
RE: restricting sftp/ssh login access



Robert,

There has been extensive discussion on this topic on the ssh mailing lists.
Before going on the list I would highly recommend reading up, as this is a
fairly common topic and the developers have basically said they won't
provide this functionality; it is something that belongs in the OS or shell.
If you want it in ssh you can use the third-party patch.

I personally like the way the proftpd jails work, but I do agree with the
ssh developers that a chroot is not a real security method, more of a file
system abstraction in my opinion.  My more oblivious users find it
convenient but most of them wouldn't be using sftp anyways.

Cheers,

Ehren Wilson

> -----Original Message-----
> From: Robert Cates [mailto:robert@kormar.de]
> Sent: Monday, June 28, 2004 12:22 PM
> To: debian-isp@lists.debian.org
> Cc: Andreas John
> Subject: Re: restricting sftp/ssh login access
>
>
> Hi,
>
> I don't exactly like the idea of having to set up a "mini-system" in
> everybody's home dir, so maybe the Jailkit will be the answer.(?)  Somehow
> I'm a little surprised that the OpenSSH project hasn't provided this feature
> in SSH and sftp that I'm looking for.  Maybe somebody knows the reason why?
> I think my next e-mail will be to the OpenSSH project ;-)
>
> Thanks,
> Robert
> ----- Original Message -----
> From: "Andreas John" <lists@aj.net-lab.net>
> To: <debian-isp@lists.debian.org>
> Cc: "Robert Cates" <robert@kormar.de>
> Sent: Monday, June 28, 2004 2:28 PM
> Subject: Re: restricting sftp/ssh login access
>
>
> > Hi!
> >
> > 1.) Set the user's shell to /bin/false and add it to /etc/shells.
> > This will prevent ssh access for users, but allows ftp etc.
> >
> > But what you are asking for is that (I think)
> > 2.) http://chrootssh.sourceforge.net/index.php
> > Chroot your ssh for non-admin users by
> >   - patching ssh
> >   - replacing the user's homedir from /home/username/ to /home/username/./
> >     (sshd recognizes "/./" at the end of the homedir and chroots that user)
> >   - build a "mini-system" in the user's homedir (necessary!). I played around
> > with that but had not much success because I don't want to set up a
> > *real* whole system for every user, because I would run into "apt-ing"
> > probs. I had a look at busybox, which could solve that problem.
> > If anyone knows how this works (login-shell with busybox-static + basic
> > commands) please write a howto for me ;) !
> >
> > rgds,
> > Andreas
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> >
> >
>
>
>
>
>
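
Added example (not part of the original thread or of any project mentioned in it): a read-only audit that classifies passwd entries by the two restrictions Andreas describes, a /bin/false shell listed in /etc/shells and the chrootssh "/./" home-directory marker. The function name, status labels and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# audit_accounts PASSWD_FILE SHELLS_FILE
# Prints one "user status" line per account. Status labels are hypothetical:
#   chroot=DIR        home contains "/./" (chrootssh marker), DIR is the jail root
#   noshell-listed    shell is /bin/false and /bin/false is in the shells file
#   noshell-unlisted  shell is /bin/false but missing from the shells file
#   shell=PATH        ordinary login shell, no restriction from either method
audit_accounts() {
    awk -F: -v shells="$2" '
        BEGIN {
            # Load the valid-shell list, skipping blank lines and comments.
            while ((getline line < shells) > 0)
                if (line != "" && line !~ /^#/) valid[line] = 1
        }
        /^#/ || NF < 7 { next }          # skip comments and malformed entries
        {
            user = $1; home = $6; shell = $7
            marker = index(home, "/./")
            if (marker > 0) {
                # Everything before "/./" is the directory sshd would chroot to.
                printf "%s chroot=%s\n", user, substr(home, 1, marker - 1)
            } else if (shell == "/bin/false") {
                # No interactive login; services that consult the shells file
                # accept the account only when /bin/false is listed there.
                printf "%s %s\n", user, (shell in valid) ? "noshell-listed" : "noshell-unlisted"
            } else {
                printf "%s shell=%s\n", user, shell
            }
        }
    ' "$1"
}

# Constructed sample data (not real accounts), written to a temp directory.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
admin:x:1000:1000:Admin:/home/admin:/bin/bash
alice:x:1001:1001:Alice:/home/alice/./:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/false
EOF
printf '%s\n' '# valid login shells' /bin/sh /bin/bash /bin/false > "$SAMPLE_DIR/shells"

audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shells"
```

On a live system the same function can be pointed at /etc/passwd and /etc/shells; it only reads both files.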


