
RE: restricting sftp/ssh login access



The cleanest way I have found was using rssh.  All you do is change the
shell to /usr/bin/rssh.  The only issue I have with it is that to jail them
to their home directory you need a separate chroot for each folder of the
following.  I jailed the /home folder and thus only need one jail; if you
want each user to be jailed to ~/ as /, then you need a separate jail for
each user, through copying or linking the files.


Ehren Wilson

jail components:
./etc
./etc/ld.so.cache
./etc/ld.so.conf
./usr
./usr/bin
./usr/bin/scp
./usr/lib
./usr/lib/i686
./usr/lib/i686/cmov
./usr/lib/i686/cmov/libcrypto.so.0.9.7
./usr/lib/libz.so.1
./usr/lib/rssh
./usr/lib/rssh/rssh_chroot_helper
./usr/lib/sftp-server
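Added example (not part of Ehren's message or of rssh itself): a POSIX shell helper that checks a /home-style rssh jail for the components listed above and populates it by resolving each binary's shared libraries with ldd rather than hard-coding architecture-specific paths such as /usr/lib/i686/cmov. The function names, the ldd/ldconfig usage and the writability check are my assumptions about how one would build and audit such a jail; the component paths come from the list above.

```shell
#!/bin/sh
# Added example, not from the original post: check and populate an rssh
# chroot jail laid out like the /home jail described above.

# Components the post lists inside the jail, relative to the jail root
# (the libcrypto path is architecture-specific, so it is resolved via ldd).
REQUIRED_COMPONENTS="etc/ld.so.cache etc/ld.so.conf usr/bin/scp usr/lib/libz.so.1 usr/lib/rssh/rssh_chroot_helper usr/lib/sftp-server"

# Report missing components and any file under etc/ or usr/ that a non-owner
# could write. A jailed user who can replace ld.so.cache or a library inside
# the jail controls what the jailed scp/sftp-server load, so these must stay
# root-owned and read-only for the jailed accounts. Returns 1 on any problem.
check_jail() {
    jail="$1"; problems=0
    for c in $REQUIRED_COMPONENTS; do
        if [ ! -e "$jail/$c" ]; then
            echo "missing: $jail/$c"
            problems=$((problems + 1))
        fi
    done
    for w in $(find "$jail/etc" "$jail/usr" \( -perm -002 -o -perm -020 \) 2>/dev/null); do
        echo "writable by group/other: $w"
        problems=$((problems + 1))
    done
    [ "$problems" -eq 0 ]
}

# Copy one binary into the jail together with the shared libraries ldd
# reports for it, so library paths are never hard-coded. Run as root.
install_into_jail() {
    jail="$1"; bin="$2"
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    ldd "$bin" | awk '/=> \// {print $3} /^[[:space:]]*\// {print $1}' |
    while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# Rebuild the jail's own etc/ld.so.cache from its etc/ld.so.conf so the
# copied binaries find the copied libraries (glibc ldconfig -r ROOT).
refresh_ld_cache() {
    ldconfig -r "$1"
}

if [ "$#" -eq 1 ]; then
    check_jail "$1"
fi
```

Typical use is `install_into_jail /home /usr/bin/scp` and the same for sftp-server, then `refresh_ld_cache /home` and `check_jail /home`.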

> -----Original Message-----
> From: Robert Cates [mailto:robert@kormar.de]
> Sent: Monday, June 28, 2004 11:54 AM
> To: debian-isp@lists.debian.org
> Cc: Andreas John; MB; hiren@obsidian.co.za
> Subject: Re: restricting sftp/ssh login access
>
>
> Hi, and thanks for the quick replies!
> Just to be a bit clearer in what I'm asking: I would like to be able to
> allow my customers to access their accounts (update their web sites) with
> sftp which as I understand it is an extension to (Open)SSH, and
> not FTP.  I
> know for example that the Windows application - WS_FTP Pro - has an option
> to use sftp/ssh on port 22 and when I tested it, I landed way up at root
> "/".  So, I'd like to be able to allow secure access, but with an
> ftp client
> like WS_FTP Pro using sftp, and not a Secure SHell.  I have my
> server setup
> so that the customer can use SSH to change their password, and that's all
> they can do with SSH.
>
> Is there nothing in the ssh_config or sshd_config which can be set to
> restrict sftp access to a designated directory?
>
> It seems to me that the patched OpenSSH way that Hiren pointed out is
> workable - http://chrootssh.sourceforge.net/docs/chrootedsftp.html but I'm
> open to other maybe better ways.
>
> Thanks again,
> Robert
> ----- Original Message -----
> From: "MB" <sparkynine@yahoo.com>
> To: "Andreas John" <aj@net-lab.net>
> Cc: <debian-isp@lists.debian.org>
> Sent: Monday, June 28, 2004 6:47 PM
> Subject: Re: restricting sftp/ssh login access
>
>
> > John,
> >
> > First off, I make a small mistake, the package I used was "jailkit",
> > from either:
> >
> > http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
> > or
> > http://freshmeat.net/projects/jailkit/
> >
> > It has tons of documentation to help you create a jailed environment,
> > including loading your jail with whatever executables needed.
> >
> > Looks like I simplified my script to one line:
> >
> > -----------------------
> > #!/bin/bash
> >
> > /usr/sbin/jk_socketd
> > ------------------------
> >
> > This produces a group of daemonized processes:
> > nobody   13659 13658  0 Apr18 ?        00:00:00 [jk_socketd]
> >
> >
> > but I think that I had a much more elaborate script to
> > {start|stop|restart} this daemon, something like:
> >
> >
> > /etc/init.d/chroot_jail
> > ------------------------
> > #!/bin/bash
> >
> > case "$1" in
> >   start)
> >         echo -n "Starting Chroot Jail Server: chroot jail"
> >         start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
> >         echo "."
> >         ;;
> >   stop)
> >         echo -n "Stopping Chroot Jail Server: chroot jail"
> >         start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/jk_socketd.pid
> >         echo "."
> >         ;;
> >
> >   restart)
> >         echo -n "Restarting Chroot Jail Server: chroot jail"
> >         start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/jk_socketd.pid
> >         start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
> >         echo "."
> >         ;;
> >
> >   *)
> >         echo "Usage: /etc/init.d/chroot_jail {start|stop|restart}"
> >         exit 1
> >         ;;
> > esac
> >
> > exit 0
> > ---------------------------------------
> >
> >
> > Mark
> >
> >
> > --- Andreas John <aj@net-lab.net> wrote:
> > > Hi Mark!
> > >
> > > > You will need to run a special daemon (jk_socketd) to log users
> > > > into the jail, but that is about the hardest part.  I'll post my
> > > > startup script if you would like.
> > >
> > > Do I need the ssh-patch if I run this jk_socketd? Does it replace
> > > that patch? It's a pain in the ass to maintain an ssh package that
> > > is separate from the debian tree.
> > >
> > > And yes - please post me that startup-script. Would be nice.
> > >
> > > Best regards and many penguins,
> > > Andreas
> > >
> > >
> > > --
> > > Andreas John
> > > net-lab GmbH
> > > Luisenstrasse 30b
> > > 63067 Offenbach
> > > Tel: +49 69 85700331
> > >
> > > http://www.net-lab.net
> > >
