
Re: SSH access restrictions



* Rudi Starcevic wrote on 19.10.03 at 04:30:
> Thanks Marc,
> 
> Thanks also to Russel.
> 
> > I did it with pam_chroot which is really nice
> 
> Great - I'll start looking here.
> 
> Currently we only really offer FTP access but would like
> to include SSH access too.
> 
> I know with the right permissions a user account cannot do
> any damage but I would just like to prevent these people from
> snooping around.
> 
> I want to allow users to be able to SSH in and use things
> like PostgreSQL, MySQL and cron but not read /etc/passwd or
> /etc/mail/virtusertable etc. etc.
> 

Rudi,

Additionally, you may want to use the grsecurity kernel patch, which
makes chroot() environments a lot more secure. Without this patch it
is not too difficult to break out of a chroot.

-Marc

-- 
BUGS My programs  never  have  bugs.  They  just  develop  random
     features.  If you discover such a feature and you want it to
     be removed: please send an email to bug at links2linux.de 


