From: Marwan Sultan <dead_line@hotmail.com>
To: freebsd-questions@freebsd.org
Cc: FreeBSD Questions
Date: Sun, 27 Dec 2009 20:40:10 +0000
Subject: RE: chroot SSH users.

Dear Krad,

Thank you for your reply. Regarding your answer, I have a few questions here:

1- In the sshd_config file the default line is:

Subsystem sftp /usr/libexec/sftp-server

So should I comment out the line, or just add your line?

Subsystem sftp internal-sftp

2- The SSH is the default one that comes with FreeBSD; I of course did not compile SSH in the system. Are you asking me to install additional packages, or to recompile ssh, when you wrote: "Make sure chroot support was compiled in"?

3- SSH users are using passwords, not keygen. Where do I get the keys for their login?

Thank you

- Marwan

> > Hello people,
> > I'm on FreeBSD 7.2-R P5
> >
> > It's easy to chroot ftp users - adding users to /etc/ftpchroot makes the job easy.
> >
> > How about if I want to chroot the SSH users (not ftp)?
> > Any easy way? No need for jail installation or anything like this..
> > I saw the sshd_config file and it has a chrootdirectory but not sure how to use it..
> > Anyone? Any tips? Any easy way?
> > Thank you
> > -Marwan
>
> Fairly easy if you read the man page 8) I wrote this howto for sun boxes at work but it was using openssh so the same rules should apply. Make sure chroot support was compiled in though.
>
> 1. Don't bother with sun ssh, it won't work. Opensolaris and later solaris 10 are bundled with openssh though.
> 2. Make sure the openssh version is 5 or above (some 4s do work but 5 is better)
> 3. Add these lines to sshd config
>
> Match Group sftponly
> ChrootDirectory /home/chroot/%u
> X11Forwarding no
> AllowTcpForwarding no
> ForceCommand internal-sftp
>
> 4. Make sure the Subsystem line is this
>
> Subsystem sftp internal-sftp
>
> 5. Create the sftponly group on the system
> 6. Put the relevant users in this group. Be careful as you will stop them being able to ssh in!!
> 7. Dead important this bit !!!
>
> mkdir -p /home/chroot//home//.ssh
> chown -R root /home/chroot/
> chown -R /home/chroot/
> chmod -R 755 /home/chroot/ /home/chroot//home/
> ln -s /home/chroot//home/ /home/.
>
> 8. Put their ssh keys in /home/chroot//home//.ssh
>
> All should now work.
>
> If not, check /etc/shadow, the account might be locked; this just caught me out :)
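An added example, not part of this thread: a small Python audit of the sshd_config changes Krad describes in steps 3 and 4, checking that the Subsystem line uses internal-sftp and that the Match Group sftponly block carries the four settings. The function names and the sample config are mine; the sample reproduces a config where the stock FreeBSD Subsystem line was kept and Krad's block merely added.

```python
import re

def parse_sshd_config(text):
    """Split sshd_config text into (global_opts, [(match_criteria, opts), ...]).
    Keywords are lower-cased; as in sshd, the first occurrence in a section wins."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":                            # lines below belong to the block
            current = {}
            blocks.append((value.lower(), current))
            continue
        (global_opts if current is None else current).setdefault(key, value)
    return global_opts, blocks

def audit_sftp_chroot(text, group="sftponly"):
    """Return a list of problems against the sftp-only chroot recipe (empty = OK)."""
    problems = []
    global_opts, blocks = parse_sshd_config(text)
    # The chroot contains no /usr/libexec/sftp-server binary to exec, so the
    # subsystem has to be the in-process internal-sftp (recipe step 4).
    if global_opts.get("subsystem", "").split()[-1:] != ["internal-sftp"]:
        problems.append("Subsystem sftp should be internal-sftp")
    wanted = {"chrootdirectory": None, "forcecommand": "internal-sftp",
              "x11forwarding": "no", "allowtcpforwarding": "no"}
    block = next((opts for crit, opts in blocks if crit == f"group {group}"), None)
    if block is None:
        return problems + [f"no 'Match Group {group}' block"]
    for key, value in wanted.items():
        have = block.get(key)
        if have is None or (value and have.lower() != value):
            problems.append(f"Match Group {group}: {key} should be {value or 'set'}")
    return problems

# Constructed sample: the stock FreeBSD Subsystem line left in place, with the
# Match block from the thread appended below it.
SAMPLE_CONFIG = """\
Subsystem sftp /usr/libexec/sftp-server
Match Group sftponly
    ChrootDirectory /home/chroot/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
"""
```

Running audit_sftp_chroot(SAMPLE_CONFIG) reports only the Subsystem line; replacing that line with `Subsystem sftp internal-sftp` makes the audit come back clean.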