CopSSH: restricting users' access

by Vitaly Popovich [Published on 7 Nov. 2006 / Last Updated on 7 Nov. 2006]


If you set up an SSH server as described recently in this blog, you might be interested in how to restrict users' permissions.

The SSH server itself does not manage access rights, so this has to be done with Windows file permission settings.

If you use the FAT file system, you can't set permissions on it. NTFS, by contrast, allows setting detailed permissions for specific users and groups.

Anyway, I've found a tip published in the CopSSH FAQ to be a very useful and simple way to implement a very restricted user environment.

Let me quote it here (taken from the official FAQ item):

Q: How can I limit users' access to their home directories only?

A: I recommend using NTFS permissions for that purpose.

1. Make a local group.


net localgroup CopsshUsers /ADD


2. Deny access to this group at top level.


cacls c:\ /c /e /t /d CopsshUsers


3. Add Copssh user to the group above.


net localgroup CopsshUsers user /add


4. COPSSH user activation can then be used to allow access at home directory level.

Repeat steps 3 and 4 for each user.



Note that cacls c:\ /c /e /t /d CopsshUsers changes permissions on the C:\ drive. If you want to restrict other drives or partitions, you need to run the command again for each of them, e.g. cacls d:\ /c /e /t /d CopsshUsers


I found this FAQ item incomplete: if you run the cacls utility as described on the drive that holds the CopSSH installation, you won't be able to log in. The reason is that the user needs access to the CopSSH install directory.

Here are the steps to do this:

1. Start Windows Explorer.

2. Navigate to the CopSSH folder (e.g. C:\Program Files\CopSSH\).

3. Right-click on empty space, or select all items in the folder, and open the Properties page.

4. Go to the Security tab.

5. Click on the CopsshUsers group and change its permissions. You can remove all Deny permissions and assign Read & Execute, List Folder Contents and Read permissions. You might need to reset permissions on all child objects in the Advanced permissions tab.

6. By the way, do not forget to change the permissions on the user's home folder as well, because otherwise the user won't be able to do anything.
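
A read-only PowerShell check for the state these steps should leave behind, added here as an example (it is not from the CopSSH FAQ or the original post): a Deny entry for CopsshUsers on the drive root, and none left on the CopSSH folder, the home folder or their child objects. The function name Find-GroupDeny and the home folder path are assumptions.

```powershell
# Added example: lists objects where the restricted group still has a Deny entry.
# It only reads ACLs and changes nothing.
function Find-GroupDeny {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [string] $Group = 'CopsshUsers',   # group name used on this page
        [switch] $Recurse
    )
    $items = @(Get-Item -LiteralPath $Path -Force)
    if ($Recurse) {
        $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    }
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }                  # unreadable ACL: skip
        foreach ($ace in $acl.Access) {
            $name = $ace.IdentityReference.Value     # e.g. HOSTNAME\CopsshUsers
            if ($name -ne $Group -and $name -notlike "*\$Group") { continue }
            if ($ace.AccessControlType -ne 'Deny') { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited         # inherited from a parent folder?
            }
        }
    }
}

# Assumed locations; replace them with your own.
$drive   = 'C:\'
$install = 'C:\Program Files\CopSSH'
$homeDir = 'C:\Program Files\CopSSH\home\user'       # hypothetical home folder

# After the FAQ's cacls step the drive root should carry a Deny entry.
if (-not (Find-GroupDeny -Path $drive)) {
    Write-Warning "No Deny entry for the group on $drive"
}

# After steps 5 and 6 nothing under these folders should deny the group.
foreach ($p in $install, $homeDir) {
    $left = @(Find-GroupDeny -Path $p -Recurse)
    if ($left.Count -gt 0) {
        Write-Warning "$($left.Count) object(s) under $p still deny the group:"
        $left | Select-Object -First 10 | ForEach-Object { "  $($_.Path) (inherited: $($_.Inherited))" }
    } else {
        "OK: no Deny entries for the group under $p"
    }
}
```

Run it from an elevated prompt so the ACLs are readable; any paths it lists are the child objects whose permissions still need resetting.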

