Re: [off-topic?] Chrooting ssh/telnet users?
On Fri, 26 Oct 2001, Rishi L Khan wrote:
> Set the shell for the user in /etc/passwd to a script that chroots and
> then spawns a shell.
That is very difficult to do. Chroot can only be run by root.
> On Fri, 26 Oct 2001, Javier Fernández-Sanguino Peña wrote:
> > I have been asked for this and I was trying to figure out how to do it
> > (would document it later on in the Securing-Debian-Manual). So please,
> > excuse me if you feel this is off-topic.
> > The problem is, how can an admin restrict remote access from a given user
> > (through telnet and/or sshd) in order to limit his "moves" inside the
> > operating system.
> > Chrooting the daemon is a possibility, but it's not tailored on a per-user
> > basis but globally to all users (besides, you need all the tools that users
> > might want to use in the jail). I'm looking more into a jailed environment
> > like proftpd's when you set "DefaultRoot ~" (jails the user into his home
> > directory but he's able to use all commands, without having to set up all
> > the libraries in it).
> > AFAIK, pam only allows limiting some user accesses (cores, memory
> > limits...), not users' "movement" in the OS.
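
Added example, not part of the thread: a script used as a login shell runs with the user's own uid, so its chroot call fails, and Linux ignores the setuid bit on scripts; a small setuid-root C wrapper set as the shell in /etc/passwd is one way to get the chroot-then-shell behaviour discussed above. Assumptions: the /var/jail/<user> layout, the function names jail_dir_ok and enter_jail, and installation as a root-owned mode 4755 binary are all illustrative.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes chroot() and setgroups() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Jail root must be a real directory, owned by root, not group/world writable. */
int jail_dir_ok(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return st.st_uid == 0 && !(st.st_mode & (S_IWGRP | S_IWOTH));
}

/* chroot first (needs root), then drop root for good. 0 on success, -1 + errno. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (!jail_dir_ok(jail)) { errno = EACCES; return -1; }
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(1, &gid) != 0) return -1;            /* clear supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; } /* root must be gone */
    return 0;
}

int main(void)
{
    char jail[4096];
    struct passwd *pw = getpwuid(getuid());   /* real uid: the user who logged in */
    if (pw == NULL) { fputs("unknown user\n", stderr); return 1; }
    /* Assumed layout: the admin prepares /var/jail/<user> with /bin/sh and its libs. */
    if (snprintf(jail, sizeof jail, "/var/jail/%s", pw->pw_name) >= (int)sizeof jail)
        return 1;
    if (enter_jail(jail, pw->pw_uid, pw->pw_gid) != 0) { perror("enter_jail"); return 1; }
    char *const argv[] = { "-sh", NULL };     /* leading '-' marks a login shell */
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL };   /* fixed, minimal environment */
    execve("/bin/sh", argv, envp);
    perror("execve");
    return 1;
}
```

The jail still has to contain /bin/sh and every library and tool the user needs, which is the setup cost the original question wanted to avoid.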