Date: Sun, 27 Dec 2009 17:16:47 +0000
From: krad <kraduk@googlemail.com>
To: Marwan Sultan <dead_line@hotmail.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: chroot SSH users.
Message-ID: <d36406630912270916t765e7dbyec98c5a674263df7@mail.gmail.com>
In-Reply-To: <SNT103-W1707BDD17EFB509D1EB7629A7C0@phx.gbl>
References: <SNT103-W1707BDD17EFB509D1EB7629A7C0@phx.gbl>

2009/12/27 Marwan Sultan <dead_line@hotmail.com>

> Hello people,
>
> I'm on FreeBSD 7.2-R P5
>
> It's easy to chroot ftp users - adding users to /etc/ftpchroot - makes the
> job easy.
>
> How about if I want to chroot the SSH users (not ftp)
> any easy way? no need for jail installation or anything like this..
>
> I saw sshd_config file and it has a chrootdirectory but not sure how to
> use it..
>
> Anyone? any tips? any easy way?
>
> Thank you
>
> -Marwan

fairly easy if you read the man page 8)

I wrote this howto for sun boxes at work but it was using openssh so same
rules should apply. Make sure chroot support was compiled in though

1. Don't bother with sun ssh it won't work. Opensolaris and later solaris 10
   are bundled with openssh though.
2. Make sure openssh version is 5 or above (some 4s do work but 5 better)
3. Add these lines to sshd config

    Match Group sftponly
        ChrootDirectory /home/chroot/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

4. Make sure the Subsystem line is this

    Subsystem sftp internal-sftp

5. create the sftponly group on the system
6. put the relevant users in this group. be careful as you will stop them
   being able to ssh in!!
7. Dead important this bit !!!

    mkdir -p /home/chroot/<user>/home/<user>/.ssh
    # the chroot directory itself must stay owned by root
    chown -R root /home/chroot/<user>
    # only the user's home inside the chroot is handed to the user
    chown -R <user> /home/chroot/<user>/home/<user>
    chmod -R 755 /home/chroot/<user> /home/chroot/<user>/home/<user>
    # same home path inside and outside the chroot
    ln -s /home/chroot/<user>/home/<user> /home/.

8. Put their ssh keys in /home/chroot/<user>/home/<user>/.ssh

All should now work

If not check /etc/shadow the account might be locked, this just caught me out :)
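
An added example, not part of krad's message: a POSIX shell check for the ownership step (7) above, based on the sshd_config(5) rule that every component of the ChrootDirectory path must be a root-owned directory not writable by group or others. The function names, the optional UID argument and the user name "alice" are assumptions of this example.

```shell
#!/bin/sh
# check_component DIR [UID]: succeed only if DIR is a directory owned by UID
# (default 0, root) and not writable by group or others. Symlinks are
# reported as failures, a conservative choice of this example.
check_component() {
    dir=$1 want_uid=${2:-0}
    # "ls -ldn" is POSIX and prints the numeric owner, so the check does not
    # depend on the BSD or GNU stat(1) syntax.
    line=$(ls -ldn -- "$dir" 2>/dev/null) || { echo "missing: $dir"; return 1; }
    read -r mode links uid rest <<EOF
$line
EOF
    case $mode in
        d????w*|d???????w*) echo "group/other writable: $dir ($mode)"; return 1 ;;
        d*) ;;
        *) echo "not a directory: $dir ($mode)"; return 1 ;;
    esac
    [ "$uid" = "$want_uid" ] || { echo "owner uid $uid, want $want_uid: $dir"; return 1; }
    return 0
}

# check_chroot_path DIR [UID]: run check_component on DIR and on every parent
# up to /, because sshd refuses the chroot if any component fails.
check_chroot_path() {
    case $1 in /*) ;; *) echo "need an absolute path: $1"; return 2 ;; esac
    path=$1 status=0
    while [ -n "$path" ]; do
        check_component "$path" "${2:-0}" || status=1
        [ "$path" = / ] && break
        path=$(dirname "$path")
    done
    return "$status"
}

# On the server, as root (constructed user name):
#   check_chroot_path /home/chroot/alice && echo "chroot path OK"
```

Each failing component is printed with its mode or owner, which points at the directory to fix when sshd rejects the chroot.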