From: Wincent Colaiuta <wincentcolaiuta@mac.com>
To: Philip Paeps
Cc: security@FreeBSD.ORG
Date: Tue, 20 Aug 2002 08:35:46 +0930
Subject: Re: Chroot environment for ssh
In-Reply-To: <20020815134341.GO1144@juno.paeps.cx>
Message-Id: <31BC65C5-B3C8-11D6-9471-003065C60B4C@mac.com>

On Thursday, 15 August, 2002, at 11:13 PM, Philip Paeps wrote:

> I'm in the process of setting up a form of fileserver, and I'd like for my
> users to be able to work only in their home directories, not anywhere else. I
> would like to use SSH for the connections, as opposed to FTP, but I don't want
> users to be able to log into an interactive shell (only SCP/SFTP) and I don't
> want them to 'escape' out of their home directories.

Use ssh2 from the ports collection:

    cd /usr/ports/security/ssh2 && make install

In /usr/local/etc/ssh2/sshd2_config set the ChRootGroups and ChRootUsers
directives to chroot the group(s) and/or user(s) that are to have chrooted
access.

Turn off the default ssh (OpenSSH) by setting in /etc/rc.conf:

    sshd_enable="NO"

Start the new ssh:

    /usr/local/etc/rc.d/sshd.sh start

When you create the user's account, make sure the shell is set to /bin/nologin
or something similar.

With this setup, they can sftp in and are chrooted to the home dir, and they
can't get a shell when they connect via ssh.

In my opinion, OpenSSH should have this feature. We are told not to use ftp
because of clear-text passwords, so we have to use ssh/sftp, but when we do
that we can no longer chroot people to their home dirs! And if we're not
careful, we end up giving them a login shell. Using ssh2 from the ports gets
around this limitation, but just check the licence before you install to make
sure that you qualify (otherwise it's not free).

Cheers :-)

Wincent
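The setup above depends on three things staying in agreement: the ChRootUsers/ChRootGroups lists in sshd2_config, the login shells in /etc/passwd, and sshd_enable in /etc/rc.conf. The following audit script is an added example, not part of Wincent's message or the ssh2 port; it assumes sshd2_config lists users and groups as comma-separated values ("ChRootUsers a,b") and runs against constructed sample copies of the three files rather than the live system.

```shell
#!/bin/sh
# Added audit script (not from the original thread). Assumes the sshd2_config
# syntax "ChRootUsers a,b" / "ChRootGroups g" (comma-separated) and the
# standard passwd/group formats. All sample files below are constructed.
TMP=${TMPDIR:-/tmp}/chroot-audit.$$
mkdir -p "$TMP"; trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/sshd2_config" <<'EOF'
ChRootUsers    alice,bob
ChRootGroups   sftponly
EOF
cat > "$TMP/passwd" <<'EOF'
alice:*:1001:1001:Alice:/home/alice:/bin/nologin
bob:*:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/bin/nologin
dave:*:1004:1004:Dave:/home/dave:/bin/csh
EOF
cat > "$TMP/group" <<'EOF'
sftponly:*:2000:carol,dave
EOF
printf 'sshd_enable="NO"\n' > "$TMP/rc.conf"

# List every account the ssh2 config chroots: the ChRootUsers entries plus
# the members of each group named in ChRootGroups.
chroot_targets() {
  conf=$1; grp=$2
  awk '$1=="ChRootUsers"{n=split($2,u,","); for(i=1;i<=n;i++) print u[i]}' "$conf"
  awk '$1=="ChRootGroups"{n=split($2,g,","); for(i=1;i<=n;i++) print g[i]}' "$conf" |
  while read -r g; do
    awk -F: -v g="$g" '$1==g{n=split($4,m,","); for(i=1;i<=n;i++) if(m[i]!="") print m[i]}' "$grp"
  done
}

# Print "user: shell" for chrooted accounts whose login shell is still
# interactive, i.e. anyone who would get a shell despite the chroot.
shell_violations() {
  conf=$1; pw=$2; grp=$3
  chroot_targets "$conf" "$grp" | sort -u | while read -r u; do
    awk -F: -v u="$u" '$1==u && $7!~/nologin$/{print $1": "$7}' "$pw"
  done
}

# Succeeds only if rc.conf turns the stock OpenSSH daemon off.
openssh_disabled() { grep -q '^sshd_enable="NO"' "$1"; }

shell_violations "$TMP/sshd2_config" "$TMP/passwd" "$TMP/group"
openssh_disabled "$TMP/rc.conf" && echo "OpenSSH disabled in rc.conf"
```

Pointed at the real files (/usr/local/etc/ssh2/sshd2_config, /etc/passwd, /etc/group, /etc/rc.conf) it prints bob and dave-style offenders: chrooted accounts that still own an interactive shell.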