Date: Tue, 11 Mar 2008 18:16:10 -0400
From: Jerry McAllister <jerrymc@msu.edu>
To: "Philip M. Gollucci" <pgollucci@riderway.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: security/openssh-portable
Message-ID: <20080311221610.GB2418@gizmo.acns.msu.edu>
In-Reply-To: <47D702EC.2090908@riderway.com>
References: <47D702EC.2090908@riderway.com>

On Tue, Mar 11, 2008 at 06:08:44PM -0400, Philip M. Gollucci wrote:
> Hi,
>
> I'm setting up a 'chrooted' SFTP only set of users:
>
> /etc/make.conf:
> .if ${.CURDIR:M*/usr/ports/security/openssh-portable*}
> WITH_SUID_SSH =yes
> WITH_OPENSSH_CHROOT =yes
> WITH_HPN =yes
> WITH_OVERWRITE_BASE =yes
> .endif
>
> /etc/rc.conf:
> sshd_enable="NO"
> openssh_enable="YES"
>
> /etc/passwd:
> user:*:3000:3000::0:0:F L:/foo/./user:/bin/sh
>
> Access will be with ssh dsa keys only.
>
> What is the best way to make this SFTP only and not SSH?
> 1) .ssh/authorization?
> 2) change user's shell to /usr/local/libexec/sftp-server
> 3) change user's shell to a custom C wrapper around [2]
> 4) a combination of them

The usual thing is make the shell /bin/nologin

////jerry

>
> --
> ------------------------------------------------------------------------
> Philip M. Gollucci (philip@ridecharge.com)
> o:703.549.2050x206
> Senior System Admin - Riderway, Inc.
> http://riderway.com / http://ridecharge.com
> 1024D/EC88A0BF 0DE5 C55C 6BF3 B235 2DAB B89E 1324 9B4F EC88 A0BF
>
> Work like you don't need the money,
> love like you'll never get hurt,
> and dance like nobody's watching.
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
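
Added example, not part of the thread or of anyone's posted configuration: a shell audit of the two places the question touches, the shell field of the passwd entry and the per-key options in the account's key file. The account lines and keys are constructed, the key file is assumed to be OpenSSH's `authorized_keys`, and treating the two shells named in the thread as non-interactive is an assumption.

```sh
#!/bin/sh
# Added example; account lines and keys below are constructed sample data.

# Assumption: the two shells named in the thread count as non-interactive.
ALLOWED_SHELLS="/usr/local/libexec/sftp-server /bin/nologin"

# stdin: passwd(5) or master.passwd(5) lines. Home and shell are the last two
# fields in both formats. Prints "user shell" for each account whose home has
# the "/./" chroot marker but whose shell is not in ALLOWED_SHELLS.
audit_chroot_shells() {
    awk -F: -v allowed="$ALLOWED_SHELLS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^#/ || NF < 7 { next }
        index($(NF-1), "/./") > 0 && !($NF in ok) { print $1, $NF }
    '
}

# stdin: authorized_keys lines. Prints the line number of every key that has
# no command="..." option, i.e. a key not pinned to one forced command.
audit_forced_command() {
    awk '
        /^[ \t]*(#|$)/ { next }
        !/(^|,)command="/ { print NR }
    '
}

# Constructed input: the entry from the question plus one restricted account.
audit_chroot_shells <<'EOF'
user:*:3000:3000::0:0:F L:/foo/./user:/bin/sh
xfer:*:3001:3000::0:0:Constructed:/foo/./xfer:/usr/local/libexec/sftp-server
EOF

# Constructed keys: the first is pinned to sftp-server, the second is not.
audit_forced_command <<'EOF'
command="/usr/local/libexec/sftp-server",no-pty,no-port-forwarding ssh-dss AAAA-CONSTRUCTED-KEY xfer@example
ssh-dss AAAA-CONSTRUCTED-KEY user@example
EOF
```

Run against the real files, any line the first function prints is a chrooted account that still has an interactive shell, and any line number from the second is a key that can request an arbitrary command.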