From owner-freebsd-questions@FreeBSD.ORG Sun Dec 27 17:16:56 2009
Date: Sun, 27 Dec 2009 17:16:47 +0000
From: krad
To: Marwan Sultan
Cc: FreeBSD Questions
Subject: Re: chroot SSH users.

2009/12/27 Marwan Sultan

> Hello people,
>
> I'm on FreeBSD 7.2-R P5
>
> It's easy to chroot ftp users - adding users to /etc/ftpchroot - makes the job easy.
>
> How about if I want to chroot the SSH users (not ftp)
> any easy way? no need for jail installation or anything like this..
>
> I saw sshd_config file and it has a chrootdirectory but not sure how to use it..
>
> Anyone? any tips? any easy way?
>
> Thank you
>
> -Marwan

fairly easy if you read the man page 8)

I wrote this howto for sun boxes at work but it was using openssh so same rules should apply. Make sure chroot support was compiled in though

1. Don't bother with sun ssh it won't work. Opensolaris and later solaris 10 are bundled with openssh though.

2. Make sure openssh version is 5 or above (some 4s do work but 5 better)

3. Add these lines to sshd config

    Match Group sftponly
    ChrootDirectory /home/chroot/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

4. Make sure the Subsystem line is this

    Subsystem sftp internal-sftp

5. create the sftponly group on the system

6. put the relevant users in this group. be careful as you will stop them being able to ssh in!!

7. Dead important this bit !!!

    mkdir -p /home/chroot//home//.ssh
    chown -R root /home/chroot/
    chown -R /home/chroot/
    chmod -R 755 /home/chroot/ /home/chroot//home/
    ln -s /home/chroot//home/ /home/.

8. Put their ssh keys in /home/chroot//home//.ssh

All should now work

If not check /etc/shadow the account might be locked, this just caught me out :)
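
The ownership commands in step 7 matter because sshd checks at session start that every component of the ChrootDirectory path is a root-owned directory not writable by group or other (sshd_config(5)), and refuses the chroot otherwise. The shell check below is an added example, not part of the original message: the function names and the optional UID and TOP arguments are assumptions of this example, and `alice` is a constructed user name.

```sh
#!/bin/sh
# Added example: audit a ChrootDirectory path against sshd's ownership rule.
# Function names and the optional UID/TOP arguments are assumptions of this
# example; on a real host call it with the path only (owner uid 0, top /).

# check_dir DIR UID: succeed only if DIR is a directory owned by UID that is
# not writable by group or other. Parses `ls -ldn` so it works on BSD and GNU.
check_dir() {
    dir=$1; want_uid=$2
    info=$(ls -ldn -- "$dir" 2>/dev/null) || { echo "MISSING  $dir"; return 1; }
    mode=${info%% *}                                  # e.g. drwxr-xr-x
    uid=$(printf '%s\n' "$info" | awk '{print $3}')   # numeric owner
    case $mode in
        d*) ;;
        *)  echo "NOTDIR   $dir"; return 1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER    $dir (uid $uid, want $want_uid)"; return 1
    fi
    case $mode in
        d????w*|d???????w*) echo "WRITABLE $dir ($mode)"; return 1 ;;
    esac
    return 0
}

# check_chroot_path PATH [UID] [TOP]: run check_dir on PATH and each parent
# directory up to TOP, reporting every failing component.
check_chroot_path() {
    p=$(cd "$1" 2>/dev/null && pwd -P) || { echo "MISSING  $1"; return 1; }
    owner=${2:-0}; top=${3:-/}; rc=0
    while :; do
        check_dir "$p" "$owner" || rc=1
        if [ "$p" = "$top" ] || [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return $rc
}

# Usage: sh check_chroot.sh /home/chroot/alice   (alice is a constructed name)
if [ $# -gt 0 ]; then check_chroot_path "$@"; fi
```

With the layout from step 3, this walks `/home/chroot/alice`, `/home/chroot`, `/home` and `/`, printing one line per component that sshd would reject.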