SFTP with AD authentication and folder Isolation

Status
Not open for further replies.

John Behmke (Cadet; joined Apr 26, 2017; 4 messages)
Hi,

New to FreeNAS. Looking to set up SFTP with AD authentication, which I have done and is working. The only thing I need is to be able to isolate users to their own folders and give direct access to just their folders from the share too...

Also, would there be a way to grant temp access to outside vendors to specific folders too?

Thanks for any help you can give.
 

John Behmke (Cadet; joined Apr 26, 2017; 4 messages)
We would like to do both: have a user able to put things in the SFTP folder at the office through SMB and then, off site, be able to use SFTP to access the same folder, if possible. I do not know fully the restrictions of this system.
 

anodos (Sambassador, iXsystems; joined Mar 6, 2014; 9,554 messages)
> We would like to do both: have a user able to put things in the SFTP folder at the office through SMB and then, off site, be able to use SFTP to access the same folder, if possible. I do not know fully the restrictions of this system.

There are a few problems with doing SFTP + SMB access. In order to securely provide SFTP access, you need to set up an "SFTP chroot".
For instance, if your shares are something like
  • /mnt/Tank/Samba/share1
  • /mnt/Tank/Samba/share2
  • /mnt/Tank/Samba/share3
you will need to chroot /mnt/Tank/Samba. Setting up an SFTP chroot requires very specific privileges and is not consistent with it simultaneously being a Samba share [SMB]. You might be able to configure /mnt/Tank/Samba as the chroot directory and then /mnt/Tank/Samba/share{1,2,3} as Samba shares. I haven't done this personally because:

SFTP clients do not understand SMB2 leases and oplocks. There is no way that an SFTP client can know whether a file in an SMB share is open by another user. This can lead to file corruption or file changes being accidentally overwritten / clobbered.

These are the reasons why setting up a proper VPN with a proper network design involving security zones limiting what remote users / vendors can access is vastly preferable to plain-jane SFTP access to a samba share.

As far as vendor accounts go, do that through Active Directory. If you have AD, all user accounts should be handled through it. This allows better integration with security tools. Remember that vendor backdoors are one of the easiest ways to compromise a network.
 

John Behmke (Cadet; joined Apr 26, 2017; 4 messages)
OK, let's take SMB out of the picture. I just need to have the SFTP have isolation for users. Say Jim Smith, username smithj, logs in. I want him to have his own folder that only he can see. Then I want Lisa Jones, username jonesl, to log in and only see her folder. I can also see down the road that they might want to have a folder that all users can see, or that certain groups of users can see, if possible.
 

anodos (Sambassador, iXsystems; joined Mar 6, 2014; 9,554 messages)
> OK, let's take SMB out of the picture. I just need to have the SFTP have isolation for users. Say Jim Smith, username smithj, logs in. I want him to have his own folder that only he can see. Then I want Lisa Jones, username jonesl, to log in and only see her folder. I can also see down the road that they might want to have a folder that all users can see, or that certain groups of users can see, if possible.
Well, post #5 in this thread will get you started
https://forums.freenas.org/index.php?threads/set-ad-user-sftp-home-folder.45082/

The rest is just a matter of setting permissions properly.
 

John Behmke (Cadet; joined Apr 26, 2017; 4 messages)
I am able to get all domain users to log into SFTP. I am still not able to get user isolation. They all still see the root folder with no isolation. I want the users to be able to get on to the SFTP and only see their own folder, nothing more. I don't want them to be able to see other users' folders or access them.

This is what I have in the sshd_config file:

Match Group SFTPUSERS
ChrootDirectory /mnt/BabulThorn/SFTP
ForceCommand internal-sftp
PasswordAuthentication yes
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no

I added the SFTPUSERS group to FreeNAS and I have the same group name in AD. (I added a few test users to the AD group so I can test it.)

/mnt/BabulThorn/SFTP is set as the Home Directory for sshd user
/mnt/BabulThorn/SFTP owner user is root
/mnt/BabulThorn/SFTP Owner group is wheel

Please help.....
 