Re: restricting sftp/ssh login access
On Mon, Jun 28, 2004 at 08:21:31PM +0200, Robert Cates wrote:
>I don't exactly like the idea of having to set up a "mini-system" in
>everybody's home dir, so maybe the Jailkit will be the answer.(?) Somehow
>I'm a little surprised that the OpenSSH project hasn't provided this feature
>in SSH and sftp that I'm looking for. Maybe somebody knows the reason why?
>I think my next e-mail will be to the OpenSSH project ;-)

proftp will allow chroot access to each user's home dir.
You can do that and/or give ssh/sftp restricted access with group
All remote ssh/sftp users get a gid of 'jail', then all directories and
executables they cannot have access to get set gid 'jail' with mode 705,
individual no-access files get gid 'jail' with mode 604.
Then they can use regular system files to login etc but when they try to
access /usr/sbin or some files in /usr/bin as gid 'jail' they are denied
access because mode 705 blocks members of the group but not the User and
Other permissions, so regular system operations work.
I just made that up. There will probably be some quirks to work out, I
would suggest making a script to back up existing modes/gid and restore
custom or default perms. 'id' and 'find -printf' are your friends.

George Georgalis, Architect and administrator, Linux services. IXOYE
http://galis.org/george/ cell:646-331-2027 mailto:email@example.com
Key fingerprint = 5415 2738 61CF 6AE1 E9A7 9EF0 0186 503B 9831 1631
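
The backup-and-restore script suggested in the message above, as an added example (not code from the original post or from any project it mentions). It assumes GNU find, handles only the paths listed rather than recursing, and uses hypothetical function names; on real system paths it needs root and an existing 'jail' group.

```shell
#!/bin/sh
# Added example: snapshot, apply and undo the gid 'jail' / 705 / 604 scheme.
# Assumptions: GNU find (-printf, -perm /111); no newlines in path names.

# save_perms MANIFEST PATH...
# Record "octal-mode numeric-gid path" for each listed path (no recursion).
# %m includes setuid/setgid/sticky bits, so 4755 is stored as 4755.
save_perms() {
    manifest=$1; shift
    # Symlinks are skipped: chmod/chgrp would act on the link target instead.
    find "$@" -maxdepth 0 ! -type l -printf '%m %G %p\n' > "$manifest"
}

# apply_jail GROUP PATH...
# Directories and executables get GROUP with mode 705 (group bits cleared),
# other regular files get GROUP with mode 604. Anything else is left alone.
apply_jail() {
    group=$1; shift
    for p in "$@"; do
        [ -L "$p" ] && continue
        if [ -d "$p" ] || [ -n "$(find "$p" -maxdepth 0 -type f -perm /111)" ]; then
            mode=705
        elif [ -f "$p" ]; then
            mode=604
        else
            continue
        fi
        chgrp "$group" "$p" && chmod "$mode" "$p" || return 1
    done
}

# restore_perms MANIFEST
# Put back the recorded gid and mode. chgrp runs first because changing the
# group can clear setuid/setgid bits, which the following chmod restores.
restore_perms() {
    while read -r mode gid path; do
        chgrp "$gid" "$path" && chmod "$mode" "$path" || return 1
    done < "$1"
}
```

The scheme works because the permission check uses only the first class that matches (owner, then group, then other), so a member of 'jail' is judged by the cleared group bits even though "other" keeps r-x.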