Date: Wed, 11 Apr 2007 15:12:46 -0300 (BRT)
From: "Thiago Esteves de Oliveira" <thiago@lamce.coppe.ufrj.edu.br>
To: "Derek Ragona" <derek@computinginnovations.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Chroot/jail mechanism in ssh and sftp connections
Message-ID: <55712.146.164.92.1.1176315166.squirrel@www.lamce.coppe.ufrj.br>
Thanks, I think this is the solution for the sftp connections using the jail/chroot mechanism.

Derek Ragona wrote:
> At 11:20 AM 4/11/2007, Thiago Esteves de Oliveira wrote:
>> Thanks for the suggestion. I intend to study this possible solution,
>> but to save time I'd like to ask you some questions.
>>
>> With this software, can I control which accounts "from the unix passwd
>> file" will be able to log in?
>
> Yes, just set the shell to a non-login shell for users you don't want to
> give shell access. Typically I set those users' shell to:
> /usr/bin/false
>
>> If there is a symbolic link in the home directory (jail/chroot) that points
>> to anywhere out of it, will the users be able to use this symlink? Will they
>> go out from their jail/chroot directory this way?
>
> You can actually specify what ftp commands are allowed in the vsftpd.conf file.
> In one server I manage I have set:
> cmds_allowed=PASV,RETR,QUIT,USER,PASS,STOR,CDDN,CWD,LIST,GET,PUT,DIR,PWD,SYST,LS,TYPE,DELE,FEAT,PBSZ,PROT
>
> But you'd probably want to remove any symlinks that shouldn't be there.
>
>> Derek Ragona wrote:
>>> At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
>>>> Hello,
>>>>
>>>> I want to use the chroot/jail mechanism in users' ssh and sftp
>>>> connections. I've read some tutorials and possible solutions to jail/chroot
>>>> the users into their own home directories. One is to install
>>>> openssh-portable (with the chroot option turned on) from the ports
>>>> collection. I've installed openssh-portable, but the jail/chroot mechanism
>>>> didn't work. I think it requires some configuration in its sshd_config
>>>> file, but I'm not sure because I have found nothing about jail/chroot in
>>>> the openssh (sshd_config) man pages.
>>>
>>> I have implemented a similar setup using vsftpd from the ports. It works
>>> well for secure ftp when used with the filezilla client. You can limit the
>>> ftp commands in the vsftpd configuration file so users cannot get out of
>>> their home directories, which chroots them there. You do need to add one
>>> thing to the accounts, which is to change their home directory in
>>> /etc/passwd, adding an additional dot. For instance, if a user's home
>>> directory is:
>>> /home/user
>>>
>>> You'd need to change it to:
>>> /home/./user
>>>
>>> vsftpd is well documented and relatively easy to get set up and running.
>>>
>>> -Derek
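The thread leaves two things to check by hand: whether each account's home field really carries the `/./` chroot marker, and whether any symlink inside the chroot resolves to a path outside it. The following POSIX sh script is an added example, not from the thread or from vsftpd; it assumes `readlink -f` is available and uses constructed passwd entries (alice and bob) as sample input.

```sh
#!/bin/sh
# Added example, not from the thread: audit vsftpd-style chroot accounts.
# Assumes readlink -f (present on FreeBSD and in GNU coreutils).
# Print the chroot root for a passwd entry whose home field carries the
# vsftpd "/./" marker (e.g. /home/./user -> /home). Returns 1 when the
# marker is absent, i.e. the account would not be confined.
chroot_root_of() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    case "$home" in
        */./*) printf '%s\n' "${home%%/./*}" ;;
        *)     return 1 ;;
    esac
}
# Report each account in a passwd-format string as chrooted or not;
# returns 1 if any entry lacks the marker.
audit_passwd() {
    bad=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if root=$(chroot_root_of "$entry"); then
            printf '%s chroot=%s\n' "${entry%%:*}" "$root"
        else
            printf '%s NOT-CHROOTED\n' "${entry%%:*}"; bad=1
        fi
    done <<EOF
$1
EOF
    return $bad
}

# List symlinks under ROOT whose resolved target lies outside ROOT (the
# case asked about in the thread). Returns 0 if none escape, else 1.
escaping_symlinks() {
    root=$(readlink -f "$1") || return 1
    out=$(find "$root" -type l -exec sh -c '
        root=$1; shift
        for link; do
            target=$(readlink -f "$link" 2>/dev/null) || target="(dangling)"
            case "$target" in
                "$root"|"$root"/*) ;;
                *) printf "%s -> %s\n" "$link" "$target" ;;
            esac
        done' sh "$root" {} +)
    [ -z "$out" ] && return 0
    printf 'ESCAPES:\n%s\n' "$out"
    return 1
}
# Constructed sample entries (not from any real system).
SAMPLE_PASSWD='alice:*:1001:1001:Alice:/home/./alice:/usr/bin/false
bob:*:1002:1002:Bob:/home/bob:/usr/bin/false'
```

Run `audit_passwd "$(cat /etc/passwd)"` and `escaping_symlinks /home` on the server to see which accounts are confined and which links would lead out of the chroot; dangling links are reported too, since they deserve a look.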