Re: SSH access restrictions

[Rudi Starcevic <rudi@oasis.net.au>]

Marc,

Thanks.

http://www.grsecurity.net looks very interesting.

Another couple of jobs have popped up which I need to address first
so I don't tihink I'll be working on this 'til later in the week.

When I do I'll be sure to post an update to the list.

Many thanks to you all.
It would not be possible to come this far on my own without this list's 
assistance/advice.

Best regards
Rudi.


Marc Schiffbauer wrote:

> * Rudi Starcevic schrieb am 19.10.03 um 04:30 Uhr:
>  
>
> > Thanks Marc,
> >
> > Thanks also to Russel.
> >
> >    
> >
> > > I did it with pam_chroot which is really nice
> > >      
> > Great - I'll start looking here.
> >
> > Currently we only really offer FTP access but would like
> > to include SSH access too.
> >
> > I know with the right permissions a user account cannot do
> > any damage but I would just like to prevent these people from
> > snooping around.
> >
> > I want to allow users to be able to SSH in and use things
> > like Postgresql, mysql and cron but not read /etc/passwd or 
> > /etc/mail/virtusertable etc. etc.
> >
> >    
>
> Rudi,
>
> additionally you may want to use the grsecurity Kernelpatch which
> makes chroot() environments a lot more secure. Without this patch it
> is not too difficult to break out of a chroot.
>
> -Marc
>
>