i just created. It's part of users and sftp-access groups. In syslog instead i can see the user started his session.


    Tried to delete the user completely and also remove it from sftp access list and add it again but the issue persists.

  • Group sftp-access is set to read-only on a particular shared folder.

    The plugin does nothing with group permissions.

    When configuring that folder in sftp plugin for a new user OMV says that the user does not have read-only or read/write permissions. So what is the use of the sftp-access options in the priviliges if i have to set the priviliges manually for every user?

    The group determines if the user is chroot'd when sftp'ing in. It would be a major pain to add/maintain a folder to every share for every user that sftp-access has permissions too. How many users are you giving privileges too?

    And another issue is that i can only see the logs for my user in SFTP from "System Logs" tab, in fact i have the dev folder when connecting. Rsyslog is enabled, but there is no logging in SFTP for the second user i just created. It's part of users and sftp-access groups. In syslog instead i can see the user started his session.

    The plugin adds the rsyslog entry. It can't really do much more if your system is not logging anything to syslog. Not sure how to fix this.

    omv 5.5.11 usul | 64 bit | 5.4 proxmox kernel | omvextrasorg 5.3.6
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • The plugin does nothing with group permissions.

    The group determines if the user is chroot'd when sftp'ing in. It would be a major pain to add/maintain a folder to every share for every user that sftp-access has permissions too. How many users are you giving privileges too?

    The plugin adds the rsyslog entry. It can't really do much more if your system is not logging anything to syslog. Not sure how to fix this.

    What I am saying is that when checking privileges for shared folders, apart from my user and the other one I created I see also the sftp-access. Like it's an user. So the question was, what's the use of the sftp-access entry in the shared folders privileges if at the end the privileges are to be set per user?


    Regarding the log, that fixed on its own.


    EDIT: I have attached what I see in the privileges tab for every single shared folder.

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!