SSH Custom folder, active directory user

Status
Not open for further replies.

berrick

Explorer
Joined
Mar 19, 2013
Messages
78
Hi

I have a Freenas box that is domain joined. SSH is up and running and I can use WinSCP to SFTP in with AD authentication.

I need to change the directory which is assigned when I log in from /var/home/user to a specific folder, but I have failed so far to accomplish this. I want to use an AD user account for the directory.

Mostly I have attempted to modify /etc/ssh/sshd_config and restart the service after changes.

Many thanks
 

berrick

Explorer
Joined
Mar 19, 2013
Messages
78
Hi dlavigne thanks for the reply.

The location is a folder on a dataset but not owned currently by this user. Am I best creating a dataset specifically for this purpose with this user as the owner? As this is an AD account, will it still work? Can I still make a dataset as all disk space is allocated to the current dataset?

Yes the link provided does help as I hadn't thought about setting the remote directory in WinSCP.

That does work but the user can move freely around the file structure which I'm trying to avoid.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Hi dlavigne thanks for the reply.

The location is a folder on a dataset but not owned currently by this user. Am I best creating a dataset specifically for this purpose with this user as the owner? As this is an AD account, will it still work? Can I still make a dataset as all disk space is allocated to the current dataset?

Yes the link provided does help as I hadn't thought about setting the remote directory in WinSCP.

That does work but the user can move freely around the file structure which I'm trying to avoid.
Avoiding that requires setting up an sftp chroot for the directory.
 

berrick

Explorer
Joined
Mar 19, 2013
Messages
78
Thanks for the reply
Avoiding that requires setting up an sftp chroot for the directory.

I know this but I'm unable to get it to work using AD users. I have never tried to do this before, so I don't even know if what I'm trying to do is possible?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Thanks for the reply

I know this but I'm unable to get it to work using AD users. I have never tried to do this before, so I don't even know if what I'm trying to do is possible?

It should be possible. Try the following in a TESTING environment:
  • Create new dataset "SFTP_Data". Set permissions so that it is owned by root:Domain Admins and has the following permissions: rwxr-xr-x
  • Create new AD group "SFTP_Users"
  • Check the box "Use Default Domain" under Directory Service-> Active Directory.
  • Add the following as an Auxiliary Parameter to your SSH config:
Code:
Match Group SFTP_Users
		X11Forwarding no
		ChrootDirectory /mnt/<your pool>/SFTP_Data
		AllowTcpForwarding no
		ForceCommand internal-sftp


Assuming this works properly, AD users should be restricted to SFTP sessions locked to the SFTP_Data dataset. You can then
(1) have a Domain Admin create user folders and set permissions,
or
(2) write a script/cronjob to perform LDAP queries against your DC to enumerate members of SFTP_Users (the sAMAccountName of the user), then automatically create user folders and set permissions.
 

berrick

Explorer
Joined
Mar 19, 2013
Messages
78
@anodos Thanks for the clarification.
That is what I have been attempting to do. However NOT on a separate dataset but a folder in the existing dataset.

I will create a new dataset but can you answer the following.
  • Can I make a new dataset as all disk space is allocated to the current dataset?
Many thanks
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
@anodos Thanks for the clarification.
That is what I have been attempting to do. However NOT on a separate dataset but a folder in the existing dataset.

I will create a new dataset but can you answer the following.
  • Can I make a new dataset as all disk space is allocated to the current dataset?
Many thanks

What do you mean by "all the space is allocated to the current dataset?"
 

berrick

Explorer
Joined
Mar 19, 2013
Messages
78
OK, I have played some more with this and still haven't managed to get it to work.

After reading some posts on the internet, for my requirements it seems using AD accounts is not the way forward, as I can't find a way to restrict these accounts from SSH access, whereas using Freenas user accounts I can, by setting the shell in the user account properties to scponly.

Even when I try using a Freenas user account I still can't get this working.
As I only need one account to have this access, I originally tried configuring the following by appending it to the end of the sshd_config file in /etc/ssh:

Code:
Match User test1
		X11Forwarding no
		ChrootDirectory /mnt/<your pool>/SFTP_Data
		AllowTcpForwarding no
		ForceCommand internal-sftp

but changed it to

Code:
Match Group test1
		X11Forwarding no
		ChrootDirectory /mnt/<your pool>/SFTP_Data
		AllowTcpForwarding no
		ForceCommand internal-sftp

As most info referred to groups.

After every change to this file I have stopped and started ssh service from the gui.

Leaving the chroot part to one side for now, when the test user logs in they aren't being redirected to the folder specified in the sshd_config. This is where I would appreciate help.

I have read the most likely cause is permissions on folders but I think I have them set correctly?
Freenas volume manager


(Sorry image is attached. When I tried to include a link it just displayed a square with)

Permissions on Vol1 0775, owner is AD domain admin account

Permissions on Recording 0755, owner is root

Permissions on test1 0755, owner is test1
 