From owner-freebsd-questions@FreeBSD.ORG Wed Apr 11 18:12:48 2007
From: "Thiago Esteves de Oliveira"
To: "Derek Ragona"
Cc: freebsd-questions@freebsd.org
Date: Wed, 11 Apr 2007 15:12:46 -0300 (BRT)
Message-ID: <55712.146.164.92.1.1176315166.squirrel@www.lamce.coppe.ufrj.br>
Subject: Re: Chroot/jail mechanism in ssh and sftp connections

Thanks, I think this is the solution for the sftp connections using the jail/chroot mechanism.

Derek Ragona wrote:
> At 11:20 AM 4/11/2007, Thiago Esteves de Oliveira wrote:
>> Thanks for the suggestion. I intend to study this possible solution, but to save time I'd
>> like to ask you some questions.
>>
>> With this software, can I control which accounts "from the unix passwd file" will be
>> able to log in?
>
> Yes, just set the shell to a non-login shell for users you don't want to give shell
> access. Typically I set those users' shell to:
> /usr/bin/false
>
>> If there is a symbolic link in the home directory (jail/chroot) that points to anywhere
>> out of it, will the users be able to use this symlink? Will they go out from their
>> jail/chroot directory this way?
>
> You can actually specify what ftp commands are allowed in the vsftpd.conf file.
> In one server I manage I have set:
> cmds_allowed=PASV,RETR,QUIT,USER,PASS,STOR,CDDN,CWD,LIST,GET,PUT,DIR,PWD,SYST,LS,TYPE,DELE,FEAT,PBSZ,PROT
>
> But you'd probably want to remove any symlinks that shouldn't be there.
>
>> Derek Ragona wrote:
>> > At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
>> >> Hello,
>> >>
>> >> I want to use the chroot/jail mechanism in users' ssh and sftp connections. I've
>> >> read some tutorials and possible solutions to jail/chroot the users into their own
>> >> home directories. One is to install the openssh-portable (with the chroot option
>> >> turned on) from the ports collection. I've installed the openssh-portable, but the
>> >> jail/chroot mechanism didn't work. I think it requires some configuration in its
>> >> sshd_config file, but I'm not sure, because I have found nothing about jail/chroot
>> >> in the openssh (sshd_config) man pages.
>> >
>> > I have implemented a similar setup using vsftpd from the ports. It works well for
>> > secure ftp when used with the filezilla client. You can limit the ftp commands in
>> > the vsftpd configuration file so users cannot get out of their home directories,
>> > which chroots them there. You do need to add one thing to the accounts, which is to
>> > change their home directory in /etc/passwd, adding an additional dot. For instance,
>> > if a user's home directory is:
>> > /home/user
>> >
>> > You'd need to change it to:
>> > /home/./user
>> >
>> > vsftpd is well documented and relatively easy to get set up and running.
>> >
>> > -Derek