Re: Restrict SSH users to home directory

From: Richard E. Silverman (slade@shore.net)
Date: 12/20/02


From: slade@shore.net (Richard E. Silverman)
Date: 19 Dec 2002 23:15:10 -0500


>>>>> "H" == Hector <joeblow@yahoo.com> writes:

    H> When I try to change the read/write/execute permissions in the
    H> filesystem to make them inaccessible, the user can't login
    H> (obviously because they don't have permission to read/execute
    H> openSSH).

No, this is not obvious; OpenSSH is already running. More likely it's
that it can't run the user's shell, or some other critical thing.

It's a Unix box. If you "restrict" someone to their home directory, how
do you expect them to *do* anything? Run a shell? Run "ls"? Run any
program that depends on shared libraries, or needs /dev/zero to map a page
into memory? Etc. You *want* everyone to have access to some things.
Just maintain the permissions on those things you don't want people to
access.

Your other choice is to create a chroot cage for every user -- and then
deal with having to change all the cages every time you discover one more
thing that your users need to do.

-- 
  Richard Silverman
  slade@shore.net
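One concrete shape of the "chroot cage" the reply describes, as an added example that is not part of this thread and not anyone's posted code: it copies a shell and a couple of utilities into a cage directory together with the shared libraries ldd reports for them, and creates the /dev/null and /dev/zero nodes that programs commonly need. It assumes a Linux host with ldd and GNU coreutils, and root to create device nodes; the cage path and the program list are placeholders. Pointing the user's login at the cage (the chroot itself) is left to the login setup and is not shown.

```shell
#!/bin/sh
# Minimal chroot cage builder (illustration only, not from the thread).
# Assumes Linux, ldd(1), GNU coreutils; run as root for mknod/chown.
set -eu

# parse_ldd_output: read ldd(1) output on stdin, print one absolute library
# path per line. Handles "libc.so.6 => /lib/.../libc.so.6 (0x...)" and the
# bare loader line "/lib64/ld-linux-x86-64.so.2 (0x...)". Skips the vDSO
# (no file on disk), "not found" entries and "statically linked".
parse_ldd_output() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# lib_deps BIN: shared libraries BIN needs, via ldd.
lib_deps() {
    ldd "$1" 2>/dev/null | parse_ldd_output
}

# install_into_cage CAGE FILE: copy FILE into CAGE at the same path,
# creating parent directories and preserving mode/timestamps. Idempotent.
install_into_cage() {
    cage=$1; file=$2
    mkdir -p "$cage$(dirname "$file")"
    cp -p "$file" "$cage$file"
}

# install_program CAGE BIN: copy a program plus every library it links.
# (Library paths contain no spaces, so unquoted expansion is safe here.)
install_program() {
    cage=$1; bin=$2
    install_into_cage "$cage" "$bin"
    for lib in $(lib_deps "$bin"); do
        install_into_cage "$cage" "$lib"
    done
}

# make_dev_nodes CAGE: the two device nodes most programs cannot do without.
make_dev_nodes() {
    cage=$1
    mkdir -p "$cage/dev"
    [ -c "$cage/dev/null" ] || mknod -m 666 "$cage/dev/null" c 1 3
    [ -c "$cage/dev/zero" ] || mknod -m 666 "$cage/dev/zero" c 1 5
}

# build_cage CAGE USER: assemble the cage and a home directory for USER.
# The program list is a placeholder; as the reply warns, every new thing
# the user turns out to need means coming back and extending it.
build_cage() {
    cage=$1; user=$2
    for prog in /bin/sh /bin/ls /bin/cat; do
        install_program "$cage" "$prog"
    done
    make_dev_nodes "$cage"
    mkdir -p "$cage/home/$user" "$cage/tmp"
    chmod 1777 "$cage/tmp"
    chown "$user" "$cage/home/$user"
    # Everything else in the cage stays root-owned and read-only to the user.
}

# Usage: ./cage.sh /srv/cages/USER USER   (paths are placeholders)
if [ $# -eq 2 ]; then
    build_cage "$1" "$2"
fi
```

The parser is the part worth keeping even if the rest changes: the same library list is what you would audit (and re-run after a system upgrade) to know exactly which files inside the cage are copies that can go stale.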

