Date: Tue, 25 May 2010 23:05:58 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: matt@webcontracts.co.uk
Cc: freebsd-questions@freebsd.org
Subject: Re: chroot scp only network storage?
Message-ID: <4BFC49C6.2020709@infracaninophile.co.uk>
In-Reply-To: <933e7d04f535bbe649f089f9deb60284.squirrel@www.webcontracts.co.uk>
References: <933e7d04f535bbe649f089f9deb60284.squirrel@www.webcontracts.co.uk>

On 25/05/2010 22:29:57, Matthew Law wrote:
>
> I want to provide some users with secure network attached storage over
> SCP.  The intent is to provide people with a similar thing to, e.g.
> rsync.net but inside of our network only.
>
> Security is obviously a priority so I would like each user to be chrooted
> into their allocated directory and allow them only to execute a small set
> of commands.

Check out the security/openssh-portable port which has options to enable
chroot'ing.  You should be able to configure the account to only be able
to use scp(1) or sftp(1) by editing sshd_config or by using forced
commands in the user authorized_keys files.

> I have come across scponly before.  Is this the best way of achieving this
> with FreeBSD or is there some other better way?

Another alternative is WebDAV.  Run it over HTTPS for security, and use
the standard Apache authn/authz controls to give each user access to
only their own area.  In principle your users can mount their WebDAV
areas as networked filesystems on their desktops.  In practice, this
works fine with MacOS X, is horribly buggy under Windows, needs quite a
lot of effort to make work on Linux, and I don't think it's actually
available at all on FreeBSD.  However, commandline clients like cadaver
will work fine on anything Unixy.

	Cheers

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
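
An added example, not part of the original message and not OpenSSH's own code: one way to do the sshd_config approach mentioned above as an sftp-only chroot, plus a check of the ownership rule sshd enforces on the chroot path. The group name "sftponly", the /storage/%u layout and the OWNER_UID/STOP_AT parameters are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. The group name "sftponly"
# and the /storage/%u layout are assumptions.

# Print an sshd_config Match block: members of group $1 are chrooted to
# $2 and may only run the in-process SFTP server (no shell, no forwarding).
sshd_match_block() {
    cat <<EOF
Match Group $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# check_chroot DIR [OWNER_UID] [STOP_AT]
# sshd refuses to chroot unless every component of the path is a
# directory owned by root and not writable by group or others, so the
# user needs a writable subdirectory inside the chroot, not the chroot
# itself. This walks DIR up to STOP_AT and reports each violation.
# OWNER_UID (default 0) and STOP_AT (default /) are only there so the
# check can be tried on a scratch tree without root.
check_chroot() {
    dir=$1 owner=${2:-0} stop=${3:-/} rc=0
    case $dir in /*) ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    while :; do
        # POSIX ls -ldn: field 1 is the mode string, field 3 the numeric uid
        info=$(ls -ldn "$dir") || return 2
        mode=${info%% *}
        uid=$(printf '%s\n' "$info" | awk '{print $3}')
        case $mode in
            d????-??-*) ;;   # directory, group-write and other-write bits clear
            *) echo "bad mode $mode: $dir" >&2; rc=1 ;;
        esac
        [ "$uid" = "$owner" ] || { echo "owner uid $uid, want $owner: $dir" >&2; rc=1; }
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    return $rc
}
```

Source the file, append the output of `sshd_match_block sftponly /storage/%u` to sshd_config, and run `check_chroot /storage/alice` as root for each user directory before reloading sshd.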