Date: Wed, 19 May 2004 22:30:25 -0500 From: Dan Rue <drue@therub.org> To: Remko Lodder <remko@elvandar.org> Cc: "David E. Meier" <dev@eth0.ch> Subject: Re: [Freebsd-security] Re: Multi-User Security Message-ID: <20040520033024.GA26640@therub.org> In-Reply-To: <OPEPILILPLAKPFCNKOKAGEGHCBAA.remko@elvandar.org> References: <20040518160517.GA10067@therub.org> <OPEPILILPLAKPFCNKOKAGEGHCBAA.remko@elvandar.org>
next in thread | previous in thread | raw e-mail | index | archive | help
*Cough *Cough, On Tue, May 18, 2004 at 06:08:52PM +0200, Remko Lodder wrote: > Ahem, > > D> You generally would like to avoid giving people shell (ssh) access if > D> you can avoid it. If you must give shell access, it is best to set up a > D> jail. > > D> However, if you're just doing backup/file access - shell access isn't > D> necessary. You can do ftps, (ports/ftp/bsdftpd-ssl), and easily use > D> that to chroot users. You can do sftp (without ssh shell access), but > D> that's trickier to set up. > > real tricky :-> scponly-3.8_1|/usr/ports/shells/scponly|/usr/local|A tiny > shell that only permits scp and > sftp|/usr/ports/shells/scponly/pkg-descr|rushani@FreeBSD.org|shells|||http:/ > /www.sublimation.org/scponly/ > But not that hard.... ;-) You obviously havn't tried to chroot scponly users.. _that's_ the tricky part. Especially if you want it to scale up beyond a handful of users. If i'm wrong - fill me in i'd love to hear how to do it. Dan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040520033024.GA26640>