[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: restricting sftp/ssh login access

On Mon, Jun 28, 2004 at 08:21:31PM +0200, Robert Cates wrote:
>I don't exactly like the idea of having to setup a "mini-system" in
>everybodies home dir, so maybe the Jailkit will be the answer.(?)  Somehow
>I'm a little surprised that the OpenSSH project hasn't provided this feature
>in SSH and sftp that I'm looking for.  Maybe somebody knows the reason why?
>I think my next e-mail will be to the OpenSSH project ;-)

proftp will allow chroot access to each users home dir.

you can do that and/or give ssh/sftp restricted access with group

all remote ssh/sftp users get a gid of 'jail' then all directories and
executables they cannot have access to get set gid 'jail' with mode 705,
individual no access files get gid 'jail' with mode 604.

Then they can use regular system files to login etc but when they try to
access /usr/sbin or some files in /usr/bin as gid 'jail' they are denied
access because mode 705 blocks members of the group but not the User and
Other permissions, so regular system operations work.

I just made that up. There will probably be some quirks to work out, I
would suggest making a script to backup existing modes/gid and restore
custom or default perms. 'id' and 'find -printf' are your friends.

// George

George Georgalis, Architect and administrator, Linux services. IXOYE
http://galis.org/george/  cell:646-331-2027  mailto:george@galis.org
Key fingerprint = 5415 2738 61CF 6AE1 E9A7  9EF0 0186 503B 9831 1631

Reply to: