Restrict SFTP access while allowing SMB service with AD

nekopep

Dabbler
Joined
Oct 18, 2017
Messages
10
Hello,
I have freenas version FreeNAS-11.2-U8 configured with sshd/smb with AD integration.

I got a big security issue because I just discovered that any AD domain user can log in to the server and list/read all files on / ...

#sftp DOMAIN\\user@serverip
DOMAIN\\user@serverip's password:
Connected to DOMAIN\\user@serverip.
sftp> cd /root
sftp> ls
backup etc...

I have several questions:
1/Is this standard freenas behaviour?
(perhaps I misconfigured something...)

2/How to disable SFTP access
(I got this in sshd)
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

If I comment this out, is this OK, or should I click somewhere in the GUI instead?

Optional:
3/Why are the permissions on / so permissive? (e.g. /root readable by everyone) Is this normal? (root allows read access...):

Code:
-rw-r--r--   2 root  wheel   887 Mar 15 20:15 .cshrc
-rw-r--r--   1 root  wheel   405 Mar 15 20:15 .profile
lrwxr-xr-x   1 root  wheel    13 Mar 15 20:15 .rnd -> /var/tmp/.rnd
drwxr-xr-x   2 root  wheel    47 Mar 15 20:15 bin
drwxr-xr-x  10 root  wheel    59 May 26 21:18 boot
drwxr-xr-x   3 root  wheel     3 Dec  7  2017 compat
drwxr-xr-x   3 root  wheel     3 Dec  7  2017 conf
-r--r--r--   1 root  wheel  6142 Mar 15 20:15 COPYRIGHT
drwxr-xr-x   7 www   www      13 Jun 23 12:03 data
dr-xr-xr-x  23 root  wheel   512 May 26 22:01 dev
-rw-------   1 root  wheel  4096 May 26 22:02 entropy
drwxr-xr-x  31 root  wheel  8128 May 27 10:53 etc
drwxr-xr-x   4 root  wheel     4 Feb  2  2018 home
drwxr-xr-x   4 root  wheel    56 Mar 15 20:15 lib
drwxr-xr-x   3 root  wheel     4 Mar 15 20:15 libexec
drwxr-xr-x   2 root  wheel     2 Mar 15 20:17 media
drwxr-xr-x   4 root  wheel   192 May 26 22:02 mnt
drwxr-xr-x   2 root  wheel     2 Mar 15 20:17 net
drwxr-xr-x   3 root  wheel    11 Feb 10  2018 nonexistent
dr-xr-xr-x   2 root  wheel     2 Mar 15 20:17 proc
drwxr-xr-x   2 root  wheel   145 Mar 15 20:15 rescue
drwxr-xr-x  12 root  wheel    33 Jun 23 11:50 root
drwxr-xr-x   2 root  wheel   132 Mar 15 20:15 sbin
lrwxr-xr-x   1 root  wheel     8 Mar 15 20:15 tmp -> /var/tmp
drwxr-xr-x  14 root  wheel    14 Mar 15 20:17 usr
drwxr-xr-x  27 root  wheel  1728 May 26 22:03 var
 

nekopep

Dabbler
Joined
Oct 18, 2017
Messages
10
I solved the issue by commenting out pam_winbind.so in /etc/pam.d/sshd.

Not sure how I ended up having such settings enabled...


root@freenas-master:~ # vi /etc/pam.d/sshd
#
# $FreeBSD: head/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#



# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient /usr/local/lib/pam_winbind.so silent try_first_pass krb5_auth krb5_ccache_type=FILE
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
#account sufficient /usr/local/lib/pam_winbind.so krb5_auth krb5_ccache_type=FILE
account required pam_unix.so

# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
session required /usr/local/lib/pam_mkhomedir.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
#password sufficient /usr/local/lib/pam_winbind.so try_first_pass krb5_auth krb5_ccache_type=FILE
password required pam_unix.so no_warn try_first_pass
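Added example (not part of nekopep's posts): a POSIX shell audit that reports which PAM module types in a pam.d/sshd file still have pam_winbind enabled, plus a sed that applies the same fix as the post above. The sample PAM file is constructed to mirror the "before" state, and the function names are my own.

```shell
#!/bin/sh
# Audit a PAM service file (e.g. /etc/pam.d/sshd) for pam_winbind lines that are still
# active, and apply the fix from the post above (comment them out).
# Constructed sample: the "before" state with winbind enabled for auth and account.
SAMPLE_PAM_SSHD='# PAM configuration for the "sshd" service (constructed sample)
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_winbind.so silent try_first_pass krb5_auth krb5_ccache_type=FILE
auth required pam_unix.so no_warn try_first_pass
account required pam_nologin.so
account required pam_login_access.so
account sufficient /usr/local/lib/pam_winbind.so krb5_auth krb5_ccache_type=FILE
account required pam_unix.so
session required pam_permit.so
#password sufficient /usr/local/lib/pam_winbind.so try_first_pass krb5_auth krb5_ccache_type=FILE
password required pam_unix.so no_warn try_first_pass'

# Print the module types (auth, account, ...) whose pam_winbind entry is NOT commented out.
# Reads the PAM file on stdin; prints nothing when winbind is fully disabled.
winbind_active_types() {
  awk '/^[^#]*pam_winbind\.so/ { print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Exit 0 if AD users could still get through sshd's PAM stack via winbind, 1 otherwise.
sshd_allows_ad_users() {
  [ -n "$(winbind_active_types)" ]
}

# Emit the file with every active pam_winbind line commented out (stdin -> stdout).
disable_winbind_in_pam() {
  sed '/^[^#]*pam_winbind\.so/s/^/#/'
}

# Demonstration on the constructed sample (on a real box: winbind_active_types < /etc/pam.d/sshd).
printf '%s\n' "$SAMPLE_PAM_SSHD" | sshd_allows_ad_users \
  && echo "winbind active in: $(printf '%s\n' "$SAMPLE_PAM_SSHD" | winbind_active_types)"
FIXED=$(printf '%s\n' "$SAMPLE_PAM_SSHD" | disable_winbind_in_pam)
printf '%s\n' "$FIXED" | sshd_allows_ad_users || echo "after fix: winbind disabled for sshd"
```

Review the rewritten output before copying it over the real file, and restart sshd afterwards so the new PAM stack is picked up.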