
Re: restricting sftp/ssh login access



Hi, and thanks for the quick replies!
Just to be a bit clearer in what I'm asking: I would like to be able to
allow my customers to access their accounts (update their web sites) with
sftp which as I understand it is an extension to (Open)SSH, and not FTP.  I
know for example that the Windows application - WS_FTP Pro - has an option
to use sftp/ssh on port 22 and when I tested it, I landed way up at root
"/".  So, I'd like to be able to allow secure access, but with an ftp client
like WS_FTP Pro using sftp, and not a Secure SHell.  I have my server set up
so that the customer can use SSH to change their password, and that's all
they can do with SSH.

Is there nothing in the ssh_config or sshd_config which can be set to
restrict sftp access to a designated directory?

It seems to me that the patched OpenSSH way that Hiren pointed out is
workable - http://chrootssh.sourceforge.net/docs/chrootedsftp.html but I'm
open to other maybe better ways.

Thanks again,
Robert
----- Original Message ----- 
From: "MB" <sparkynine@yahoo.com>
To: "Andreas John" <aj@net-lab.net>
Cc: <debian-isp@lists.debian.org>
Sent: Monday, June 28, 2004 6:47 PM
Subject: Re: restricting sftp/ssh login access


> John,
>
> First off, I made a small mistake, the package I used was "jailkit",
> from either:
>
> http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
> or
> http://freshmeat.net/projects/jailkit/
>
> It has tons of documentation to help you create a jailed environment,
> including loading your jail with whatever executables needed.
>
> Looks like I simplified my script to one line:
>
> -----------------------
> #!/bin/bash
>
> /usr/sbin/jk_socketd
> ------------------------
>
> This produces a group of daemonized processes:
> nobody   13659 13658  0 Apr18 ?        00:00:00 [jk_socketd]
>
>
> but I think that I had a much more elaborate script to
> {start|stop|restart} this daemon, something like:
>
>
> /etc/init.d/chroot_jail
> ------------------------
> #!/bin/bash
> # Debian-style init script for jailkit's jk_socketd daemon;
> # start-stop-daemon finds the running instance through its pidfile.
>
> case "$1" in
>   start)
>         echo -n "Starting Chroot Jail Server: chroot jail"
>         start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid \
>             --exec /usr/sbin/jk_socketd --
>         echo "."
>         ;;
>   stop)
>         echo -n "Stopping Chroot Jail Server: chroot jail"
>         start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/jk_socketd.pid
>         echo "."
>         ;;
>
>   restart)
>         echo -n "Restarting Chroot Jail Server: chroot jail"
>         start-stop-daemon --stop --quiet --oknodo --retry 30 \
>             --pidfile /var/run/jk_socketd.pid
>         start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid \
>             --exec /usr/sbin/jk_socketd --
>         echo "."
>         ;;
>
>   *)
>         echo "Usage: /etc/init.d/chroot_jail {start|stop|restart}"
>         exit 1
>         ;;
> esac
>
> exit 0
> ---------------------------------------
>
>
> Mark
>
>
> --- Andreas John <aj@net-lab.net> wrote:
> > Hi Mark!
> >
> > > You will need to run a special daemon (jk_socketd) to log users into the
> > > jail, but that is about the hardest part.  I'll post my startup script
> > > if you would like.
> >
> > Do I need the ssh-patch if I run this jk_socketd? Does it replace that
> > patch? It's pain in the ass to maintain an ssh package that is separate
> > from the debian tree.
> >
> > And yes - please post me that startup-script. Would be nice.
> >
> > Best regards and many penguins,
> > Andreas
> >
> >
> > -- 
> > Andreas John
> > net-lab GmbH
> > Luisenstrasse 30b
> > 63067 Offenbach
> > Tel: +49 69 85700331
> >
> > http://www.net-lab.net
> >
>
>

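Added example for this thread, not code from any of the posters: current OpenSSH (4.9 and later) can confine sftp users to a directory from sshd_config alone, with ChrootDirectory and the in-process sftp server, so the chrootssh patch is no longer needed. The group name "sftponly", the /srv/jail/<user> layout and the two function names are my assumptions, and the permission check relies on GNU stat.

```shell
#!/bin/sh
# Added example (not from the thread). Modern OpenSSH confines sftp users
# via ChrootDirectory plus internal-sftp; no patched sshd required.
# Assumptions: group "sftponly", jails under /srv/jail/<user>, GNU stat.

# Print the sshd_config fragment. Each matching user lands in their own
# jail and gets no shell, no port forwarding and no X11: sftp only.
sshd_fragment() {
    cat <<'EOF'
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/jail/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd refuses the chroot unless every component of ChrootDirectory is
# owned by root and is neither group- nor world-writable, because a user
# who can write the jail root can subvert the chroot. Checks one path and
# all of its parents; returns 0 if acceptable, 1 with a reason on stderr.
check_chroot_dir() {
    dir=$1
    while :; do
        [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
        set -- $(stat -c '%u %a' "$dir")            # owner uid, octal mode
        [ "$1" = 0 ] || { echo "not root-owned: $dir" >&2; return 1; }
        grp=$(printf '%s' "$2" | sed 's/.*\(.\).$/\1/')   # group digit
        oth=$(printf '%s' "$2" | sed 's/.*\(.\)$/\1/')    # others digit
        if [ $((grp & 2)) -ne 0 ] || [ $((oth & 2)) -ne 0 ]; then
            echo "writable by group or others: $dir" >&2; return 1
        fi
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Typical use, as root:
#   sshd_fragment >> /etc/ssh/sshd_config
#   check_chroot_dir /srv/jail/alice && sshd -t   # validate before reload
```

The user's writable area goes in a subdirectory of the jail (for example /srv/jail/alice/htdocs owned by alice), since the jail root itself must stay root-owned.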