OpenSSH Windows Security

My company has a requirement for secure file transfer. We are limited
to Windows Server 2003. I have successfully set up OpenSSH via Cygwin on
this server.

The problem I am having is that I cannot seem to figure out how to
isolate users. They are permitted to travel up the directory structure
into the cygwin directories. Granted it is only read access, but how
can I lock them into their home directory?

I have tried changing permissions on the parent directories, but as soon
as I do, the user can no longer log in.

Re: OpenSSH Windows Security

Maybe setting up chroot cages would help?

Kind regards

Re: OpenSSH Windows Security

Erik Naslund wrote: [quoted text omitted]

You need to put them in a chroot jail. Don't know about Cygwin, but
instructions for doing this with OpenSSH in a "real" *nix environment
can be found here...

OpenSSH really isn't the best choice if you just need to move files.
It is, as the name implies, a "shell" which needs certain things to
function. This makes chrooting users much more difficult.

Re: OpenSSH Windows Security

I can prevent them from having shell access by changing their default
shell variable to /usr/sbin/sftp-server or the like.

The goal is to only allow SFTP/SCP access and to lock them into their
home directories. As far as I know, OpenSSH is the only option for
secure file transfer in Windows. (Welcoming alternatives at this point.)

I will have a look at the link you provided and see what mileage I can
get with cygwin. I will post the results.

TwistyCreek wrote: [quoted text omitted]

Re: OpenSSH Windows Security

There is also SFTP and FTP/TLS-SSL. Serv-U and other Windows FTP servers
provide directory limits.

The user experience is not a transparent Windows Explorer sort, though.


Re: OpenSSH Windows Security

nemo_outis wrote: [quoted text omitted]

SFTP is typically defined as using an SSH capable FTP client to connect
to an SSH server. It uses the "native" commands on the server to provide
directory services, and needs to be secure exactly like a "raw" SSH
session would be with respect to up-level directory access.

There is a server daemon named SFTP, but it also allows access to all
the directories a user has permission to access, and requires that
permissions be set in such a way that access to $FTPROOT is allowed for
all users. The same problem the OP is running up against with SSH
I think. :-(

FTPS and a proper FTP server would be my choice, and with the right
file manager on the client side moving files back and forth could be as
transparent as moving them from folder to folder on your own machine
(does Tuxcmd have a Windows port)? <g> It wouldn't be all that
complicated to script the whole thing if these file transfers followed
patterns or routine.

My second choice would be a full blown VPN solution, FWIW. Second to
FTPS only because I think it's a little bit of an overkill for the
problem the OP is trying to solve.

Are there no VFS "plugins" for Windows file managers?

I knew there was a reason I dumped all things Windows years ago. ;-)

Re: OpenSSH Windows Security

Borked Pseudo Mailed wrote: [quoted text omitted]

Try Novell NetDrive (but be aware of the improper ACLs set by the
installer). It allows you to mount FTPVFS with FTPS as a net drive.

There are, but only third-party.

Re: OpenSSH Windows Security

Borked Pseudo Mailed wrote: [quoted text omitted]

A full blown VPN is maybe a bit heavy, but today, most versions of
Windows make establishing IPSec tunnels between two machines (IP
addresses) very easy. Wouldn't that be a simple and good choice for
solving the problem of the OP?

A page with links to IPSec Resources for Windows 2000:

IPSec tunneling resources:

Kind regards,
Nomen Nescio

Re: OpenSSH Windows Security


Try PuTTY instead - small, fast, nice GUI.

 Vista error#4711: TCPA / RIAA / NGSCP / WGA VIOLATION: Microsoft
 optical mouse detected Linux patterns on mousepad. Partition scan in
 progress to remove offending, unapproved products. Request permission,
 and apply for a new key to reactivate MS software at


Re: OpenSSH Windows Security

VanDyke VShell Server is what our company ultimately implemented for
Windows ssh/scp due to several issues with Cygwin/OpenSSH on the
Windows side.

If you can't get openssh to get where you wanna go with cygwin on
windows, this may be worth looking into.  

There are also dedicated ssh newsgroups where mega ssh gurus hang out
and could tell you best practices.

Best Regards,
Todd H.

Re: OpenSSH Windows Security


If you have a bit of cash (relative), BitVise provide an easy-to-install and
manage OpenSSH server + commercial support.

There are a couple of other providers but these guys seem ok to me.

Hope this helps.


Re: OpenSSH Windows Security


I installed OpenSSH for Windows on a Windows 2003 server. As long as
my server userid has admin privilege, I can use that id to remote
connect from the Net using an SFTP client.

However, my SFTP client connection will be rejected with an "access
denied" error if the Windows id has only "Users" privilege, even though
I had verified that the directory was created and assigned all privileges
for the login id under the SFTP home root directory. As soon as I added
admin privilege to the login id, it all works, but you would understand
that I do not want all SFTP users to have admin rights.

So how do I resolve this access problem?


