Date: Tue, 20 Aug 2002 08:35:46 +0930
From: Wincent Colaiuta <wincentcolaiuta@mac.com>
To: Philip Paeps <philip@paeps.cx>
Cc: security@FreeBSD.ORG
Subject: Re: Chroot environment for ssh
Message-ID: <31BC65C5-B3C8-11D6-9471-003065C60B4C@mac.com>
In-Reply-To: <20020815134341.GO1144@juno.paeps.cx>
On Thursday, 15 August, 2002, at 11:13 PM, Philip Paeps wrote:

> I'm in the process of setting up a form of fileserver, and I'd like for my
> users to be able to work only in their home directories, not anywhere else. I
> would like to use SSH for the connections, as opposed to FTP, but I don't want
> users to be able to log into an interactive shell (only SCP/SFTP) and I don't
> want them to 'escape' out of their home directories.

Use ssh2 from the ports collection:

    cd /usr/ports/security/ssh2 && make install

In /usr/local/etc/ssh2/sshd2_config set the ChRootGroups and ChRootUsers
directives to chroot the group(s) and/or user(s) that are to have ChRooted
access.

Turn off the default ssh (OpenSSH) by setting in /etc/rc.conf:

    sshd_enable="NO"

Start the new ssh:

    /usr/local/etc/rc.d/sshd.sh start

When you create the user's account, make sure the shell is set to
/bin/nologin or something similar.

With this setup, they can sftp in and are chrooted to the home dir, and they
can't get a shell when they connect via ssh.

In my opinion, OpenSSH should have this feature. We are told not to use ftp
because of clear-text passwords, so we have to use ssh/sftp, but when we do
that we can no longer chroot people to their home dirs! And if we're not
careful, we end up giving them a login shell. Using ssh2 from the ports gets
around this limitation, but just check the licence before you install to make
sure that you qualify (otherwise it's not free).

Cheers :-)
Wincent

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
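An added audit script (not from Wincent's message or the ssh2 port) that checks, per user, the three conditions the message relies on: the user is covered by ChRootUsers/ChRootGroups in sshd2_config, the login shell is nologin, and OpenSSH is disabled in rc.conf. It runs on constructed copies of the four files; the file paths and the comma-separated directive syntax are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the original post or the ssh2 port): for one user,
# check that ssh2 chroots it (ChRootUsers/ChRootGroups), that its login shell is
# nologin, and that the stock OpenSSH daemon is disabled in rc.conf.
set -u
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
# Constructed sample files standing in for /usr/local/etc/ssh2/sshd2_config,
# /etc/rc.conf, /etc/passwd and /etc/group (one line per directive assumed).
cat > "$TMP/sshd2_config" <<'EOF'
ChRootGroups   sftponly
ChRootUsers    alice,bob
EOF
printf 'sshd_enable="NO"\n' > "$TMP/rc.conf"
cat > "$TMP/passwd" <<'EOF'
alice:*:1001:1001:Alice:/home/alice:/sbin/nologin
carol:*:1002:1002:Carol:/home/carol:/bin/sh
dave:*:1003:2000:Dave:/home/dave:/sbin/nologin
EOF
printf 'sftponly:*:2000:carol\n' > "$TMP/group"
# 0 if $1 is named in ChRootUsers, or a ChRootGroups group is its primary
# gid or lists it as a member in /etc/group.
is_chrooted() {
  u=$1
  users=$(awk '$1=="ChRootUsers"{print $2}' "$TMP/sshd2_config")
  echo ",$users," | grep -qF ",$u," && return 0
  gid=$(awk -F: -v u="$u" '$1==u{print $4}' "$TMP/passwd")
  for g in $(awk '$1=="ChRootGroups"{print $2}' "$TMP/sshd2_config" | tr ',' ' '); do
    awk -F: -v g="$g" -v gid="$gid" -v u="$u" \
      '$1==g && ($3==gid || index(","$4",", ","u",")) {f=1} END{exit !f}' \
      "$TMP/group" && return 0
  done
  return 1
}
# 0 if the user's login shell is a nologin binary, as the post recommends.
shell_is_nologin() {
  case "$(awk -F: -v u="$1" '$1==u{print $NF}' "$TMP/passwd")" in
    */nologin) return 0 ;; *) return 1 ;;
  esac
}
# 0 if OpenSSH is turned off in rc.conf, so only sshd2 answers ssh logins.
openssh_disabled() { grep -q '^sshd_enable="NO"' "$TMP/rc.conf"; }
# One line per user: "ok" or the conditions still unmet.
audit_user() {
  problems=""
  is_chrooted "$1"      || problems="$problems not-chrooted"
  shell_is_nologin "$1" || problems="$problems shell-allowed"
  openssh_disabled      || problems="$problems openssh-enabled"
  [ -z "$problems" ] && echo "$1: ok" || echo "$1:$problems"
}
for u in alice carol dave; do audit_user "$u"; done
```

Point the four paths at the live files to audit a real host; a user reported as "shell-allowed" or "not-chrooted" is one the message warns about.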