
SSH, SFTP Not following user's home directory

Open TomGood75 opened this issue 8 years ago • 15 comments

Good afternoon,

  • I'm new to using OpenSSH, so possibly this is user error, but it seems ssh/sftp are not following the home directory of the Windows user. From what I've found, ChrootDirectory is not applicable in Win32, and the user home must be used. I created a local user of 'test2', set the home directory (in user config) to \test2home, and restarted SSHD.

If I connect to server through ssh or sftp (using user/pass), the default/home directory is c:\users\test2.

  • within SSH echo %HOME% returns c:\Users\test2, and echo %HOMEPATH% returns \Users\test2

If I log into the server locally and open a cmd prompt, the default directory/home directory is c:\test2home.

  • within local Windows cmd window echo %HOME% returns %HOME% and echo %HOMEPATH% returns \test2home.
  • So it seems to me Windows is correctly handling the home path which was set, but Win32-OpenSSH is not. Due to needing to lock a remote user's access down to a single 'empty' folder for sftp only for file exchanges, I need to use a 'nonstandard' home folder.
  • This is being used on Win Server 2008 R2.
  • Any pointers if I'm doing something wrong, or correcting the issue would be great!

Thanks, ~Tim

TomGood75, Mar 10 '16 16:03

Is there any progress or update on this? Having this same issue in Server 2012.

epsilon-MrWalters, Apr 01 '16 22:04

Same problem here, Windows Server 2012. A fix would be really appreciated.

dwings, Apr 19 '16 08:04

Is there any way to get this more attention?

epsilon-MrWalters, Apr 19 '16 16:04

It's been a while. Is a fix for this forthcoming?

nathannoble, Sep 06 '16 14:09

I tried to update the user's home directory in User Properties under ADUC as follows:

  1. Updated it to use the computer's C:\TestingFolder, but the folder is still the server's C:\Users[username] after SFTP login.

  2. Updated it to use a network share as Z: with \FTPServer\FTPHome%username%. After clicking the Apply button, a new folder was created with the username as its name, but the folder is still the server's C:\Users[username] after SFTP login.

mvpkenlin, Mar 02 '17 03:03

I have the same problem. I also tried to use mklink to create a junction to link user's home directory (C:\Users[username]) to a different location (c:\sftproot[username] for example). For some reason it worked the first time when I connect, but subsequent tries landed me in C:\Windows\ for some reason...

kirahome-eng1, Mar 02 '17 04:03

Coming up on two years old, any progress? Does anyone have a work-around that works?

dkorsmo, Jan 10 '18 02:01

Home directory of the user is pulled from registry:

Location: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\--USERSID--
Key: ProfileImagePath

Can you please add details on how exactly home directory is being configured for a local user?

manojampalam, Jan 25 '18 01:01

manojampalam - The Key: ProfileImagePath does not appear to correspond to setting a local user's home folder in user properties (Profile tab, Home folder section, Local Path). The method to set a home folder in Windows is documented below; I am uncertain how that relates to ProfileImagePath.

MS Documentation: https://support.microsoft.com/en-us/help/816313/how-to-assign-a-home-folder-to-a-user

or as I scripted it:

NET USER %myuser% %mypasswd% /ADD /comment:"created: %timestamp%" /homedir:F:\FTPRoot\LocalUser%myuser% /passwordchg:no /fullname:%myfullname%

johnny-co, Jan 30 '18 22:01

OK, thanks. While I figure out how to programmatically retrieve "HOMEPATH", I'm contemplating whether we should rely on it.

Currently, we store the user's ssh configuration under the user's profile, on the assumption that it would be deleted once the user account is gone (note that it will contain sensitive information like the user's keys). Getting "homepath" on board will lead to confusion down the line: should ".ssh" be stored under the user's profile directory or "homepath"? What should "~" resolve to? What about the user's other libraries (pictures, videos...) that are found under the profile directory (by default)?

Thoughts?

manojampalam, Jan 31 '18 18:01

I would model it exactly how FTP(S) User Isolation is configured now (via IIS); admins familiar with FTP can apply the same mental logic to ssh configuration. If the user ssh configuration (keys) is stored under the user profile's SID registry, that makes sense. I think tying it to a profile path (default or otherwise) may not be the best direction. SSH users aren't signing into the Windows desktop, which is when the profile dirs (pictures, videos, etc.) are created, the first time a user signs into the desktop. SSH users are nothing more than remote FTP users looking to transfer files. I checked my current FTP(S) users; there are no profile directories created (they only FTP via winscp or filezilla). A simpler (I think) method would be to add a couple of SSH params:

SSH_User_Isolation=Yes/No
SSH_User_Physical_Dir=F:\FTPRoot

so a user 'JOHN' would be restricted to F:\FTPRoot\JOHN\

Or don't reinvent something that has been solved in a similar manner with cygwin; use that as a model to define your user isolation too. I think it's defined in the etc\passwd file, which is their user configuration file. This too would help with understanding by using similar configs.

johnny-co, Feb 01 '18 16:02

Will take a look at how FTP in IIS works.

I want to point out that we would like to be as close as possible to how OpenSSH works on Unix. OpenSSH currently ends up creating the user's profile if the user has logged on for the first time (via ssh). We ought to have a default user directory because that's what OpenSSH core code assumes and relies on. And we prefer this to be something that automatically gets cleaned up when the user account is deleted.

manojampalam, Feb 02 '18 19:02

Makes sense, I don't have a Unix background. Keep after it, I think a good implementation of user isolation is a crucial piece of Win32-SSH. Thanks for your hard work.

johnny-co, Feb 05 '18 15:02

Hi,

Shall I understand that the registry key mentioned, "ProfileImagePath", is used only by OpenSSH and we can set it up to point to a different directory?

ranoano, May 07 '19 05:05

Not sure if this is the right place to mention, but it is inherently risky to use the %userprofile% for anything since there are long-running Windows 10 bugs about it creating "temporary user profiles" and using them indefinitely or at weird inexplicable times. (I can't even find explanations on the internet about when and why it makes temporary user profiles.)

This terrible workaround probably only works for a single user scenario:

AuthorizedKeysFile	c:\Users\username\.ssh\authorized_keys
# too risky    AuthorizedKeysFile	.ssh\authorized_keys

In my case Windows created a c:\Users\TEMP.hostname and started using it persistently.

cdeadspine, Oct 31 '19 18:10
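
Added example (not part of the thread and not Win32-OpenSSH project code): a PowerShell check that puts the two values discussed above side by side for one account, the ProfileImagePath that sshd uses as home and the home folder set in user properties or with NET USER /homedir, and shows where a relative AuthorizedKeysFile of .ssh\authorized_keys would resolve. The function name Get-SshHomeReport and the "TEMP" leaf-name test (based on the c:\Users\TEMP.hostname report above) are assumptions of this example, and the WinNT lookup only covers local accounts.

```powershell
# Added example: compare the directory sshd treats as "home" (ProfileImagePath)
# with the account's configured home folder. Get-SshHomeReport is a hypothetical name.
function Get-SshHomeReport {
    param([Parameter(Mandatory)][string]$UserName)

    # Resolve the account to its SID; the ProfileList subkey is named after the SID.
    try {
        $account = New-Object System.Security.Principal.NTAccount($UserName)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        throw "Cannot resolve account '$UserName' to a SID: $_"
    }

    # Registry location named in the thread (it lives under HKLM). The key is
    # absent until a profile has been created for the account.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    $profilePath = $null
    if (Test-Path -LiteralPath $key) {
        $profilePath = (Get-ItemProperty -LiteralPath $key -Name ProfileImagePath `
                        -ErrorAction SilentlyContinue).ProfileImagePath
    }

    # Home folder from user properties / NET USER /homedir (local accounts only).
    $homeDir = $null
    try {
        $homeDir = [string]([ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user").HomeDirectory
    } catch { }

    # Heuristic (assumption): a temporary profile shows up as TEMP or TEMP.<name>.
    $looksTemp = $false
    $keysPath  = $null
    if ($profilePath) {
        $looksTemp = (Split-Path $profilePath -Leaf) -match '^TEMP(\.|$)'
        $keysPath  = Join-Path $profilePath '.ssh\authorized_keys'
    }

    [pscustomobject]@{
        UserName             = $UserName
        Sid                  = $sid
        ProfileImagePath     = $profilePath   # what ssh/sftp sessions land in
        HomeDirectory        = $homeDir       # what the local logon reports as HOMEPATH
        HomeMatchesProfile   = ($homeDir -and $profilePath -and
                                ($homeDir.TrimEnd('\') -ieq $profilePath.TrimEnd('\')))
        LooksTemporary       = $looksTemp
        AuthorizedKeysPath   = $keysPath      # where a relative AuthorizedKeysFile resolves
        AuthorizedKeysExists = [bool]($keysPath -and (Test-Path -LiteralPath $keysPath))
    }
}

# Report for the account running the script; pass any other account name instead.
Get-SshHomeReport -UserName $env:USERNAME
```

A row with HomeMatchesProfile false reproduces the mismatch reported in this issue; LooksTemporary true with AuthorizedKeysExists false matches the temporary-profile case, where key authentication would be looking in a directory that holds no keys.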