
SFTP - Windows Server 2016 install of Cygwin OpenSSH with User Restricted to Home Directory

Published on 6 Sep 2015

Link to Cygwin Install Notes - https://goo.gl/mnbYB7

Updated to include better user-restriction instructions that lock each user into their home directory over SFTP.


Updated video on how to install an SFTP server on Windows Server using Cygwin OpenSSH (Windows Server 2003, 2008, 2008R2, 2012, 2014, 2016).

STEP #0 = Install Cygwin and the OpenSSH files
1) Install the files as shown in this video
2) Note: always run every terminal as Administrator when following the instructions below


STEP #1 = Create Windows users, a group and user directories
1) For example, create the Windows users sftpuser01, sftpuser02, sftpuser03
2) For example, create the Windows group sftp_group
3) Place the users in sftp_group
4) In Windows create the folder C:\SFTP_ROOT
5) Create a folder for each user; in my case these are
a) C:\SFTP_ROOT\sftpuser01
b) C:\SFTP_ROOT\sftpuser02
c) C:\SFTP_ROOT\sftpuser03

STEP #2 = Open the Cygwin terminal shell and install SSH
1) In the Cygwin Terminal Shell type
export CYGWIN='ntsec tty'
chmod 0755 /var
ssh-host-config

Answers to the questions when prompted for from ssh-host-config
===================================================================
a) Should StrictModes be used? no (sshd then skips its ownership and permission checks on users' home directories and ~/.ssh files; the ChrootDirectory checks in STEP #7 are enforced regardless)
b) Should privilege separation be used? yes
c) New local account 'sshd'? yes
d) do you want to install sshd as a service? yes
e) Enter the value of CYGWIN daemon? sshd
f) do you want to use a different name? no
g) Create a new privileged user account 'cyg_server'? yes

STEP #3 = Create the passwd and group files
1) Create the password file and the group file; in the Cygwin terminal type
mkgroup > /etc/group
# for local users
mkpasswd -cl > /etc/passwd
# for domain users instead
# mkpasswd -d > /etc/passwd
chmod +rw /etc/group
chmod +rw /etc/passwd

STEP #4 = Edit the FSTAB File system table
1) Some FSTAB Entries for Your Reference
http://cygwin.com/cygwin-ug-net/using...

2) Use these entries
C:/cygwin64 / ntfs override,binary,noacl 0 0
C:/SFTP_ROOT /home ntfs override,binary,noacl 0 0
C:/cygwin64/bin /usr/bin ntfs override,binary,noacl 0 0
C:/cygwin64/lib /usr/lib ntfs override,binary,noacl 0 0
C:/cygwin64/etc/terminfo /usr/share/terminfo ntfs override,binary,noacl 0 0


STEP #5 = Change the nsswitch.conf file
1) This restricts logins to the users listed in the passwd file. With the default "files db", Cygwin also resolves accounts directly from Windows (local SAM and Active Directory), so any such user could log in as well.

If you want login access to be controlled solely by the passwd file and not by Active Directory,
edit /etc/nsswitch.conf
/etc/nsswitch.conf
# Defaults:
# passwd: files db
# group: files db
# db_enum: cache builtin
# db_home: /home/%U
# db_shell: /bin/bash

passwd: files
group: files


STEP #6 = Now start the service
1) Start the service
net stop sshd
net start sshd
netstat -a
netstat -a should show port 22 in the LISTENING state once sshd is up.

2) Make sure to change the Windows Firewall to allow inbound TCP port 22 (scope the rule to the networks that need SFTP access where you can)

STEP #7 = Restrict users to their home directory
0) Make /etc/sshd_config editable from the Cygwin terminal
chmod 777 /etc/sshd_config
Note that this makes the file world-writable, so any local account could add its own sshd directives; once the edits below are done, set it back to a restrictive mode (owner read/write, everyone else read-only, i.e. 0644) before restarting sshd.

1) Restrict users to their home directory: edit /etc/sshd_config as below
a) comment out the existing subsystem line
#Subsystem sftp /usr/sbin/sftp-server
b) paste the new subsystem line and the Match block below it
Subsystem sftp internal-sftp

Match Group sftp_group
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Keep the Match block at the end of the file (or followed only by other Match blocks): every directive after a Match line applies only to that match.

2) Edit /etc/passwd and give the "cyg_server" account (the one sshd runs as) the root uid 0, i.e. set the third field of its line to 0 and leave the rest of the line unchanged
cyg_server:*:0
This is necessary for restricting the user to their own home directory: sshd only chroots into a path whose every component is owned by uid 0 and is not writable by group or others, and Cygwin has no real root account, so this makes directories owned by cyg_server pass that check.

3) Append these lines to /etc/fstab; they hide the /cygdrive and /dev folders from users once they are chrooted to their home directory
/dev /null none bind
none / cygdrive user 0 0

4) In the Cygwin terminal make cyg_server the owner of /home and remove group/world write; both are required for the chroot to work
chown cyg_server /home
chmod 0755 /home
The same rule applies to each user's chroot target (/home/sftpuser01 and so on): it must be owned by cyg_server and must not be writable by the user. A user therefore cannot create files directly in their chroot root; give them a writable subfolder inside it if they need to upload.

5) Restart the service so the new configuration takes effect
net stop sshd
net start sshd
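To verify the ownership and permission rule sshd enforces on a ChrootDirectory path before restarting the service, here is an added example shell function; it is not from the video or the linked install notes. sshd_config(5) states that all components of the ChrootDirectory pathname must be root-owned directories that are not writable by any other user or group. The function walks from the chroot target up to a given top directory and reports each component. The name check_chroot_path and its arguments are my own; the expected owner uid is a parameter so you can pass the uid you gave cyg_server (0 on this page) or, when trying it on a scratch tree, your own uid. It assumes GNU ls -ldn output (as shipped with Cygwin), where field 1 is the mode string and field 3 is the numeric owner uid.

```shell
#!/bin/sh
# Added example, not from the video: check a ChrootDirectory path the way sshd does.
# sshd refuses to chroot unless every directory from the top of the tree down to
# the chroot target is owned by root (uid 0 on a normal system; the uid given to
# cyg_server on Cygwin) and is not writable by group or others.
#
# Usage: check_chroot_path <top> <chroot_dir> [root_uid]
#   top        highest directory to check, normally /
#   chroot_dir the ChrootDirectory target, e.g. /home/sftpuser01
#   root_uid   expected owner uid (default 0)
# Prints one line per component; returns 0 if all pass, 1 otherwise.
check_chroot_path() {
    top=$1
    cur=$2
    root_uid=${3:-0}
    status=0
    while :; do
        if [ ! -d "$cur" ]; then
            echo "BAD  $cur: not a directory"
            status=1
        else
            # GNU `ls -ldn` prints e.g. "drwxr-xr-x 2 0 0 4096 Jan 1 00:00 /home";
            # field 1 is the mode string, field 3 the numeric owner uid.
            set -- $(ls -ldn "$cur")
            mode=$1
            owner=$3
            problem=""
            [ "$owner" = "$root_uid" ] || problem="owner uid $owner, expected $root_uid"
            # 6th character of the mode is the group write bit, 9th the world write bit.
            case "$mode" in
                ?????w*) problem="${problem:+$problem; }group-writable" ;;
            esac
            case "$mode" in
                ????????w*) problem="${problem:+$problem; }world-writable" ;;
            esac
            if [ -n "$problem" ]; then
                echo "BAD  $cur ($mode uid=$owner): $problem"
                status=1
            else
                echo "OK   $cur ($mode uid=$owner)"
            fi
        fi
        # Stop once the top of the tree has been checked.
        [ "$cur" = "$top" ] && break
        next=$(dirname "$cur")
        # Reached the filesystem root without passing through $top: give up.
        [ "$next" = "$cur" ] && break
        cur=$next
    done
    return $status
}

# Example run on the layout from this page (output depends on your tree):
# check_chroot_path / /home/sftpuser01 0
```

On the server, run it after STEP #7 as check_chroot_path / /home/sftpuser01 0 and fix any BAD line before restarting sshd. Two further checks from sshd itself are worth doing at the same point: /usr/sbin/sshd -t validates the configuration syntax, and /usr/sbin/sshd -T -C user=sftpuser01,host=localhost,addr=127.0.0.1 prints the effective settings for that user, where chrootdirectory and forcecommand should show the values from the Match block.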
