Date:      Wed, 11 Apr 2007 11:37:00 -0500
From:      Derek Ragona <derek@computinginnovations.com>
To:        "Thiago Esteves de Oliveira" <thiago@lamce.coppe.ufrj.edu.br>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Chroot/jail mechanism in ssh and sftp connections
Message-ID:  <6.0.0.22.2.20070411112944.0257b920@mail.computinginnovations.com>
In-Reply-To: <56870.146.164.92.1.1176308436.squirrel@www.lamce.coppe.ufrj.br>
References:  <63726.146.164.92.1.1176218908.squirrel@www.lamce.coppe.ufrj.br> <6.0.0.22.2.20070410105843.02537e38@mail.computinginnovations.com> <56870.146.164.92.1.1176308436.squirrel@www.lamce.coppe.ufrj.br>

At 11:20 AM 4/11/2007, Thiago Esteves de Oliveira wrote:
>Thanks for the suggestion. I intend to study about this possible solution 
>but to save time I'd
>like to ask you some questions.
>
>With this software, can I control which accounts "from the unix passwd 
>file" will be able to log in?

Yes, just set the shell to a non-login shell for users you don't want to 
give shell access.  Typically I set those users' shell to:
/usr/bin/false


>If there is a symbolic link in the home directory(jail/chroot) that point 
>to anywhere out of it,
>will the users be able to use this symlink? Will they go out from their 
>jail/chroot directory this
>way?

You can actually specify what ftp commands are allowed in the vsftpd.conf file.
On one server I manage I have set:
cmds_allowed=PASV,RETR,QUIT,USER,PASS,STOR,CDDN,CWD,LIST,GET,PUT,DIR,PWD,SYST,LS,TYPE,DELE,FEAT,PBSZ,PROT

But you'd probably want to remove any symlinks that shouldn't be there.


>Derek Ragona wrote:
> > At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
> >>Hello,
> >>I want to use the chroot/jail mechanism in user's ssh and sftp
> >>connections. I've read some tutorials and possible solutions to
> >>jail/chroot the users into their own home directories. One is
> >>to install the openssh-portable(with chroot option turned on) from the
> >>ports collection. I've installed the openssh-portable, but the
> >>jail/chroot mechanism didn't work. I think it requires some
> >>configuration in its sshd_config file, but I'm not sure because I
> >>have found nothing about jail/chroot in the openssh(sshd_config) man pages.
> >
> > I have implemented a similar setup using vsftpd from the ports.  It
> > works well for secure ftp when used with the filezilla client.  You can
> > limit the ftp command in the vsftpd configuration file so users cannot
> > get out of their home directories, which chroots them there.  You do
> > need to add one thing to the accounts, which is to change their home
> > directory in /etc/passwd adding an additional dot.  For instance if a
> > users home directory is:
> > /home/user
> >
> > You'd need to change it to:
> > /home/./user
> >
> > vsftpd is well documented and relatively easy to get setup and running.
> >
> >          -Derek
> >

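Added example (not part of the thread, and not vsftpd's own tooling): a small audit script for the two account-side rules Derek describes, the non-login shell for accounts that must not get ssh access and the `/./` marker in the passwd home directory, plus a finder for symlinks under a jailed home that resolve outside it. It assumes `/usr/bin/false`, `/sbin/nologin` and `/usr/sbin/nologin` are the non-login shells, and the passwd lines it reads are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample passwd lines (not from any real system).
sample_passwd() {
    printf '%s\n' \
        '# comment line is skipped' \
        'alice:*:1001:1001:Alice:/home/alice:/bin/sh' \
        'bob:*:1002:1002:Bob:/home/./bob:/usr/bin/false' \
        'carol:*:1003:1003:Carol:/home/carol:/usr/bin/false'
}

# Classify each account in a passwd-format file (or stdin) as:
#   shell    - real login shell, so the account can get ssh access
#   chrooted - non-login shell and home carries the "/./" chroot marker
#   unmarked - non-login shell but no "/./" marker in the home path
audit_passwd() {
    awk -F: '
        $1 ~ /^#/ || NF < 7 { next }
        {
            home = $6; shell = $7
            nologin = (shell == "/usr/bin/false" || \
                       shell == "/sbin/nologin"  || \
                       shell == "/usr/sbin/nologin")
            if (!nologin)              cls = "shell"
            else if (home ~ /\/\.\//)  cls = "chrooted"
            else                       cls = "unmarked"
            print $1 ":" cls
        }' "$@"
}

# Print every symlink below a jail root whose target resolves outside it,
# one "link -> target" per line. Dangling links are skipped.
escaping_symlinks() {
    root=$(cd "$1" && pwd -P) || return 1
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || continue
        case "$target" in
            "$root"|"$root"/*) ;;                       # stays inside the jail
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}
```

Run it against a copy of /etc/passwd to see which accounts still have a login shell or lack the marker, and against each jailed home before enabling the server.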