Date: Sun, 27 Dec 2009 20:40:10 +0000
From: Marwan Sultan <dead_line@hotmail.com>
To: <kraduk@googlemail.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: RE: chroot SSH users.
Message-ID: <SNT103-W11AD877FAAD147F2B90A849A7C0@phx.gbl>
In-Reply-To: <d36406630912270916t765e7dbyec98c5a674263df7@mail.gmail.com>
References: <SNT103-W1707BDD17EFB509D1EB7629A7C0@phx.gbl>, <d36406630912270916t765e7dbyec98c5a674263df7@mail.gmail.com>

Dear Krad,

Thank you for your reply. Regarding your answer, I have a few questions here:

1- In the sshd_config file the default line is:

    Subsystem sftp /usr/libexec/sftp-server

   So should I comment out the line? Or just add your line?

    Subsystem sftp internal-sftp

2- The SSH is the default one that comes with FreeBSD. I of course did not
   compile SSH in the system. Are you asking me to install additional
   packages, or to recompile ssh, when you wrote: "Make sure chroot support
   was compiled in"?

3- SSH users are using passwords, not keygen. Where do I get the keys for
   their login?

Thank you

- Marwan

> > Hello people,
> > I'm on FreeBSD 7.2-R P5
> >
> > It's easy to chroot ftp users - adding users to /etc/ftpchroot makes the
> > job easy.
> >
> > How about if I want to chroot the SSH users (not ftp)
> >
> > any easy way? no need for jail installation or anything like this..
> >
> > I saw the sshd_config file and it has a chrootdirectory but not sure how
> > to use it..
> > Anyone? any tips? any easy way?
> > Thank you
> > -Marwan
>
> fairly easy if you read the man page 8) I wrote this howto for sun boxes at
> work but it was using openssh so same rules should apply. Make sure chroot
> support was compiled in though
>
> 1. Don't bother with sun ssh, it won't work. Opensolaris and later solaris
>    10 are bundled with openssh though.
> 2. Make sure openssh version is 5 or above (some 4s do work but 5 better)
> 3. Add these lines to sshd config
>
>    Match Group sftponly
>        ChrootDirectory /home/chroot/%u
>        X11Forwarding no
>        AllowTcpForwarding no
>        ForceCommand internal-sftp
>
> 4. Make sure the Subsystem line is this
>
>    Subsystem sftp internal-sftp
>
> 5. create the sftponly group on the system
> 6. put the relevant users in this group. be careful as you will stop them
>    being able to ssh in!!
> 7. Dead important this bit !!!
>
>    mkdir -p /home/chroot/<user>/home/<user>/.ssh
>    chown -R root /home/chroot/<user>
>    chown -R <user> /home/chroot/<user>
>    chmod -R 755 /home/chroot/<user> /home/chroot/<user>/home/<user>
>    ln -s /home/chroot/<user>/home/<user> /home/.
>
> 8. Put their ssh keys in /home/chroot/<user>/home/<user>/.ssh
>
> All should now work
>
> If not check /etc/shadow, the account might be locked, this just caught me
> out :)
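
Added example, not part of the original thread: sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others, and sshd refuses the login otherwise. The sketch below audits a path such as /home/chroot/<user> against that rule; the function names and the optional OWNER_UID argument are assumptions of this example, not OpenSSH features.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path before pointing sshd at it.

# check_component DIR [OWNER_UID]
# Returns 0 if DIR is a real directory (not a symlink) owned by OWNER_UID
# (default 0, root) with no group or other write bit set.
# OWNER_UID is overridable only so the check can be exercised without
# root; sshd itself always requires uid 0.
check_component() {
    dir=$1
    owner=${2:-0}
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a plain directory"
        return 1
    fi
    # find prints the path only when every predicate holds.
    hit=$(find "$dir" -prune -type d -user "$owner" \
              ! -perm -020 ! -perm -002 -print 2>/dev/null)
    if [ -n "$hit" ]; then
        echo "ok   $dir"
        return 0
    fi
    echo "FAIL $dir: not owned by uid $owner, or group/other-writable"
    return 1
}

# check_chroot_path PATH [OWNER_UID]
# Checks PATH and every parent up to /, reporting each component.
# Returns 0 if all pass, 1 if any fail, 2 if PATH is not absolute.
check_chroot_path() {
    p=$1
    rc=0
    case $p in
        /*) ;;
        *) echo "FAIL $p: path must be absolute"; return 2 ;;
    esac
    while :; do
        check_component "$p" "${2:-0}" || rc=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Stand-alone use: sh script.sh /home/chroot/alice  (constructed user name)
if [ $# -gt 0 ]; then
    check_chroot_path "$1" || exit 1
fi
```

Run it as root against the directory that %u expands to for each member of the sftponly group; any FAIL line names the component to fix.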