An overview of the administration tool KeyHelp from Keyweb AG, and its download, is available at https://www.keyhelp.de

This forum is meant to let interested users exchange ideas about KeyHelp and find help with problems.

Additional SSH/SFTP users

Which features should KeyHelp still get? We are all ears.
Demon
Posts: 18
Joined: Tue 14 Jul 2020, 19:33

Re: Additional SSH/SFTP users

Post by Demon »

Apparently I really am doing something wrong; I tried it again yesterday but still failed at it.
OlliTheDarkness
Posts: 909
Joined: Tue 14 Aug 2018, 16:41
Location: Essen (NRW)

Re: Additional SSH/SFTP users

Post by OlliTheDarkness »

Actually I was done with this topic, but you have to know yourselves what you are doing.
Personally I would wait until it is integrated into the panel.

Note: at your own risk and without any guarantee for anything!

/etc/proftpd/proftpd.conf
After the Anonymous block

Code:

<IfModule mod_sftp.c>
  SFTPEngine on
  SFTPLog /var/log/proftpd/sftp.log
  SFTPAuthMethods password # keyboard-interactive

  SFTPHostKey /etc/proftpd/ssh_host_rsa_key

# SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys 

  SFTPCompression delayed

</IfModule>

Then either create the host key anew or use the one of the SSH server

Code:

cp /etc/ssh/ssh_host_rsa_key /etc/proftpd/ssh_host_rsa_key
Now just restart FTP and be happy.

Side note
If you want to run the server not only with SFTP but also with normal FTP, this should help.

And once more the note ( !!! )
EVERYTHING AT YOUR OWN RISK !!!!
If you break something or get cracked through some security problems = YOUR PROBLEM !

Thanks and Waidmannsheil (info for the mod: https://de.wikipedia.org/wiki/Waidmannsheil - so nothing to mod here 8-) )

The dark Olli it was.
Demon
Posts: 18
Joined: Tue 14 Jul 2020, 19:33

Re: Additional SSH/SFTP users

Post by Demon »

Olli, that wouldn't have been necessary now, but.

Thanks
OlliTheDarkness
Posts: 909
Joined: Tue 14 Aug 2018, 16:41
Location: Essen (NRW)

Re: Additional SSH/SFTP users

Post by OlliTheDarkness »

Demon wrote:
Sat 1 Aug 2020, 18:32
Olli, that wouldn't have been necessary now, but.

Thanks
It's fine, this is going to be an endless topic here soon anyway, so better post an interim solution before there is no peace at all.

Everyone has to know for themselves what they are doing; the main thing is that I am off the hook :idea:
Demon
Posts: 18
Joined: Tue 14 Jul 2020, 19:33

Re: Additional SSH/SFTP users

Post by Demon »

Well, at the latest when Alexander has found his own solution and implemented it in KeyHelp, there will be peace :D

My problem right now is:
If I want normal FTP in addition, SFTP stops working again..
And I followed exactly the link you additionally posted.
OlliTheDarkness
Posts: 909
Joined: Tue 14 Aug 2018, 16:41
Location: Essen (NRW)

Re: Additional SSH/SFTP users

Post by OlliTheDarkness »

Demon wrote:
Sat 1 Aug 2020, 20:19
Well, at the latest when Alexander has found his own solution and implemented it in KeyHelp, there will be peace :D

My problem right now is:
If I want normal FTP in addition, SFTP stops working again..
And I followed exactly the link you additionally posted.
Pure suspicion, but have a look at service proftpd status to see whether something red that can't be overlooked jumps out at you.

Guess: wrong permissions on the key file. (/etc/proftpd/ssh_host_rsa_key must have 0600 permissions, not 700, 744, 755 or even 777, but exactly 600)
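Added example, not code from Olli's post and not part of KeyHelp or ProFTPD: a small POSIX shell check for the permission rule Olli gives above (the SFTPHostKey file must be exactly mode 600). It assumes GNU coreutils `stat` (Linux) and demonstrates on a constructed temporary file, so it runs anywhere; point it at /etc/proftpd/ssh_host_rsa_key on a real server.

```shell
#!/bin/sh
# Added example, not from the thread or from ProFTPD/KeyHelp.
# Verifies that a mod_sftp host key file has exactly mode 0600, the value
# Olli names in the thread (not 700, 744, 755 or 777). Assumes GNU stat.

check_hostkey_mode() {
    key="$1"
    if [ ! -f "$key" ]; then
        echo "missing host key: $key" >&2
        return 2
    fi
    # %a prints the octal permission bits without a file-type prefix, e.g. 600
    mode=$(stat -c '%a' "$key")
    if [ "$mode" = "600" ]; then
        echo "ok: $key has mode $mode"
        return 0
    fi
    echo "bad: $key has mode $mode, expected exactly 600" >&2
    return 1
}

# Demonstration on a constructed temporary file, so the script works without
# touching /etc/proftpd. On a server run: check_hostkey_mode /etc/proftpd/ssh_host_rsa_key
DEMO_KEY=$(mktemp)
chmod 644 "$DEMO_KEY"
check_hostkey_mode "$DEMO_KEY" || echo "   -> fix with: chmod 600 $DEMO_KEY"
chmod 600 "$DEMO_KEY"
check_hostkey_mode "$DEMO_KEY"
rm -f "$DEMO_KEY"
```

The function returns 1 for a wrong mode and 2 for a missing file, so it can be dropped into a cron or deployment check that copies the SSH host key as shown earlier in the thread and then refuses to restart proftpd if the mode is off.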
Demon
Posts: 18
Joined: Tue 14 Jul 2020, 19:33

Re: Additional SSH/SFTP users

Post by Demon »

I'll have a look as soon as I'm back home.

Edit:
I have just checked, permissions are 600.


proftpd.conf:

Code:

#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
#

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6                     on
# If set on you can experience a longer connection delay in many cases.
IdentLookups                off

ServerName                  "server1.domain.de FTP-Server"
ServerType                  standalone
DeferWelcome                off

MultilineRFC2228            on
DefaultServer               on
ShowSymlinks                on

TimeoutNoTransfer           600
TimeoutStalled              600
TimeoutIdle                 1200

DisplayLogin                welcome.msg
DisplayChdir                .message true
ListOptions                 "-l"

DenyFilter                  \*.*/

# Use this to jail all users in their homes
DefaultRoot ~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell         off

# Port 21 is the standard FTP port.
#Port                        21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
PassivePorts                30000 30500

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress         1.2.3.4

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                30

# Set the user and group that the server normally runs at.
User                        proftpd
Group                       nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask                   022  022
# Normally, we want files to be overwriteable.
AllowOverwrite              on
AllowRetrieveRestart        on
AllowStoreRestart           on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd          off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder                 mod_auth_pam.c* mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile               off

TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log

# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on

# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime.  If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#

<VirtualHost 0.0.0.0>
    Port                                    210
    TLSEngine                               on
</VirtualHost>

<VirtualHost 0.0.0.0>
    Port                                    214
    TLSOptions                              UseImplicitSSL
</VirtualHost>

Include /etc/proftpd/tls.conf

#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.con

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
#   User                ftp
#   Group               nogroup
#   # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias           anonymous ftp
#   # Cosmetic changes, all files belongs to ftp user
#   DirFakeUser on ftp
#   DirFakeGroup on ftp
#
#   RequireValidShell   off
#
#   # Limit the maximum number of anonymous logins
#   MaxClients          10
#
#   # We want 'welcome.msg' displayed at login, and '.message' displayed
#   # in each newly chdired directory.
#   DisplayLogin        welcome.msg
#   DisplayChdir        .message
#
#   # Limit WRITE everywhere in the anonymous chroot
#   <Directory *>
#     <Limit WRITE>
#       DenyAll
#     </Limit>
#   </Directory>
#
#   # Uncomment this if you're brave.
#   # <Directory incoming>
#   #   # Umask 022 is a good standard umask to prevent new files and dirs
#   #   # (second parm) from being group and world writable.
#   #   Umask           022  022
#   #            <Limit READ WRITE>
#   #            DenyAll
#   #            </Limit>
#   #            <Limit STOR>
#   #            AllowAll
#   #            </Limit>
#   # </Directory>
#
# </Anonymous>

<IfModule mod_sftp.c>
    <VirtualHost 0.0.0.0>
        Port                                    211
        SFTPEngine                              on
        SFTPLog                                 /var/log/proftpd/sftp.log
        SFTPAuthMethods password # keyboard-interactive
        SFTPHostKey                      /etc/proftpd/ssh_host_rsa_key
#        SFTPAuthorizedUserKeys  file:../etc/ssh/authorized_keys
        SFTPCompression                 delayed
#        MaxLoginAttempts                6
    </VirtualHost>
</IfModule>

# Include other custom configuration files
Include /etc/proftpd/conf.d/

# Limit KeyHelp usergroup
<Limit LOGIN>
    DenyGroup OR keyhelp_noftp keyhelp_suspended
</Limit>
Edit2:
Despite this config, the port does still show up under nmap localhost

sftp.log:

Code:

2020-08-01 21:36:40,133 mod_sftp/1.0.0[785]: sent server version 'SSH-2.0-mod_sftp'
2020-08-01 21:36:40,165 mod_sftp/1.0.0[785]: received client version 'SSH-2.0-WinSCP_release_5.17.7'
2020-08-01 21:36:40,165 mod_sftp/1.0.0[785]: handling connection from SSH2 client 'WinSCP_release_5.17.7'
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]:  + Session key exchange: ecdh-sha2-nistp256
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]:  + Session server hostkey: ssh-rsa
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]:  + Session client-to-server encryption: aes256-ctr
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]:  + Session server-to-client encryption: aes256-ctr
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]:  + Session client-to-server MAC: hmac-sha2-256
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]:  + Session server-to-client MAC: hmac-sha2-256
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]:  + Session client-to-server compression: none
2020-08-01 21:36:40,200 mod_sftp/1.0.0[785]:  + Session server-to-client compression: none
2020-08-01 21:36:40,397 mod_sftp/1.0.0[785]: sending acceptable userauth methods: password
2020-08-01 21:36:40,436 mod_sftp/1.0.0[785]: client sent SSH_MSG_IGNORE message (99 bytes)
2020-08-01 21:36:40,436 mod_sftp/1.0.0[785]: no account for user 'user1_ftp1' found
2020-08-01 21:36:40,436 mod_sftp/1.0.0[785]: sending userauth failure; remaining userauth methods: password
2020-08-01 21:36:42,590 mod_sftp/1.0.0[785]: disconnecting client (received EOF)
Edit3:
I got it working ;)
Even so that the user generally stays in the folder specified for them :D
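Added example, not from Demon's post and not part of ProFTPD or KeyHelp: a shell helper that pulls authentication failures out of a mod_sftp SFTPLog in the format of the sftp.log posted above. The line "no account for user 'user1_ftp1' found" means mod_sftp could not resolve the name to an account at all, which is a different problem from a wrong password; in the thread, the config that worked differs from the failing one mainly by including sql.conf inside the SFTP <VirtualHost>, which fits that symptom. The log lines below are constructed and only copy the format of the original.

```shell
#!/bin/sh
# Added example, not from the thread or from ProFTPD/KeyHelp.
# Summarises authentication failures from a mod_sftp log
# (/var/log/proftpd/sftp.log in the thread). Sample lines are constructed.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2020-08-01 21:36:40,133 mod_sftp/1.0.0[785]: sent server version 'SSH-2.0-mod_sftp'
2020-08-01 21:36:40,165 mod_sftp/1.0.0[785]: received client version 'SSH-2.0-WinSCP_release_5.17.7'
2020-08-01 21:36:40,397 mod_sftp/1.0.0[785]: sending acceptable userauth methods: password
2020-08-01 21:36:40,436 mod_sftp/1.0.0[785]: no account for user 'user1_ftp1' found
2020-08-01 21:36:40,436 mod_sftp/1.0.0[785]: sending userauth failure; remaining userauth methods: password
2020-08-01 21:36:44,101 mod_sftp/1.0.0[785]: no account for user 'user1_ftp1' found
2020-08-01 21:36:44,101 mod_sftp/1.0.0[785]: sending userauth failure; remaining userauth methods: password
2020-08-01 21:37:02,550 mod_sftp/1.0.0[802]: no account for user 'backup' found
2020-08-01 21:37:02,550 mod_sftp/1.0.0[802]: sending userauth failure; remaining userauth methods: password
2020-08-01 21:37:05,000 mod_sftp/1.0.0[802]: disconnecting client (received EOF)
EOF

# User names mod_sftp could not map to an account, one per line, de-duplicated.
# A name that KeyHelp manages showing up here points at the auth backend
# (sql.conf) not being visible to the SFTP <VirtualHost>, not at a bad password.
sftp_no_account_users() {
    sed -n "s/.*no account for user '\([^']*\)' found.*/\1/p" "$1" | sort -u
}

# Number of userauth failures the server sent back (grep -c prints 0 and exits
# non-zero when there are none, hence the || true).
sftp_failure_count() {
    grep -c 'sending userauth failure' "$1" || true
}

# Attempts per unknown user, most frequent first; useful for telling a broken
# config (one or two known names) from guessing against names that do not exist.
sftp_no_account_counts() {
    sed -n "s/.*no account for user '\([^']*\)' found.*/\1/p" "$1" | sort | uniq -c | sort -rn
}

echo "unknown accounts:"
sftp_no_account_users "$SAMPLE_LOG"
echo "userauth failures: $(sftp_failure_count "$SAMPLE_LOG")"
echo "attempts per unknown user:"
sftp_no_account_counts "$SAMPLE_LOG"
```

Replace `$SAMPLE_LOG` with the real SFTPLog path to run it on a server; since SFTPLog is set per <VirtualHost> in the configs above, make sure you read the file the SFTP vhost actually writes to.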
Demon
Posts: 18
Joined: Tue 14 Jul 2020, 19:33

Re: Additional SSH/SFTP users

Post by Demon »

Solution, according to my proftpd.conf:

Code:

#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
#

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6                     on
# If set on you can experience a longer connection delay in many cases.
IdentLookups                off

ServerName                  "server1.domain.de FTP-Server"
ServerType                  standalone
DeferWelcome                off

MultilineRFC2228            on
DefaultServer               on
ShowSymlinks                on

TimeoutNoTransfer           600
TimeoutStalled              600
TimeoutIdle                 1200

DisplayLogin                welcome.msg
DisplayChdir                .message true
ListOptions                 "-l"

DenyFilter                  \*.*/

# Use this to jail all users in their homes
DefaultRoot ~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell         off

# Port 21 is the standard FTP port.
Port                        21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
PassivePorts                30000 30500

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress         1.2.3.4

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                30

# Set the user and group that the server normally runs at.
User                        proftpd
Group                       nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask                   022  022
# Normally, we want files to be overwriteable.
AllowOverwrite              on
AllowRetrieveRestart        on
AllowStoreRestart           on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd          off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder                 mod_auth_pam.c* mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile               off

TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log

# Logging onto /var/log/lastlog is enabled but set to off by default
#UseLastlog on

# In order to keep log file dates consistent after chroot, use timezone info
# from /etc/localtime.  If this is not set, and proftpd is configured to
# chroot (e.g. DefaultRoot or <Anonymous>), it will use the non-daylight
# savings timezone regardless of whether DST is in effect.
#SetEnv TZ :/etc/localtime

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://www.securityfocus.com/bid/11430/discuss
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#

Include /etc/proftpd/tls.conf

#
# Useful to keep VirtualHost/VirtualRoot directives separated
#
#Include /etc/proftpd/virtuals.con

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
#   User                ftp
#   Group               nogroup
#   # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias           anonymous ftp
#   # Cosmetic changes, all files belongs to ftp user
#   DirFakeUser on ftp
#   DirFakeGroup on ftp
#
#   RequireValidShell   off
#
#   # Limit the maximum number of anonymous logins
#   MaxClients          10
#
#   # We want 'welcome.msg' displayed at login, and '.message' displayed
#   # in each newly chdired directory.
#   DisplayLogin        welcome.msg
#   DisplayChdir        .message
#
#   # Limit WRITE everywhere in the anonymous chroot
#   <Directory *>
#     <Limit WRITE>
#       DenyAll
#     </Limit>
#   </Directory>
#
#   # Uncomment this if you're brave.
#   # <Directory incoming>
#   #   # Umask 022 is a good standard umask to prevent new files and dirs
#   #   # (second parm) from being group and world writable.
#   #   Umask           022  022
#   #            <Limit READ WRITE>
#   #            DenyAll
#   #            </Limit>
#   #            <Limit STOR>
#   #            AllowAll
#   #            </Limit>
#   # </Directory>
#
# </Anonymous>

<IfModule mod_sftp.c>
    <VirtualHost 0.0.0.0>
        Port                                    211
        SFTPEngine                              on
        SFTPLog                                 /var/log/proftpd/sftp.log
        SFTPAuthMethods password # keyboard-interactive
        SFTPHostKey                      /etc/proftpd/ssh_host_rsa_key
#        SFTPAuthorizedUserKeys  file:../etc/ssh/authorized_keys
        SFTPCompression                 delayed
        Include /etc/proftpd/sql.conf
        DefaultRoot                     ~
    </VirtualHost>
</IfModule>

# Include other custom configuration files
Include /etc/proftpd/conf.d/

# Limit KeyHelp usergroup
<Limit LOGIN>
    DenyGroup OR keyhelp_noftp keyhelp_suspended
</Limit>
Alexander:
Maybe it can be done roughly like this.
Why "roughly"? Because further adjustments are surely still necessary; at least, with Olli's help, I was able to offer my own solution.

Thanks again for that!