From owner-freebsd-questions@FreeBSD.ORG Tue May 25 22:06:03 2010 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 91A571065676 for ; Tue, 25 May 2010 22:06:03 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from smtp.infracaninophile.co.uk (gate6.infracaninophile.co.uk [IPv6:2001:8b0:151:1::1]) by mx1.freebsd.org (Postfix) with ESMTP id 05CBD8FC19 for ; Tue, 25 May 2010 22:06:02 +0000 (UTC) Received: from seedling.black-earth.co.uk (seedling.black-earth.co.uk [81.187.76.163]) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.14.4/8.14.4) with ESMTP id o4PM5wrg046985 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Tue, 25 May 2010 23:05:58 +0100 (BST) (envelope-from m.seaman@infracaninophile.co.uk) Message-ID: <4BFC49C6.2020709@infracaninophile.co.uk> Date: Tue, 25 May 2010 23:05:58 +0100 From: Matthew Seaman Organization: Infracaninophile User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4 MIME-Version: 1.0 To: matt@webcontracts.co.uk References: <933e7d04f535bbe649f089f9deb60284.squirrel@www.webcontracts.co.uk> In-Reply-To: <933e7d04f535bbe649f089f9deb60284.squirrel@www.webcontracts.co.uk> X-Enigmail-Version: 1.0.1 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Virus-Scanned: clamav-milter 0.96.1 at lucid-nonsense.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=2.0 required=5.0 tests=DKIM_ADSP_ALL,SPF_FAIL, TO_NO_BRKTS_DIRECT autolearn=no version=3.3.1 X-Spam-Level: ** X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on lucid-nonsense.infracaninophile.co.uk Cc: freebsd-questions@freebsd.org Subject: Re: chroot scp only network storage? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 May 2010 22:06:03 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 25/05/2010 22:29:57, Matthew Law wrote: > > I want to provide some users with secure network attached storage over > SCP. The intent is to provide people with a similar thing to, e.g. > rsync.net but inside of our network only. > > Security is obviously a priority so I would like each user to be chrooted > into their allocated directory and allow them only to execute a small set > of commands. Checkout the security/openssh-portable port which has options to enable chroot'ing. You should be able to configure the account to only be able to use scp(1) or sftp(1) by editing sshd_config or by using forced commands in the user authorized_keys files. > I have come across scponly before. Is this the best way of achieving this > with FreeBSD or is there some other better way? Another alternative is WebDAV. Run it over HTTPS for security, and use the standard Apache authn/authz controls to give each user access to only their own area. In principle your users can mount their WebDAV areas as networked filesystems on their desktops. In practice, this works fine with MacOS X, is horribly buggy under Windows, needs quite a lot of effort to make work on Linux, and I don't think it's actually available at all on FreeBSD. However, commandline clients like cadaver will work fine on anything Unixy. Cheers Matthew - -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate JID: matthew@infracaninophile.co.uk Kent, CT11 9PW -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkv8ScYACgkQ8Mjk52CukIyLRQCginYWfMA2AJKnxZs9rvXlg7qf CnUAnj668eKglbUe8RIfp8actDj13gYe =jATZ -----END PGP SIGNATURE-----