From owner-freebsd-questions@FreeBSD.ORG Thu Sep 7 13:37:05 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2254616A500 for ; Thu, 7 Sep 2006 13:37:05 +0000 (UTC) (envelope-from david.robillard@gmail.com) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id 03D5643D97 for ; Thu, 7 Sep 2006 13:35:10 +0000 (GMT) (envelope-from david.robillard@gmail.com) Received: by nf-out-0910.google.com with SMTP id n29so471043nfc for ; Thu, 07 Sep 2006 06:35:09 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:mime-version:content-type:content-transfer-encoding:content-disposition; b=Z72/FeBP3pBv/HCvvH9TVRVG0ywH6PgjePIdXBf0WFiSP847T7QN29K31tCkNy6N+trvvOUDD6ytNJ0yRZ+3fYN6+r2ZqqzXK4bVPu7VdPuRlA1ecAfRQwhCxPnrNWrx7osc6jjeYUimz9za7A9Rr8agY5iQL+/DctWFazkAbBU= Received: by 10.66.252.4 with SMTP id z4mr391056ugh; Thu, 07 Sep 2006 06:35:08 -0700 (PDT) Received: by 10.67.106.17 with HTTP; Thu, 7 Sep 2006 06:35:08 -0700 (PDT) Message-ID: <226ae0c60609070635n7e901beewa21f0757d2ab99ec@mail.gmail.com> Date: Thu, 7 Sep 2006 09:35:08 -0400 From: "David Robillard" To: "Chad Leigh -- Shire.Net LLC" MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Cc: FreeBSD Questions Mailing List Subject: Re: need a restricted shell X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 13:37:05 -0000 > I am looking for a shell that will allow Subversion to be run over > ssh but not allow interactive login or if it allows interactive > login, will only allow Subversion commands to be run... Any ideas > on how to accomplish this? Hi Chad, You could install the shells/scponly port and build it with it's chroot option. (i.e. sudo make -DWITH_SCPONLY_CHROOT install) Don't run the `make clean` just yet, because you will need the "setup_chroot.sh" script which is inside the work/scponly- directory. Use the script to create a chroot directory. Then populate this new chroot directory with the files required by the commands and libraries which you want to give to your users (such as Subversion). Next, use vipw(8) to assign /usr/local/sbin/scponlyc as the shell and the chroot directory for the user(s) which you want to limit only to your Subversion commands. Assign a password to those users then test if you can connect and use the Subversion commands. Basically, this is Hack number 63 on page 269 in the book "BSD Hacks, 100 Industrial-Strength Tips & Tools" by Dru Lavigne published by O'Reilly. (ISBN: 0-596-00679-9). Also, to further restrict access to your machine, configure sshd(8) to allow only a limited subset of users. See AllowUsers and AllowGroups in sshd_config(5) for this. Finally, if you happen to know the origin of the connections, then configure TCP_WRAPPERS via /etc/hosts.allow to limit ssh connections. See hosts_access(5) and section 14.6 of the FreeBSD Handbook for info on how to set this up. Alright, if you have any questions, please be my guest and send them up to me. Cheers! David -- David Robillard UNIX systems administrator & Oracle DBA CISSP, RHCE & Sun Certified Security Administrator Montreal: +1 514 966 0122