Chroot/jail mechanism in ssh and sftp connections

Thiago Esteves de Oliveira thiago at lamce.coppe.ufrj.edu.br
Wed Apr 11 18:12:48 UTC 2007


Thanks, I think this is the solution for the sftp connections using jail/chroot mechanism.

Derek Ragona wrote:
> At 11:20 AM 4/11/2007, Thiago Esteves de Oliveira wrote:
>>Thanks for the suggestion. I intend to study this possible solution,
>>but to save time I'd like to ask you some questions.
>>
>>With this software, can I control which accounts "from the unix passwd
>>file" will be able to log in?
>
> Yes, just set the shell to a non-login shell for users you don't want to
> give shell access.  Typically I set those users' shell to:
> /usr/bin/false
>
>
>>If there is a symbolic link in the home directory (jail/chroot) that points
>>to anywhere out of it, will the users be able to use this symlink? Will they
>>go out from their jail/chroot directory this way?
>
> You can actually specify what ftp commands are allowed in the vsftpd.conf
> file.  On one server I manage I have set:
> cmds_allowed=PASV,RETR,QUIT,USER,PASS,STOR,CDDN,CWD,LIST,GET,PUT,DIR,PWD,SYST,LS,TYPE,DELE,FEAT,PBSZ,PROT
>
> But you'd probably want to remove any symlinks that shouldn't be there.
>
>
>>Derek Ragona wrote:
>> > At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
>> >>Hello,
>> >>I want to use the chroot/jail mechanism in users' ssh and sftp
>> >>connections. I've read some tutorials and possible solutions to
>> >>jail/chroot the users into their own home directories. One is to
>> >>install the openssh-portable (with the chroot option turned on) from
>> >>the ports collection. I've installed the openssh-portable, but the
>> >>jail/chroot mechanism didn't work. I think it requires some
>> >>configuration in its sshd_config file, but I'm not sure because I have
>> >>found nothing about jail/chroot in the openssh (sshd_config) man pages.
>> >
>> > I have implemented a similar setup using vsftpd from the ports.  It
>> > works well for secure ftp when used with the filezilla client.  You
>> > can limit the ftp commands in the vsftpd configuration file so users
>> > cannot get out of their home directories, which chroots them there.
>> > You do need to add one thing to the accounts, which is to change their
>> > home directory in /etc/passwd, adding an additional dot.  For instance,
>> > if a user's home directory is:
>> > /home/user
>> >
>> > You'd need to change it to:
>> > /home/./user
>> >
>> > vsftpd is well documented and relatively easy to get set up and running.
>> >
>> >          -Derek
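Added example (not part of the thread, nor vsftpd's own tooling): a POSIX sh audit of the two account-side pieces Derek describes, the non-login shell and the /./ chroot marker in the /etc/passwd home field (which vsftpd acts on when chroot_local_user=YES and passwd_chroot_enable=YES are set in vsftpd.conf), plus a check for symlinks inside a jail directory that resolve outside it, the case Thiago asks about. The passwd entries are constructed sample data; the function names are mine.

```sh
#!/bin/sh
# Added example: audit the account-side parts of the vsftpd chroot setup
# described in the thread. Each ftp-only account should have a non-login
# shell and a "/./" chroot marker in its /etc/passwd home field (honoured by
# vsftpd when chroot_local_user=YES and passwd_chroot_enable=YES).
# The passwd entries below are constructed sample data, not a real system.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/./alice:/usr/bin/false
bob:*:1002:1002:Bob:/home/bob:/usr/bin/false
carol:*:1003:1003:Carol:/home/./carol:/bin/sh'

# audit_passwd PASSWD_TEXT: prints "user:OK" for each non-system account
# that has both protections, otherwise "user:<what is missing>".
audit_passwd() {
    printf '%s\n' "$1" | while IFS=: read -r user pw uid gid gecos home shell; do
        [ "$uid" -lt 1000 ] && continue        # skip system accounts
        problems=""
        case "$shell" in
            /usr/bin/false|/usr/sbin/nologin) ;;
            *) problems="$problems login-shell" ;;
        esac
        case "$home" in
            */./*) ;;
            *) problems="$problems no-chroot-marker" ;;
        esac
        if [ -z "$problems" ]; then
            printf '%s:OK\n' "$user"
        else
            printf '%s:%s\n' "$user" "${problems# }"
        fi
    done
}

# find_escaping_symlinks DIR: lists symlinks under DIR whose resolved target
# lies outside DIR. Once chroot()ed, such links simply dangle for the jailed
# user, but Derek's advice to remove them is still the cleaner state.
find_escaping_symlinks() {
    root=$(cd "$1" && pwd -P) || return 1     # canonical path of the jail
    find "$root" -type l | while read -r link; do
        target=$(readlink -f -- "$link") || continue
        case "$target" in
            "$root"/*) ;;
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

audit_passwd "$SAMPLE_PASSWD"
```

On a live system, feed it `audit_passwd "$(cat /etc/passwd)"` and `find_escaping_symlinks /home/user` for each jailed account.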

More information about the freebsd-questions mailing list