From: "Matthew Law" <matt@webcontracts.co.uk>
To: "Matthew Seaman"
Cc: freebsd-questions@freebsd.org
Date: Wed, 26 May 2010 09:27:19 +0100
Subject: Re: chroot scp only network storage?
In-Reply-To: <4BFC49C6.2020709@infracaninophile.co.uk>

On Tue, May 25, 2010 11:05 pm, Matthew Seaman wrote:

> Check out the security/openssh-portable port which has options to enable
> chroot'ing. You should be able to configure the account to only be able
> to use scp(1) or sftp(1) by editing sshd_config or by using forced
> commands in the user authorized_keys files.

This sounds pretty close to what I want. I don't want the user to be able
to get a shell on the box but do want to allow them to run a small subset
of useful commands over ssh such as 'ls' and of course scp files to and
from it.

> Another alternative is WebDAV. Run it over HTTPS for security, and use
> the standard Apache authn/authz controls to give each user access to
> only their own area. In principle your users can mount their WebDAV
> areas as networked filesystems on their desktops. In practice, this
> works fine with MacOS X, is horribly buggy under Windows, needs quite a
> lot of effort to make work on Linux, and I don't think it's actually
> available at all on FreeBSD. However, commandline clients like cadaver
> will work fine on anything Unixy.

I've had problems with exactly this before on Linux. I only need to allow
Linux, FreeBSD and Solaris users access to this resource so will persevere
with something SSH based I think.

Thanks,

Matt.
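One way to implement the "forced commands in authorized_keys" suggestion above while still permitting the 'ls' that Matt asks for, as an added example that is not from either poster: a POSIX sh wrapper (assumed path /usr/local/bin/scp-only.sh, constructed here) that sshd runs as the key's command and that only lets through 'ls' or scp's own server-side invocations. It restricts the command, not the filesystem, so it complements rather than replaces the port's chroot option.

```shell
#!/bin/sh
# Forced-command wrapper for an scp/ls-only account (added example, not from
# the thread). Assumed path /usr/local/bin/scp-only.sh, installed from the
# account's ~/.ssh/authorized_keys as:
#   command="/usr/local/bin/scp-only.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... user@client
# sshd then runs this script instead of whatever the client asked for and
# exposes the client's request only in SSH_ORIGINAL_COMMAND.
set -f   # never glob while splitting the request into words

# Return 0 only for "ls [args]" or scp's own server-side invocations,
# "scp [-p] [-r] [-v] [-d] -t <path>" (upload) and "... -f <path>" (download).
allowed_command() {
    cmd=$1
    [ -n "$cmd" ] || return 1   # empty request = interactive shell wanted
    # Refuse shell metacharacters, quotes and ".." so an argument cannot
    # smuggle a second command or step outside the account's tree.
    case $cmd in
        *[';&|<>`$(){}*?\']*|*\'*|*\"*|*..*) return 1 ;;
    esac
    set -- $cmd
    case $1 in
        ls)  return 0 ;;
        scp) shift ;;
        *)   return 1 ;;
    esac
    mode=
    while [ $# -gt 0 ]; do
        case $1 in
            -p|-r|-v|-d) shift ;;
            -t|-f)       mode=$1; shift; break ;;
            *)           return 1 ;;
        esac
    done
    # -t/-f must be present and followed by exactly one path.
    if [ -n "$mode" ] && [ $# -eq 1 ]; then return 0; fi
    return 1
}

# Entry point when sshd executes this file as the forced command.
case $0 in
    *scp-only.sh)
        if allowed_command "${SSH_ORIGINAL_COMMAND:-}"; then
            set -- $SSH_ORIGINAL_COMMAND
            exec "$@"
        fi
        logger -p auth.warning -t scp-only "refused: ${SSH_ORIGINAL_COMMAND:-<shell>}"
        echo "command not permitted" >&2
        exit 1 ;;
esac
```

Refused requests are written to syslog's auth facility via logger(1), which gives you something to alert on when a restricted key is being probed.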