From: krad
To: Tijl Coosemans
Cc: freebsd-questions@freebsd.org, Marwan Sultan
Date: Mon, 28 Dec 2009 15:49:53 +0000
In-Reply-To: <200912281028.47462.tijl@coosemans.org>
Subject: Re: chroot SSH users.
2009/12/28 Tijl Coosemans
> On Sunday 27 December 2009 18:16:47 krad wrote:
> > fairly easy if you read the man page 8) I wrote this howto for sun
> > boxes at work but it was using openssh so same rules should apply.
> > Make sure chroot support was compiled in though
> >
> > 1. Don't bother with sun ssh, it won't work. Opensolaris and later solaris
> > 10 are bundled with openssh though.
> > 2. Make sure openssh version is 5 or above (some 4s do work but 5 better)
> > 3. Add these lines to sshd config
> >
> > Match Group sftponly
> > ChrootDirectory /home/chroot/%u
> > X11Forwarding no
> > AllowTcpForwarding no
> > ForceCommand internal-sftp
> >
> > 4. Make sure the Subsystem line is this
> >
> > Subsystem sftp internal-sftp
> >
> > 5. create the sftponly group on the system
> > 6. put the relevant users in this group. be careful as you will stop them
> > being able to ssh in!!
> > 7. Dead important this bit !!!
> >
> > mkdir -p /home/chroot//home//.ssh
> > chown -R root /home/chroot/
> > chown -R /home/chroot/
>
> Shouldn't this line be:
> chown -R /home/chroot//home/

Strictly, yes. I probably missed a step where I symlinked it, as I was copying stuff from the shell history.

> > chmod -R 755 /home/chroot/ /home/chroot//home/
> > ln -s /home/chroot//home/ /home/.
> >
> > 8. Put their ssh keys in /home/chroot//home//.ssh
> >
> > All should now work
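The ownership rules behind the chown steps discussed above, as an added check script that is not part of the original post: sshd refuses a ChrootDirectory unless every component of its path is owned by root and not group- or world-writable, while the inner home under it must belong to the user so uploads work. The example user, uids and the optional start-directory/root-uid parameters are assumptions for illustration.

```shell
#!/bin/sh
# Check the sftp chroot layout from the howto: /home/chroot/<user> is the
# ChrootDirectory, /home/chroot/<user>/home/<user> the user's writable home.
# sshd enforces root ownership and no group/other write bit on every component
# of the chroot path; the inner home must be owned by the user instead.
# (Added example; paths and uids below are assumptions, not from the post.)

owner_mode() {  # print "uid octal-mode" for a path; GNU stat, then BSD stat
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %OLp' "$1"
}

not_writable_by_others() {  # succeed if neither group nor other may write
    perm=$(printf '%04d' "$1")          # pad so "0" becomes "0000"
    prefix=${perm%???}; last3=${perm#"$prefix"}
    g=${last3%?}; g=${g#?}; o=${last3#??}
    [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ]
}

check_dir() {  # $1 must be owned by uid $2 and not group/world writable
    info=$(owner_mode "$1") || { echo "cannot stat $1" >&2; return 1; }
    uid=${info%% *}; mode=${info#* }
    [ "$uid" = "$2" ] || { echo "$1: owner uid $uid, want $2" >&2; return 1; }
    not_writable_by_others "$mode" || { echo "$1: mode $mode writable by others" >&2; return 1; }
}

# Walk $1 from ancestor $2 (default /) downward; every directory on the way
# must pass check_dir with uid $3 (default 0), as sshd does for ChrootDirectory.
check_chroot_path() {
    target=$1; start=${2:-/}; want=${3:-0}
    case $target in "$start"*) ;; *) echo "$target not under $start" >&2; return 1 ;; esac
    rel=${target#"$start"}
    old_ifs=$IFS; IFS=/; set -- $rel; IFS=$old_ifs
    cur=${start%/}
    check_dir "${cur:-/}" "$want" || return 1
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur=$cur/$comp
        check_dir "$cur" "$want" || return 1
    done
}

# Whole layout: chroot dir $1 (its basename is the user) root-owned down the
# tree, and $1/home/<user> owned by uid $2. $3 (start dir) and $4 (root uid)
# default to / and 0; they exist so the check can be exercised unprivileged.
check_sftp_layout() {
    user=${1##*/}
    check_chroot_path "$1" "${3:-/}" "${4:-0}" && check_dir "$1/home/$user" "$2"
}

# e.g. check_sftp_layout /home/chroot/alice 1001   (assumed user alice, uid 1001)
```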