SSH SFTP-Only Configuration & JailedShell?
- I have shell enabled for all my packages.
- I use cPanel jailshell by default (Tweak Settings) for all my users.
- I use the sshd_config file to further control SSH settings.
There are lines in the sshd_config file (that apply globally), and I wanted to ask you if this is cPanel's code, and what it actually does:
Subsystem sftp /usr/libexec/openssh/sftp-server
ForceCommand if [[ -z "${SSH_ORIGINAL_COMMAND}" ]]; then exec /bin/bash -l; else logger -p local6.notice -t bash -i "$(printf "${SSHD_USER}:[${USER}]:[${PWD}]: ${SSH_ORIGINAL_COMMAND}")"; /bin/bash -c "${SSH_ORIGINAL_COMMAND}";fi
I know that the first line sets the SFTP server, but here the actual server is an external script. I would want to use the internal-sftp if possible, since it's built in and lighter, but I think the other line prevents it from functioning. I want to force SFTP globally on the server by adding:
Subsystem sftp internal-sftp
ForceCommand internal-sftp
I also want to keep the desired type of shell set in cPanel, which is JailedShell. Does this line of code have something to do with that?
-
Hey there! I can confirm this is cPanel specific code, which helps to ensure users stay within their jailed environment and logs all SSH commands to syslog for additional security auditing. I'm not sure we've ever had someone test with removing that, so I can't say for sure what may happen.
-
Is there at least a way to combine the one ForceCommand from cP and another one, like this:
ForceCommand internal-sftp
ForceCommand if [[ -z "${SSH_ORIGINAL_COMMAND}" ]]; then exec /bin/bash -l; else logger -p local6.notice -t bash -i "$(printf "${SSHD_USER}:[${USER}]:[${PWD}]: ${SSH_ORIGINAL_COMMAND}")"; /bin/bash -c "${SSH_ORIGINAL_COMMAND}";fi
The thing is, if we want to keep the cP ForceCommand used for logging, we can't have another one; only one ForceCommand is allowed. And it is a huge loss for configuring other things, just to be able to get proper logging.
-
You also said this code helps maintain the users' jailed environment. How come? I thought cP used VirtFS for creating it, not the SSH configuration.
-
While it does use VirtFS, that touches several areas.
I'm not entirely sure what you're trying to do or change with these settings. Is there a specific goal in mind or did you just want to know if that was something cPanel added?
-
95% of people don't use the shell (Terminal, TTY, Forwarding, Tunnel) at all, but 100% of them use SFTP. So I make my server SFTP-only by default, and allow shell for clients on request:
Subsystem sftp internal-sftp
# Special clients' shell
Match User root,client1,!client2
# Shell allowing code
# Force SFTP globally except for special clients
Match User *,!root,!client1,!client2
ForceCommand internal-sftp
This was your default setup:
Subsystem sftp /usr/libexec/openssh/sftp-server
ForceCommand if [[ -z "${SSH_ORIGINAL_COMMAND}" ]]; then exec /bin/bash -l; else logger -p local6.notice -t bash -i "$(printf "${SSHD_USER}:[${USER}]:[${PWD}]: ${SSH_ORIGINAL_COMMAND}")"; /bin/bash -c "${SSH_ORIGINAL_COMMAND}";fi
Your code uses an external script for the SFTP server and logs everything to the syslog facility local6.notice, even though I don't know what else it does.
My code works fine and uses the internal, built-in SFTP server, which is lighter. I'm just asking how to preserve the benefits of your code as well.
Can you please run my code with the staff, just to make sure I'm not wrecking something?
-
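An added example, not cPanel's code and not posted by anyone in this thread, of how the two goals can coexist. sshd applies the global ForceCommand to every user no Match block covers, and a ForceCommand inside a Match block overrides the global one, so the logging wrapper can stay global for shell users while everybody else gets internal-sftp. Two details matter. First, when a client requests the sftp subsystem under a ForceCommand, sshd places the command from the Subsystem line into SSH_ORIGINAL_COMMAND; cPanel's one-liner then runs that string with bash -c, which works for /usr/libexec/openssh/sftp-server but cannot work for internal-sftp, which is not a program on disk. That is why the external sftp-server and the logging one-liner go together. Second, the one-liner passes the client's command as the printf format string, so a command containing % or backslash sequences alters the logged text; the wrapper below passes it as a printf argument instead. The install path /usr/local/bin/ssh-cmd-logger, the user names root and client1, and the SSHD_USER fallback are assumptions.

```shell
#!/bin/sh
# ssh-cmd-logger: hypothetical ForceCommand wrapper (added example, not cPanel's code).
# Assumed install path: /usr/local/bin/ssh-cmd-logger, mode 0755, owned by root.
#
# Matching sshd_config (assumed user names; the Match block has to come last,
# because every line after "Match" belongs to it):
#
#   Subsystem sftp /usr/libexec/openssh/sftp-server
#   ForceCommand /usr/local/bin/ssh-cmd-logger
#   Match User *,!root,!client1
#       ForceCommand internal-sftp
#       PermitTTY no
#       AllowTcpForwarding no
#       X11Forwarding no
#
# Global settings apply to root and client1 (the shell users); the Match block
# overrides ForceCommand for everyone else, so no second global ForceCommand
# is needed.

# Out-of-process SFTP server. Must be the binary named on the Subsystem line,
# because sshd hands exactly that string to the wrapper in SSH_ORIGINAL_COMMAND.
SFTP_SERVER=/usr/libexec/openssh/sftp-server

# Same field layout as cPanel's one-liner, so existing local6 filters keep matching:
#   <sshd_user>:[<user>]:[<cwd>]: <command>
# The command is a printf argument, never the format, so "%n" or "\n" inside it
# cannot rewrite the log line.
format_log_line() {
    printf '%s:[%s]:[%s]: %s' "$1" "$2" "$3" "$4"
}

# Classify the client's request. Prints one word so the dispatch can be tested
# without exec'ing anything:
#   shell   - empty SSH_ORIGINAL_COMMAND: interactive login shell
#   sftp    - sshd substituted the Subsystem command (an sftp subsystem request)
#   command - anything else: a remote command, including scp and rsync
classify_request() {
    case "$1" in
        "")                              echo shell ;;
        "$SFTP_SERVER"*|internal-sftp*)  echo sftp ;;
        *)                               echo command ;;
    esac
}

# SSHD_USER is taken from the original one-liner; it is assumed to be set by
# cPanel's login environment and falls back to USER when absent.
log_request() {
    logger -p local6.notice -t bash -i -- \
        "$(format_log_line "${SSHD_USER:-$USER}" "$USER" "$PWD" "$1")"
}

run_request() {
    cmd=${SSH_ORIGINAL_COMMAND:-}
    case "$(classify_request "$cmd")" in
        shell)
            log_request '<login shell>'
            exec /bin/bash -l ;;
        sftp)
            # internal-sftp exists only inside sshd; a wrapper cannot start it.
            # Fall back to the external server; where the in-process server is
            # wanted, use "ForceCommand internal-sftp" in a Match block instead.
            case "$cmd" in internal-sftp*) cmd=$SFTP_SERVER ;; esac
            log_request "$cmd"
            exec /bin/sh -c "$cmd" ;;
        command)
            log_request "$cmd"
            exec /bin/bash -c "$cmd" ;;
    esac
}

# Only dispatch when sshd invokes the script under its installed name, so the
# functions above can be sourced or tested without starting a shell.
case "$0" in
    */ssh-cmd-logger) run_request ;;
esac
```

Before restarting sshd, print the effective setting for a sample user with `sshd -T -C user=client2 | grep -i forcecommand` (and again for a shell user) to confirm which ForceCommand each one gets, and then try an SFTP login as a shell user, since a mismatch between the Subsystem line and the wrapper breaks exactly that case.
-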
Nope, you're golden - if you're using the internal sFTP server you're good to go!
-
Oh, that's great to hear! :D