Date: Mon, 28 Dec 2009 10:28:46 +0100
From: Tijl Coosemans <tijl@coosemans.org>
To: freebsd-questions@freebsd.org
Cc: krad <kraduk@googlemail.com>, Marwan Sultan <dead_line@hotmail.com>
Subject: Re: chroot SSH users.
Message-ID: <200912281028.47462.tijl@coosemans.org>
In-Reply-To: <d36406630912270916t765e7dbyec98c5a674263df7@mail.gmail.com>
References: <SNT103-W1707BDD17EFB509D1EB7629A7C0@phx.gbl> <d36406630912270916t765e7dbyec98c5a674263df7@mail.gmail.com>
On Sunday 27 December 2009 18:16:47 krad wrote:
> fairly easy if you read the man page 8) I wrote this howto for sun
> boxes at work but it was using openssh so same rules should apply.
> Make sure chroot support was compiled in though
>
> 1. Don't bother with sun ssh it won't work. Opensolaris and later solaris
> 10 are bundled with openssh though.
> 2. Make sure openssh version is 5 or above (some 4s do work but 5 better)
> 3. Add these lines to sshd config
>
> Match Group sftponly
> ChrootDirectory /home/chroot/%u
> X11Forwarding no
> AllowTcpForwarding no
> ForceCommand internal-sftp
>
> 4. Make sure the Subsystem line is this
>
> Subsystem sftp internal-sftp
>
> 5. create the sftponly group on the system
> 6. put the relevant users in this group. be careful as you will stop them
> being able to ssh in!!
> 7. Dead important this bit !!!
>
> mkdir -p /home/chroot/<user>/home/<user>/.ssh
> chown -R root /home/chroot/<user>
> chown -R <user> /home/chroot/<user>

Shouldn't this line be:
chown -R <user> /home/chroot/<user>/home/<user>

> chmod -R 755 /home/chroot/<user> /home/chroot/<user>/home/<user>
> ln -s /home/chroot/<user>/home/<user> /home/.
>
> 8. Put their ssh keys in /home/chroot/<user>/home/<user>/.ssh
>
> All should now work
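An added example, not part of the original thread: the ownership question raised in the reply matters because sshd checks at session start that every component of the ChrootDirectory path is a root-owned directory that is not writable by group or other. The function below audits a path against that rule; its name and the optional owner-uid and stop-at arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a ChrootDirectory path:
# every directory from the chroot up to / must be owned by root and must
# not be writable by group or other, otherwise sshd rejects the chroot.
#
# usage: check_chroot_path DIR [OWNER_UID] [STOP_AT]
#   OWNER_UID (default 0) and STOP_AT (default /) are assumptions of this
#   example so the check can be tried on a scratch tree without root.
check_chroot_path() {
    ccp_cur=$1
    ccp_uid=${2:-0}
    ccp_stop=${3:-/}
    ccp_rc=0
    case $ccp_cur in
        /*) ;;
        *) echo "FAIL $ccp_cur: not an absolute path" >&2; return 2 ;;
    esac
    while :; do
        if [ ! -d "$ccp_cur" ]; then
            echo "FAIL $ccp_cur: not a directory" >&2
            return 2
        fi
        # ls -ldn is POSIX: field 1 is the mode string, field 3 the numeric uid.
        ccp_meta=$(ls -ldnL "$ccp_cur") || return 2
        ccp_mode=${ccp_meta%% *}
        ccp_owner=$(printf '%s\n' "$ccp_meta" | awk '{print $3}')
        if [ "$ccp_owner" != "$ccp_uid" ]; then
            echo "FAIL $ccp_cur: owner uid $ccp_owner, expected $ccp_uid" >&2
            ccp_rc=1
        fi
        case $ccp_mode in
            d????w*|d???????w*)   # 6th char = group write, 9th = other write
                echo "FAIL $ccp_cur: mode $ccp_mode is group/other writable" >&2
                ccp_rc=1 ;;
        esac
        # Stop at the boundary, or at / as a safety net.
        if [ "$ccp_cur" = "$ccp_stop" ] || [ "$ccp_cur" = / ]; then
            break
        fi
        ccp_cur=$(dirname "$ccp_cur")
    done
    return "$ccp_rc"
}

# When run as a script with arguments, audit the given path.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Run as root against the real path, for example `check_chroot_path /home/chroot/<user>`; a non-zero exit lists each directory whose owner or mode would fail the check.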