From: Chris Rees
Reply-To: utisoft@gmail.com
To: krad
Cc: Balázs Mátéffy, freebsd-questions@freebsd.org
Date: Wed, 4 May 2011 16:47:33 +0100
Subject: Re: Limiting SSH access

On 4 May 2011 16:27, "krad" wrote:
>
> On 4 May 2011 12:47, Balázs Mátéffy wrote:
>
> > On 4 May 2011 13:35, Matthew Seaman wrote:
> >
> > > On 04/05/2011 10:08, Jack Raats wrote:
> > > > I have a question concerning SSH on a FreeBSD 7.4-STABLE server.
> > > >
> > > > Is it possible to limit the SSH access?
> > > > I want to restrict a user to his own home directory.
> > > > So that if he connects to the server with SSH he only can go to his own
> > > > home dir.
> > > > Also the same for sftp...
> > >
> > > I believe you will need to install a version of OpenSSH from ports to
> > > get that functionality. It's the CHROOT config option in
> > > security/openssh-portable
> > >
> > > Cheers
> > >
> > > Matthew
> > >
> > > --
> > > Dr Matthew J Seaman MA, D.Phil.                  7 Priory Courtyard
> > >                                                  Flat 3
> > > PGP: http://www.infracaninophile.co.uk/pgpkey    Ramsgate
> > > JID: matthew@infracaninophile.co.uk              Kent, CT11 9PW
> >
> > Hello,
> >
> > It should work with the base openssh on 7.4. Check your version with sshd -v.
> > Here, search for chroot (or use google :)):
> > http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
> >
> > Regarding ssh login, I usually use "rbash" from the ports, that restricts
> > the user from leaving his or her home directory!
> >
> > Regards,
> >
> > Balazs Mateffy.
> >
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
> If you want them to be able to get a shell other than the sftp prompt then you
> will have to go for the rbash option. If you chroot the shell to their home
> dir they won't have access to any system binaries so won't be able to 'ls' for
> example.
>
> Having said that you could build a tree of all the binaries they need along
> with all the dependent libraries. This would get a bit cumbersome and
> wasteful of disk space for lots of users though. You might be better off
> with jails.

Or you could have a special /bin-restricted that you nullfs mount into ~userN/bin.

Chris
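Two of the approaches discussed in this thread, as an added example that is not code from any of the posters: the sshd_config(5) Match block that Balázs points to, confining one user with ChrootDirectory and forcing the in-process SFTP server (so nothing needs to exist inside the chroot), and a small helper for krad's "tree of binaries" approach that turns ldd output into the list of shared libraries to copy. The user name jack, the path /home/jack and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example for this thread (not code from any of the posters).
# Two pieces:
#   sftp_match_block  - emit an sshd_config(5) Match block that confines one
#                       user to a ChrootDirectory and forces the in-process
#                       SFTP server, so no binaries are needed in the chroot.
#   ldd_libs          - parse ldd output into the library paths to copy when
#                       building the "tree of binaries" krad describes.
# User name, paths and the sample ldd output are constructed for illustration.

# sshd refuses a ChrootDirectory unless every path component is owned by root
# and not writable by group or others, so the user gets a writable
# subdirectory (e.g. $chroot_dir/upload) rather than the chroot root itself.
sftp_match_block() {
    user=$1
    chroot_dir=$2
    printf 'Match User %s\n' "$user"
    printf '    ChrootDirectory %s\n' "$chroot_dir"
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# Read ldd output on stdin; print one resolved library path per line.
#   "libc.so.7 => /lib/libc.so.7 (0x...)"   -> /lib/libc.so.7
#   "/libexec/ld-elf.so.1 (0x...)"          -> /libexec/ld-elf.so.1
# Lines such as "linux-vdso.so.1 (0x...)" or the "/bin/ls:" header are
# ignored; an unresolved "=> not found" is reported on stderr so the
# chroot is not silently built with a missing dependency.
ldd_libs() {
    awk '
        $2 == "=>" && $3 ~ /^\//  { print $3 }
        $2 == "=>" && $3 == "not" { print "unresolved: " $1 > "/dev/stderr" }
        $1 ~ /^\// && $2 ~ /^\(/  { print $1 }
    '
}

# Copy one binary plus the libraries ldd reports into the chroot at $1,
# keeping the original directory layout. ldd on FreeBSD lists only the
# shared libraries, not the runtime linker, so /libexec/ld-elf.so.1 is
# added explicitly (and skipped where it does not exist).
chroot_add_binary() {
    root=$1
    bin=$2
    for f in "$bin" $(ldd "$bin" | ldd_libs) /libexec/ld-elf.so.1; do
        [ -f "$f" ] || continue
        mkdir -p "$root$(dirname "$f")"
        cp -p "$f" "$root$f"
    done
}

# Stand-alone demo with a constructed user name: print the Match block.
sftp_match_block jack /home/jack
```

Match blocks apply from their line to the next Match, so the emitted block belongs after the global options at the end of sshd_config; check the result with `sshd -t` before restarting. Because the chroot root must be root-owned, a home directory owned by the user cannot itself be the ChrootDirectory, which is why the writable area is a subdirectory. For the shared tree Chris suggests, an fstab line of the form `/bin-restricted /home/userN/bin nullfs ro 0 0` (the `ro` option is my choice, not from the thread) mounts one restricted binary tree read-only into each home instead of copying it per user.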