chroot-ing users coming in via SSH and/or SFTP?

From: Brett Glass (brett_at_lariat.org)
Date: Mon, 20 Dec 2004 14:23:02 -0700
To: freebsd-security@freebsd.org


A client wants me to set up a mechanism whereby his customers can drop files
securely into directories on his FreeBSD server; he also wants them to be
able to retrieve files if needed. The server is already running OpenSSH,
and he himself is using Windows clients (TeraTerm and WinSCP) to access it,
so the logical thing to do seems to be to have his clients send and receive
files via SFTP or SCP.

The users depositing files on the server shouldn't be allowed to see what
one another are doing or to grope around on the system, so it'd be a good
idea to chroot them into home directories, as is commonly done with FTP.

However, OpenSSH (or at least FreeBSD's version of it) doesn't seem to have a
mechanism that allows users doing SSH, SCP, or SFTP to be chroot-ed into a
specific directory. What is the most effective and elegant way to do this? I've
seen some crude patches that allow you to put a /. in the home directory specified
in /etc/passwd, but these are specific to versions of the "portable" OpenSSH
and none of the diffs seem to match FreeBSD's files exactly.

--Brett

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"