Date: Fri, 21 Jun 2002 10:08:28 +0200 (MEST)
Message-Id: <200206210808.g5L88SJ15420@splat.grant.org>
From: Michael Grant
To: freebsd-questions@freebsd.org
Subject: Re: ssh/ftp only accounts

On Thu, 20 Jun 2002, Michael Grant wrote:
> Alexander V Zubchenko wrote:
> On Thu, 20 Jun 2002, Michael Grant wrote:
> > Can someone please tell me what the recommended way to set up an
> > account such that the user can only ftp and scp to a chrooted
> > directory? (i.e. no login shell).
>
> Here it is (imho, of course):
> 1. Create a user with a shell like /bin/date or something like this (you
> may want to add this command to /etc/shells).
> 2. Allow this user access to the desired services.
>
> Hope this helps. If you need additional info on getting access to
> ftp/scp, don't hesitate to mail me.

First, there's a typo in the subject line: I meant scp, not ssh.

I discovered that if I use /etc/passwd as the shell, then when the user wants to change their password, they try to log in, are presented with a password change prompt, and are immediately logged out.

Your solution doesn't work for scp, only for ftp. Furthermore, it's not chrooted. It also allows a person to log in and read mail via pop or imap.
There doesn't seem to be one place which controls access. To chroot ftp, you simply add the username to /etc/ftpchroot. There are some patches to apply to openssh to get it to chroot. I suppose if I run the following script as root, I could use the chroot command before calling scp. Sounds dangerous though.

Here is a partial solution; set your shell using the following script:

#!/bin/sh -p
#
# filesonly by Michael Grant
#
# no -c option, offer to change passwd
if [ "$1" != '-c' ]; then
    echo "You may only change your password or hit return to exit"
    /usr/bin/passwd
    echo "You may only scp or ftp with this account."
    exit
fi

# $2 contains the command to exec; split it into args
# ("--" so a command that starts with "-" is not taken as an option to set)
set -- $2

# Verify that the command is scp in server mode: word 1 must be "scp"
# and word 2 must be "-t" or "-f". The tests are grouped explicitly;
# a bare "A -a B -o C" would accept any command whose second word is "-f".
if [ "$1" = 'scp' ] && { [ "$2" = '-t' ] || [ "$2" = '-f' ]; }; then
    # Exec scp directly so there can be no mistake
    exec /usr/bin/scp $2 $3
    exit
fi

# Verify that it's the sftp command
if [ "$1" = '/usr/libexec/sftp-server' ] || [ "$1" = 'sftp-server' ]; then
    exec /usr/libexec/sftp-server
    exit
fi

echo "Command not found."
exit
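As an added example that is not part of the original post, here is the allow-list test from the filesonly script written two ways, as functions that only return 0 (allowed) or 1 (rejected) and never exec anything, so the effect of grouping the scp test correctly can be checked on constructed command strings:

```shell
#!/bin/sh
# Added example (not the original script). Each function takes the string
# sshd passes after "-c", splits it into words the way the script does,
# and returns 0 if the command would be allowed, 1 otherwise.

# Original form of the test: "[ A -a B -o C ]" groups as "(A and B) or C",
# so any command whose second word is "-f" passes, whatever word 1 is.
check_original() {
    set -- $1
    if [ \( "$1" = 'scp' \) -a \( "$2" = '-t' \) -o \( "$2" = '-f' \) ]; then
        return 0
    fi
    if [ \( "$1" = '/usr/libexec/sftp-server' \) -o \( "$1" = 'sftp-server' \) ]; then
        return 0
    fi
    return 1
}

# Grouped form: word 1 must be "scp" AND word 2 must be exactly "-t" or
# "-f"; the sftp-server branch is unchanged. "set --" keeps a command
# that starts with "-" from being read as an option to set.
check_fixed() {
    set -- $1
    if [ "$1" = 'scp' ] && { [ "$2" = '-t' ] || [ "$2" = '-f' ]; }; then
        return 0
    fi
    if [ "$1" = '/usr/libexec/sftp-server' ] || [ "$1" = 'sftp-server' ]; then
        return 0
    fi
    return 1
}
```

Constructed inputs such as "scp -t /home/user" and "sftp-server" pass both checks, while "sh -f" passes only check_original; "cat /etc/passwd" and "scp -v -t /home/user" are rejected by both.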