jdmayfield's questions

Hopefully not a dup, but can't find an answer to this one... I found this, which on the surface seems to be the same, but is very old and the only answer in it does not answer the actual question: Set Users as chrooted for sftp, but allow user to login in SSH

I have successfully setup a working ChrootDirectory environment via sftp for users in group 'sftp_users'. It works well, all the proper perms and such, restricting access to only sftp, and they can rw in their subdirectory(s) inside the ChrootDirectory. This is great for non-privelaged users, disallowing ssh access and only allowing rw inside their subfolder(s) within the ChrootDirectory.

I would like to have slightly more privelaged users who are still able to use ssh normally, however when logging in via sftp will then have the ChrootDirectory environment. This is less of a security issue, as they are considered privelaged and obvi can surf around the file-system in ssh within their normal user permissions. Problem is, I am not seeing a way to Chroot them when they login under sftp without preventing ssh login. This is more for standardization and convienience than anything else, so when they sftp they just arrive at their Chrooted location like the sftp-only users.

I thought this would work if I left their shell as the default (not /bin/false or nologin). Unfortunately, when they are in the sftp_only group, it will not allow them to ssh in at all, only sftp. Is there a workaround for this, other than having two separate accounts-- one added to 'sftp_users' and one not in that group? So far, all I can find is documentation on restricting the sftp Chroot and simultaneously disallowing ssh if they are in that group.

Example user is 'test'. 'test' is in the sftp_users group, and can therefore login via sftp and be Chrooted to his specified folder ('/sftp/test') and read or write to his home folder bind-mounted at '/sftp/test/home'. This all works. But even if his shell is still set in /etc/passwd to /bin/bash, 'test' cannot login via ssh if added to the sftp_users group. Remove membership in that group and he can do both, but then not Chrooted under sftp.

Users not in the group 'sftp_users' can still login via ssh or sftp, but are not Chrooted under sftp.

Is there a way to Match which protocol is used, and/or maybe set an additional Match for a different group? I'm only looking for the chroot when they login via sftp. The non-chroot via ssh is fine for these users.

Following is my sshd_config:

Port XXXX
#ListenAddress ::
#ListenAddress 0.0.0.0

Protocol 2

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

SyslogFacility AUTH
LogLevel INFO

LoginGraceTime 120
PermitRootLogin no
StrictModes yes

PubkeyAuthentication yes

IgnoreRhosts yes
HostbasedAuthentication no

PermitEmptyPasswords no

ChallengeResponseAuthentication no

X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes

ClientAliveCountMax 10
ClientAliveInterval 3600
TCPKeepAlive no

#Banner /etc/issue.net

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server -u 0027

UsePAM yes
PasswordAuthentication yes



Match Group sftp_users
  ChrootDirectory /sftp/%u
  ForceCommand internal-sftp -u 0027
  X11Forwarding no
  AllowTcpForwarding no
  PasswordAuthentication yes

In reference to the recently publicized Exim vulnerability CVE-2019-10149, I am running supposedly patched Exim v. 4.90_1 (built June 4th, 2019) on Ubuntu 18.04.2 LTS.

Although it is supposedly patched, according to Canonical, I'm getting a lot of exploit attempt that are ending up as Frozen messages.

This is somewhat worrysome.

Is there a way to reject messages for recipients starting with a '$'?

And how could I test to be sure these exploits aren't working?

I can't seem to get Prayer Webmail to run an https port. I'm running Exim4+Dovecot on Ubuntu 16.04.2.

It works fine on the unsecure http port-- except that it's unsecure (I'm using port 8888 for http, and port 8843 for https).

The port is open in the firewall. If I set up a socket on on 8843 I can connect to it, testing the firewall.

I've tried several different ports, so it's not that.

On running, I get no obvious errors. I followed all the docs I can find, and it looks correct to me in the config file, but it will only open the http port. If I disable the http port in prayer.cf it won't run as it says there or no ports configured to open.

It is able to load the .key and .crt files just fine (it will close with error if I change something so it can't).

Anybody know how to get it to run on https?

Here's my prayer.cf config:

prefix      = "/usr/share/prayer"
var_prefix  = "/var/run/prayer"

prayer_user           = "prayer"
prayer_group          = "nogroup"

prayer_background     = TRUE

file_perms            = 0640

directory_perms       = 0750





imapd_user_map      = ""

imapd_server        = localhost/notls

prefs_folder_name   = ".prayer"



accountd_user_map   = ""



accountd_timeout    = 2m


sieved_timeout      = 9m

sieve_maxsize       = 32k









hostname         = "example.com"

use_http_port    8888
use_https_port   8843

#ssl_default_port = 8843



fatal_dump_core = FALSE
log_debug  =  TRUE

fix_client_ipaddr = FALSE




limit_vm = 150m
recips_max_msg     = 250
recips_max_session = 1000
sending_allow_dir = "${var_prefix}/sending/allow"
sending_block_dir = "${var_prefix}/sending/block"



http_max_method_size = 32k
http_max_hdr_size    = 64k

http_max_body_size   = 15m

http_min_servers     = 4
http_max_servers     = 16
http_max_connections = 20

http_cookie_use_port = FALSE

http_timeout_idle    = 10s
http_timeout_icons   = 60s
http_timeout_session = 5m
icon_expire_timeout  = 7d





ssl_cert_file       = "/etc/prayer/server.crt"
ssl_privatekey_file = "/etc/prayer/server.key"

ssl_rsakey_lifespan = 15m
ssl_rsakey_freshen  = 15m

ssl_cipher_list = "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!EXP"

ssl_server_preference = T




session_idle_time       = 10m
session_timeout         = 30m
session_timeout_compose = 2h

stream_checkpoint       = T
stream_ping_interval    = 20m
stream_misc_timeout = 15m 

log_ping_interval  = 10m
db_ping_interval   = 30m

login_template      = "login"
login_banner        = "WebMAIL"
login_service_name  = "example.com"

list_addr_maxlen    = 30
list_subject_maxlen = 30
change_max_folders  = 20

use_ispell_language  british   "British English"
use_ispell_language  american  "American English"

draft_att_single_max = 10M
draft_att_total_max  = 10M

fix_from_address = FALSE

spam_purge_name = "spam_purge"
spam_purge_prefix = "# Spam Purge Timeout:"
spam_purge_timeout = 60


sendmail_path       = /usr/lib/sendmail


ispell_path         = /usr/bin/ispell





ssl_encouraged      = FALSE
ssl_redirect        = FALSE
ssl_required        = FALSE

icon_dir            = "$prefix/icons"
static_dir          = "$prefix/static"
bin_dir             = "/usr/sbin"
log_dir             = "/var/log/prayer"
lock_dir            = "$var_prefix"
socket_dir          = "$var_prefix/sockets"
socket_split_dir    = TRUE
init_socket_name    = init
ssl_session_dir     = "$var_prefix/ssl_scache"
tmp_dir             = "$var_prefix/tmp"
pid_dir             = "$var_prefix"




template_path = "/etc/prayer/templates"
template_set  = "old"
template_use_compiled = TRUE

template old  "Traditional"
template cam  "Cambridge House Style"


theme blue description           "Web Safe Blue"
theme blue fgcolor               "#000000"       # Black
theme blue fgcolor_link          "#0000ff"       # Dark    Blue
theme blue bgcolor               "#ccffff"       # Light   Blue 
theme blue bgcolor_banner        "#66ffff"       # Darkish Blue
theme blue bgcolor_row1          "#ccffff"       # Light   Blue
theme blue bgcolor_row2          "#99ffff"       # Middle  Blue
theme blue bgcolor_status        "#ffffcc"       # Yellow
theme blue bgcolor_status_none   "#ccffcc"       # Green
theme blue fgcolor_quote1        "#800000"       # Brick Red
theme blue fgcolor_quote2        "#008000"       # Green
theme blue fgcolor_quote3        "#000080"       # Blue
theme blue fgcolor_quote4        "#ff0000"       # Orange

theme green description          "Web Safe Green"
theme green fgcolor              "#000000"       # Black
theme green fgcolor_link         "#0000ff"       # Dark    Blue
theme green bgcolor              "#ccffcc"       # Light   Green
theme green bgcolor_banner       "#99ff99"       # Middle  Green
theme green bgcolor_row1         "#ccffcc"       # Light   Green
theme green bgcolor_row2         "#99ff99"       # Middle  Green
theme green bgcolor_status       "#ffffcc"       # Yellow
theme green bgcolor_status_none  "#ccffff"       # Light   Blue
theme green fgcolor_quote1       "#800000"       # Brick Red
theme green fgcolor_quote2       "#008000"       # Green
theme green fgcolor_quote3       "#000080"       # Blue
theme green fgcolor_quote4       "#ff0000"       # Orange

theme yellow description         "Web Safe Yellow"
theme yellow fgcolor             "#000000"       # Black
theme yellow fgcolor_link        "#0000ff"       # Dark   Blue
theme yellow bgcolor             "#ffffcc"       # Light  Yellow
theme yellow bgcolor_banner      "#ffff66"       # Middle Yellow
theme yellow bgcolor_row1        "#ffffcc"       # Light  Yellow
theme yellow bgcolor_row2        "#ffff66"       # Middle Yellow
theme yellow bgcolor_status      "#ccffff"       # Light  Blue
theme yellow bgcolor_status_none "#ccffcc"       # Green
theme yellow fgcolor_quote1      "#800000"       # Brick Red
theme yellow fgcolor_quote2      "#008000"       # Green
theme yellow fgcolor_quote3      "#000080"       # Blue
theme yellow fgcolor_quote4      "#ff0000"       # Orange

theme gray description          "Shades of Gray" # NB: Not Web safe!
theme gray fgcolor              "#000000"        # Black
theme gray fgcolor_link         "#0000ff"        # Dark   Blue
theme gray bgcolor              "#eeeeee"        # Light  gray
theme gray bgcolor_banner       "#cccccc"        # Dark   gray
theme gray bgcolor_row1         "#eeeeee"        # Light  gray
theme gray bgcolor_row2         "#dddddd"        # Middle gray
theme gray bgcolor_status       "#ffffcc"        # Yellow
theme gray bgcolor_status_none  "#ccffcc"        # Green
theme gray fgcolor_quote1        "#800000"       # Brick Red
theme gray fgcolor_quote2        "#008000"       # Green
theme gray fgcolor_quote3        "#000080"       # Blue
theme gray fgcolor_quote4        "#ff0000"       # Orange

theme high description          "High Constrast" # Yuck!
theme high fgcolor              "#000000"        # Black
theme high fgcolor_link         "#0000ff"        # Dark  Blue
theme high bgcolor              "#ffffff"        # Very, very white
theme high bgcolor_banner       "#cccccc"        # Dark gray
theme high bgcolor_row1         "#ffffff"        # Very, very white
theme high bgcolor_row2         "#cccccc"        # Dark gray
theme high bgcolor_status       "#ffffcc"        # Yellow
theme high bgcolor_status_none  "#ccffcc"        # Green
theme high fgcolor_quote1        "#800000"       # Brick Red
theme high fgcolor_quote2        "#008000"       # Green
theme high fgcolor_quote3        "#000080"       # Blue
theme high fgcolor_quote4        "#ff0000"       # Orange

theme help description          "Default Help Text theme"
theme help fgcolor              "#000000"        # Black
theme help fgcolor_link         "#0000ff"        # Dark Blue
theme help bgcolor              "#ffffcc"        # Yellow
theme help bgcolor_banner       "#66ffff"        # Darkish Blue
theme help bgcolor_row1         "#ccffff"        # Light   Blue
theme help bgcolor_row2         "#99ffff"        # Middle  Blue
theme help bgcolor_status       "#ccffff"        # Light   Blue
theme help bgcolor_status_none  "#ccffcc"        # Green
theme help fgcolor_quote1        "#800000"       # Brick Red
theme help fgcolor_quote2        "#008000"       # Green
theme help fgcolor_quote3        "#000080"       # Blue
theme help fgcolor_quote4        "#ff0000"       # Orange

theme_default_main  = gray
theme_default_help  = help



confirm_logout      = TRUE
confirm_expunge     = FALSE
confirm_rm          = TRUE
expunge_on_exit     = FALSE

msgs_per_page       = 10
msgs_per_page_max   = 50
msgs_per_page_min   = 4

abook_per_page      = 10
abook_per_page_max  = 50
abook_per_page_min  = 4

suppress_dotfiles   = TRUE

maildir             = ""

use_namespace       = TRUE

personal_hierarchy  = ""

hiersep             = "/"

dualuse             = FALSE

postponed_folder    = "Drafts"
sent_mail_folder    = "Sent"


ispell_language     = "american"

small_cols          = 80
small_rows          = 14
large_cols          = 80
large_rows          = 24

sort_mode           = ARRIVAL

sort_reverse        = FALSE

abook_sort_mode     = ORDERED

abook_sort_reverse        = FALSE

line_wrap_len       = 76

line_wrap_advanced  = FALSE

line_wrap_on_reply  = TRUE

line_wrap_on_spell  = TRUE

line_wrap_on_send   = TRUE

use_sent_mail       = TRUE

use_mark_persist    = FALSE

use_search_zoom     = TRUE

use_agg_unmark      = TRUE

use_icons           = TRUE

use_tail_banner     = TRUE

use_cookie          = TRUE

use_substitution    = FALSE

use_http_1_1        = TRUE

use_pipelining      = TRUE

use_persist         = TRUE

use_short           = TRUE

use_gzip            = TRUE

html_inline         = TRUE

html_remote_images  = FALSE

html_inline_auto    = TRUE

preserve_mimetype   = TRUE