Date:      Fri, 21 Jun 2002 10:08:28 +0200 (MEST)
From:      Michael Grant <mg-fbsd3@grant.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: ssh/ftp only accounts
Message-ID:  <200206210808.g5L88SJ15420@splat.grant.org>

On Thu, 20 Jun 2002, Michael Grant wrote:

> Alexander V Zubchenko wrote:
> On Thu, 20 Jun 2002, Michael Grant wrote:
> > Can someone please tell me what the recommended way to set up an
> > account such that the user can only ftp and scp to a chrooted
> > directory?  (i.e. no login shell).
> >
> Here it is (imho, of course):
> 1. Create user with shell like /bin/date or something like this (You
> may want to add this command to /etc/shells).
> 2. Allow this user access to desired services.
> 
> Hope this helps. If You need additional info on getting access to
> ftp/scp, don't hesitate and mail me.

First, there's a typo in the subject line, I meant scp, not ssh.

I discovered that if I use /etc/passwd as the shell, then if the
user wants to change their password, they try to log in and they're
presented with a password change prompt and immediately logged out.

Your solution doesn't work for scp, only for ftp.  And furthermore,
it's not chrooted.  It also allows a person to log in and read mail
via pop or imap.  There doesn't seem to be one place which controls
access.

To chroot ftp, you simply add the username to /etc/ftpchroot.  There
are some patches to apply to openssh to get it to chroot.  I suppose if I
run the following script as root, I could use the chroot command
before calling scp.  Sounds dangerous though.

Here is a partial solution; set your shell using the following script:

#!/bin/sh -p
#
# filesonly by Michael Grant
#

# no -c option: the user logged in interactively, so offer to change
# the password and then exit
if [ "$1" != '-c' ]; then
   echo "You may only change your password or hit return to exit"
   /usr/bin/passwd
   echo "You may only scp or ftp with this account."
   exit 0
fi

# $2 contains the command to exec; split it into args.  "set -f" keeps a
# "*" in a path from globbing, and "--" keeps a leading "-" word from
# being read as options to set itself.
set -f
set -- $2

# Verify that the command is scp in remote sink (-t) or source (-f) mode.
# The tests are kept separate because "-a" binds tighter than "-o", so
# "A -a B -o C" means "(A and B) or C" and would accept any command
# whose second word is -f.
if [ "$1" = 'scp' ] && { [ "$2" = '-t' ] || [ "$2" = '-f' ]; }; then
    # Exec scp directly so there can be no mistake
    exec /usr/bin/scp "$2" "$3"
    exit 1    # only reached if exec itself fails
fi

# Verify that it's the sftp command
if [ "$1" = '/usr/libexec/sftp-server' ] || [ "$1" = 'sftp-server' ]; then
    exec /usr/libexec/sftp-server
    exit 1    # only reached if exec itself fails
fi

echo "Command not found."
exit 1
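The same allow-list policy as the script above (scp in remote sink or source mode, or sftp-server, nothing else), written as a testable function rather than a login shell. This is an added example and not the script from the post; the function name `allowed_cmd` and the demo driver are mine, and the program paths /usr/bin/scp and /usr/libexec/sftp-server are taken from the post. It goes slightly beyond the post's script in that it accepts the -v, -r, -d and -p modifiers an scp client sends ahead of -t/-f, refuses any other option, and rejects shell metacharacters up front.

```shell
#!/bin/sh
# Added example, not the script from the post: the allow-list check for a
# restricted scp/sftp-only shell as a function that returns the program to
# exec, so the policy can be exercised on sample command strings.
# The function name, the demo driver and the sample commands are assumptions.

# allowed_cmd "command string as sshd hands it to 'shell -c'"
# Prints the absolute program to exec and returns 0, or prints nothing and
# returns 1 if the command is not on the allow list.
allowed_cmd() {
    cmd=$1

    # Refuse shell metacharacters outright. Nothing here is ever handed to
    # another shell, but a restricted login shell should still treat
    # "scp -t /x; sh" as an error rather than something to parse.
    case $cmd in
        *['`;&|$()<>']*) return 1 ;;
    esac

    # Split the string into words. "set -f" stops a "*" in a path from
    # globbing, and "--" stops a leading "-word" from being read as
    # options to set itself.
    set -f
    set -- $cmd
    prog=$1

    case $prog in
        scp)
            # The scp client runs "scp [-v] [-r] [-d] [-p] -t|-f <path>" on
            # the server side. Each condition is tested separately, so there
            # is no -a/-o precedence to get wrong.
            shift
            mode=""
            path=""
            for word in "$@"; do
                case $word in
                    -t|-f)       mode=$word ;;   # remote sink / source mode
                    -v|-r|-d|-p) ;;              # modifiers sent before the mode
                    -*)          return 1 ;;     # any other option: refuse
                    *)           path=$word ;;   # the remote path
                esac
            done
            [ -n "$mode" ] && [ -n "$path" ] || return 1
            echo /usr/bin/scp
            ;;
        sftp-server|/usr/libexec/sftp-server)
            # sftp-server takes no arguments from the client.
            [ $# -eq 1 ] || return 1
            echo /usr/libexec/sftp-server
            ;;
        *)
            return 1 ;;
    esac
}

# Stand-alone demo on constructed command strings; sshd would supply the
# string as "$2" after "-c" when this were used as a login shell.
if [ "${1:-}" = "--demo" ]; then
    for c in 'scp -r -d -t /home/user/in' 'sftp-server' 'rm -rf /home/user'; do
        if prog=$(allowed_cmd "$c"); then
            echo "allow: $c -> $prog"
        else
            echo "deny:  $c"
        fi
    done
fi
```

Run with `sh filesonly-check.sh --demo` to see the three constructed commands classified. Inside a real login shell the wrapper would do `prog=$(allowed_cmd "$2") && exec "$prog" ...` with the split arguments, which still leaves the chroot problem the post describes unsolved.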
