chroot-ing users coming in via SSH and/or SFTP?
Nigel Houghton
nigel at sourcefire.com
Mon Dec 20 13:27:26 PST 2004
On 0, Brett Glass <brett at lariat.org> allegedly wrote:
> A client wants me to set up a mechanism whereby his customers can drop files
> securely into directories on his FreeBSD server; he also wants them to be
> able to retrieve files if needed. The server is already running OpenSSH,
> and he himself is using Windows clients (TeraTerm and WinSCP) to access it,
> so the logical thing to do seems to be to have his clients send and receive
> files via SFTP or SCP.
>
> The users depositing files on the server shouldn't be allowed to see what
> one another are doing or to grope around on the system, so it'd be a good
> idea to chroot them into home directories, as is commonly done with FTP.
>
> However, OpenSSH (or at least FreeBSD's version of it) doesn't seem to have a
> mechanism that allows users doing SSH, SCP, or SFTP to be chroot-ed into a
> specific directory. What is the most effective and elegant way to do this? I've
> seen some crude patches that allow you to put a /. in the home directory specified
> in /etc/passwd, but these are specific to versions of the "portable" OpenSSH
> and none of the diffs seem to match FreeBSD's files exactly.
>
> --Brett
Is there something wrong with using the scponly shell for the users?
It is available in ports and at http://www.sublimation.org/scponly/
+-----------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
Stewie: You know, I rather like this God fellow. Very theatrical,
you know. Pestilence here, a plague there. Omnipotence
...gotta get me some of that.
More information about the freebsd-security
mailing list