security/openssh-portable
Jerry McAllister
jerrymc at msu.edu
Tue Mar 11 22:18:34 UTC 2008
On Tue, Mar 11, 2008 at 06:08:44PM -0400, Philip M. Gollucci wrote:
> Hi,
>
> I'm setting up a 'chrooted' SFTP only set of users:
>
> /etc/make.conf:
> .if ${.CURDIR:M*/usr/ports/security/openssh-portable*}
> WITH_SUID_SSH =yes
> WITH_OPENSSH_CHROOT =yes
> WITH_HPN =yes
> WITH_OVERWRITE_BASE =yes
> .endif
>
> /etc/rc.conf:
> sshd_enable="NO"
> openssh_enable="YES"
>
> /etc/passwd:
> user:*:3000:3000::0:0:F L:/foo/./user:/bin/sh
>
> Access will be with ssh dsa keys only.
>
> What is the best way to make this SFTP only and not SSH?
> 1).ssh/authorization?
> 2) change user's shell to /usr/local/libexec/sftp-server
> 3) change user's shell to a custom C wrapper around [2]
> 4) a combination of them
The usual thing is make the shell /bin/nologin
////jerry
>
> --
> ------------------------------------------------------------------------
> Philip M. Gollucci (philip at ridecharge.com)
> o:703.549.2050x206
> Senior System Admin - Riderway, Inc.
> http://riderway.com / http://ridecharge.com
> 1024D/EC88A0BF 0DE5 C55C 6BF3 B235 2DAB B89E 1324 9B4F EC88 A0BF
>
> Work like you don't need the money,
> love like you'll never get hurt,
> and dance like nobody's watching.
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
More information about the freebsd-questions
mailing list