Date: Wed, 17 Jul 2002 01:24:09 +0100
From: Daniel Bye
To: freebsd-questions@freebsd.org
Subject: Re: SSH
Message-ID: <20020717002409.GA23069@catflap.home.slightlystrange.org>
Reply-To: dan@slightlystrange.org
References: <20020716233948.1762.qmail@linuxmail.org> <20020716235125.GA22090@catflap.home.slightlystrange.org>
In-Reply-To: <20020716235125.GA22090@catflap.home.slightlystrange.org>

On Wed, Jul 17, 2002 at 12:51:25AM +0100, Daniel Bye wrote:
> On Wed, Jul 17, 2002 at 07:39:48AM +0800, Rafter Man wrote:
> > Hi again :-)
> >
> > How do you chroot people logging in via ssh? or sftp?
>
> The easiest solution I've found for this is to give your restricted
> users rbash as a login shell.  (This applies to interactive ssh
> connections, I don't know about sftp - I don't use it).
>
> rbash probably won't exist on your system yet.  If bash is installed
> (it's in ports, naturally ;-), make a link called rbash to the bash
> executable:
>
>   # ln /usr/local/bin/bash /usr/local/bin/rbash
>
> Add /usr/local/bin/rbash to your /etc/shells, and make it the default
> shell for your restricted users.

Oops...  I should probably also point out that rbash doesn't actually
call chroot.  It does, however, impose severe restrictions on what your
users can do.  Check out the section "RESTRICTED SHELL" in man bash for
more details.

I guess if it is essential your users are chroot'ed, this isn't for you,
but, as they say, your mileage may vary...

Dan

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC
                                                                     _
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \
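
The restrictions the message refers to under "RESTRICTED SHELL" in man bash can be checked directly. The script below is an added example, not part of the original message; the function names and the RBASH variable are hypothetical, and `bash -r` stands in for bash started through an rbash link.

```shell
#!/bin/sh
# Added example: confirm that a restricted bash refuses the operations
# listed under "RESTRICTED SHELL" in bash(1).
# Assumption: RBASH names the shell under test; the default "bash -r"
# behaves like bash started through an rbash link.

probe() {
    # $1 is a snippet that a restricted shell must refuse.
    # Returns 0 when the shell refused it (non-zero exit), 1 when it ran.
    # ${RBASH:-bash -r} is unquoted on purpose so it splits into words.
    if ${RBASH:-bash -r} -c "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

check_restricted() {
    # Prints one line per restriction that is NOT enforced.
    # Returns 0 only if every probe was refused.
    scratch=$(mktemp -d) || return 2
    failures=0
    # Changing directory with cd
    probe 'cd /' || { echo "cd is allowed"; failures=$((failures + 1)); }
    # Changing PATH (readonly in a restricted shell)
    probe 'PATH=/bin:/usr/bin' || { echo "PATH can be changed"; failures=$((failures + 1)); }
    # Command names containing a slash
    probe '/bin/sh -c :' || { echo "commands with / are allowed"; failures=$((failures + 1)); }
    # Output redirection
    probe "echo x > '$scratch/out'" || { echo "output redirection is allowed"; failures=$((failures + 1)); }
    # Replacing the shell with exec
    probe 'exec true' || { echo "exec is allowed"; failures=$((failures + 1)); }
    rm -rf "$scratch"
    [ "$failures" -eq 0 ]
}

check_restricted && echo "all probed restrictions are enforced"
```

Set RBASH=/usr/local/bin/rbash to run the same probes against the link created in the message. The probes cover only the shell's own restrictions; as the message says, none of this is a chroot.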