Feature Request: Allow SFTP to change user before server launch

It'd be nice if the SFTP browser allowed us to change our user prior to launching the file transfer session. Similar functionality can be observed in WinSCP: https://winscp.net/eng/docs/faq_su.


This could probably be implemented by simply allowing the user to specify the command to be run server-side to start the FTP server.


Stefan,


Somebody already posted about it 11 months ago here actually. I agree with you, Timothy. I still have to open WinSCP separately to do this. Can we implement a way to switch the user like is shown in the attachment?

shell.png
(4.28 KB)

Hi,


I actually contacted the 3rd party vendor to implement the requested feature and I haven't heard back from them yet. For my understanding, can you outline the use case and the workflow in WinSCP which describes how this feature works exactly and what it's supposed to do?


Or asked differently: if we can provide a way to execute a custom command right after the connection has been established, would that be sufficient? Do we need to pass in replacement tokens? Do we need to execute that command on demand or automatically after the session has been established?


Thank you,

Stefan


Hey Stefan,


The basic use case is pretty much the standard for sudo; accessing files/dirs that your account doesn't explicitly have access to.


As for workflow...


Take this with a grain of salt; I don't know exactly how sftp works internally.


What I think is happening is that WinSCP uses an equivalent command to *nix's

sftp [...] -s [user command] [...]

 (sftp man) to specify the subsystem for the server's sshd. I don't think that simply running the command after the session is already established would work, given that the server-side daemon will have already been called. The passing should probably be done automatically once set in a connection's options, rather than prompting the user each time (an ad-hoc option would be nice, in case you for some reason don't want to always connect as root ;) ).


 - Tim

I've now implemented the Custom Command support for SFTP in the beta (will be available in a couple of days - check the release notes). I tested the following command on my qnap NAS:

sudo -s /path-to-sftp-server


I hope you can test this when the next beta is released and provide feedback.


Right on, I'll play with it some once I see the beta.

Hello,


I'm looking forward to trying this in the next release as well. 


I did want to comment though and mention that I tried using the custom commands for SFTP on WinSCP, for example, but I could never get them working to sudo to root. Then again, maybe I just don't have a full understanding of my environment at my work to make this work correctly.


At my work I have always used the WinSCP SCP protocol and changed the shell to "sudo su -". This page talks more about it: https://winscp.net/eng/docs/ui_login_scp#shell This always works on servers I try it on. Any way to implement this shell-like function in the SCP protocol in Royal and have a GUI like SFTP does as well?

SCP GUIs (as seen in WinSCP) are somewhat smoke and mirrors: https://en.m.wikipedia.org/wiki/Secure_copy Enabling SCP in RoyalTS would likely be entirely separate from SFTP functionality. As an aside, you may need to have passwordless sudo permission to the sftp server on the host device. There's some direction for this in the WinSCP documentation if I remember correctly.

I just uploaded the latest beta version with the custom command support:

https://www.royalapplications.com/ts/win/features-beta


Hello all,


I have recently tried it out and I can say it works great as intended. Thank you. I will also say that, regarding my previous post about it not working when I tried it in other programs, I was just doing it incorrectly.


I have some ideas/feedback thus far:


At my work we have different linux OS's where the sftp-server lives.


Example the difference between OEL and Ubuntu


OEL

sudo su -c /usr/libexec/openssh/sftp-server

 

Ubuntu

sudo su -c /usr/lib/openssh/sftp-server


I have to change the custom command for each different OS to make it work. However, looking into how WinSCP does it and other sftp things, on most Linux OSes there lives a file called sshd_config in /etc/ssh/ that tells the system where the default sftp-server is, like so:


# override default of no subsystems

Subsystem sftp /usr/libexec/openssh/sftp-server


This is how the setting "Default" in WinSCP knows where to look for that executable.

From their website in more details:


SFTP Requirements

For SFTP, the only requirement beyond the server requirements above is to run SFTP on the server. It is best to run it as an SSH-2 subsystem. If you select SFTP-only on the Login dialog and the SFTP subsystem is not found, WinSCP will try to find the SFTP server in some common directories (/usr/lib/sftp-server, /usr/local/lib/sftp-server, etc.). This way, it is possible to use SFTP even with SSH-1, which does not support subsystems.

I have tried running something like this in Royal Custom Command:

sudo su -c 'grep sftp-server /etc/ssh/sshd_config | awk "{print $3}"'


But I think I have the syntax wrong anyways, (Any ideas to make it work like I intend?), and Royal doesn't like it. Regardless can we figure out a way to implement something like this along with it? In my use case I would always try to go to root like in my attempt above.


Sorry this got long, but I hope I got the point across.


I'm afraid this is not an area where I can help. I don't have the knowledge to comment on that. All I can do is to expose the setting I get from the 3rd party vendor. My contact at Rebex also mentioned that a custom command could be tricky to set up. I now know what he means ;)


I'm not sure how I can further help here. Maybe somebody else can provide more information on the issue.

No problem I understand. I was able to figure it out.


For an update for anybody that is interested in what I'm trying to do, I got the commands working.


Simple Command: (Mostly works for everything that doesn't have internal-sftp in its /etc/ssh/sshd_config) Tested on: (OEL, Most SLES, RHEL).

client=$(sudo grep sftp-server /etc/ssh/sshd_config | awk '{print $3}'); sudo su -c $client

 

Advanced Command (what I'm using now): (Works for everything included above and everything I've tried so far that does have internal-sftp in its /etc/ssh/sshd_config) Tested on: (Some SLES, AIX, Solaris(Sun))


internalCheck=$(sudo grep Subsystem /etc/ssh/sshd_config | awk '{print $3}'); if [[ $internalCheck = "internal-sftp" ]]; then sudo /usr/lib/ssh/sftp-server||/usr/lib64/ssh/sftp-server; else sudo su -c $internalCheck; fi


If you ever find anything not in /usr/lib/ssh/sftp-server||/usr/lib64/ssh/sftp-server just add another || and add it to that part.


Maybe this will be helpful for anybody else. Thanks again, Stefan, for reaching out to the vendor and enabling this. I now will not have to open WinSCP anymore, as it's all embedded in Royal TS :)
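
A more defensive form of the lookup from the post above, as an added example that is not part of the original thread: it reads the `Subsystem sftp` entry, falls back to candidate paths for `internal-sftp`, and refuses anything that is not an absolute path to an executable file before the value would be handed to sudo. The function names and the demo config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pick the sftp-server binary from sshd_config before sudo runs it.

# Print the command configured on the "Subsystem sftp" line of the file in $1.
# The keyword is matched case-insensitively; commented-out lines never match
# because their first field starts with "#". Only the command itself ($3) is
# returned; any arguments after it (e.g. "-l INFO") are dropped.
subsystem_sftp() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }' "$1"
}

# Resolve the path that would be passed to sudo.
#   $1     sshd_config to read
#   $2...  fallback binaries, tried in order when the config says internal-sftp
#          (internal-sftp is built into sshd, so there is no path to run)
# Returns non-zero instead of guessing when the value is missing, relative,
# or not an executable regular file.
resolve_sftp_server() {
    conf=$1; shift
    cmd=$(subsystem_sftp "$conf") || return 1
    case $cmd in
        internal-sftp)
            for cand in "$@"; do
                if [ -f "$cand" ] && [ -x "$cand" ]; then
                    printf '%s\n' "$cand"; return 0
                fi
            done
            return 1 ;;
        /*)
            if [ -f "$cmd" ] && [ -x "$cmd" ]; then printf '%s\n' "$cmd"; else return 1; fi ;;
        *)
            return 1 ;;
    esac
}

# On a real host (assumes the calling user can read sshd_config):
#   server=$(resolve_sftp_server /etc/ssh/sshd_config \
#       /usr/lib/ssh/sftp-server /usr/lib64/ssh/sftp-server) && exec sudo "$server"

# Demo on a constructed config; /bin/sh stands in for the sftp-server binary.
demo() {
    demo_conf=$(mktemp) || return 1
    printf '# override default of no subsystems\nSubsystem sftp internal-sftp\n' > "$demo_conf"
    resolve_sftp_server "$demo_conf" /nonexistent/sftp-server /bin/sh
    rm -f "$demo_conf"
}
demo
```

Quoting `"$server"` and rejecting relative values keeps a malformed config line from turning into an unexpected command run as root.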




Stefan,


+1 for working. A point of interest; for the OpenSSH SFTP subsystem on Ubuntu, I needed to drop the '-s' flag, and just use

sudo /path/to/subsystem

 as my custom command.

Great to hear the option works for you all and also thanks for sharing your experience. This is very helpful for other users, I'm sure!
