Limiting SSH access

Chris Rees utisoft at gmail.com
Wed May 4 15:47:35 UTC 2011


On 4 May 2011 16:27, "krad" <kraduk at gmail.com> wrote:
>
> On 4 May 2011 12:47, Balázs Mátéffy <repcsike at gmail.com> wrote:
>
> > On 4 May 2011 13:35, Matthew Seaman <m.seaman at infracaninophile.co.uk>
> > wrote:
> >
> > > On 04/05/2011 10:08, Jack Raats wrote:
> > > > I have a question concerning SSH on a FreeBSD 7.4-STABLE server.
> > > >
> > > > Is it possible to limit the SSH access?
> > > > I want to restrict a user to his own home directory.
> > > > So that if he connects to the server with SSH he only can go to his own
> > > > home dir.
> > > > Also the same for sftp...
> > > >
> > >
> > > I believe you will need to install a version of OpenSSH from ports to
> > > get that functionality.  It's the CHROOT config option in
> > > security/openssh-portable
> > >
> > >        Cheers
> > >
> > >        Matthew
> > >
> > > --
> > > Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
> > >                                                  Flat 3
> > > PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> > > JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
> > >
> > >
> > Hello,
> >
> > It should work with the base openssh on 7.4. Check your version with
> > sshd -v.
> > Here, search for chroot (or use google :)):
> > http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
> >
> > Regarding ssh login, I usually use "rbash" from the ports, that
> > restricts the user from leaving his or her home directory!
> >
> > Regards,
> >
> > Balazs Mateffy.
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "
> > freebsd-questions-unsubscribe at freebsd.org"
> >
>
> If you want them to be able to get a shell other than an sftp prompt then you
> will have to go for the rbash option. If you chroot the shell to their home
> dir they won't have access to any system binaries so won't be able to 'ls',
> for example.
>
> Having said that, you could build a tree of all the binaries they need along
> with all the dependent libraries. This would get a bit cumbersome and
> wasteful of disk space for lots of users though. You might be better off
> with jails.
>

Or you could have a special /bin-restricted that you nullfs mount into
~userN/bin.

Chris

