Re: chroot-ing users coming in via SSH and/or SFTP?
From: Nigel Houghton (nigel_at_sourcefire.com)
Date: Mon, 20 Dec 2004 15:23:05 -0600 To: Brett Glass <email@example.com>
On 0, Brett Glass <firstname.lastname@example.org> allegedly wrote:
> A client wants me to set up a mechanism whereby his customers can drop files
> securely into directories on his FreeBSD server; he also wants them to be
> able to retrieve files if needed. The server is already running OpenSSH,
> and he himself is using Windows clients (TeraTerm and WinSCP) to access it,
> so the logical thing to do seems to be to have his clients send and receive
> files via SFTP or SCP.
> The users depositing files on the server shouldn't be allowed to see what
> one another are doing or to grope around on the system, so it'd be a good
> idea to chroot them into home directories, as is commonly done with FTP.
> However, OpenSSH (or at least FreeBSD's version of it) doesn't seem to have a
> mechanism that allows users doing SSH, SCP, or SFTP to be chroot-ed into a
> specific directory. What is the most effective and elegant way to do this? I've
> seen some crude patches that allow you to put a /. in the home directory specified
> in /etc/passwd, but these are specific to versions of the "portable" OpenSSH
> and none of the diffs seem to match FreeBSD's files exactly.
Is there something wrong with using the scponly shell for the users?
It is available in ports and at http://www.sublimation.org/scponly/
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
Stewie: You know, I rather like this God fellow. Very theatrical,
you know. Pestilence here, a plague there. Omnipotence
...gotta get me some of that.
email@example.com mailing list
To unsubscribe, send any mail to "firstname.lastname@example.org"