Chroot/jail mechanism in ssh and sftp connections
Derek Ragona
derek at computinginnovations.com
Wed Apr 11 16:38:11 UTC 2007
At 11:20 AM 4/11/2007, Thiago Esteves de Oliveira wrote:
>Thanks for the suggestion. I intend to study this possible solution,
>but to save time I'd like to ask you some questions.
>
>With this software, can I control which accounts "from the unix passwd
>file" will be able to log in?
Yes, just set the shell to a non-login shell for users you don't want to
give shell access. Typically I set those users' shell to:
/usr/bin/false
>If there is a symbolic link in the home directory (jail/chroot) that points
>to anywhere out of it, will the users be able to use this symlink? Will they
>go out from their jail/chroot directory this way?
You can actually specify which ftp commands are allowed in the vsftpd.conf file.
On one server I manage I have set:
cmds_allowed=PASV,RETR,QUIT,USER,PASS,STOR,CDDN,CWD,LIST,GET,PUT,DIR,PWD,SYST,LS,TYPE,DELE,FEAT,PBSZ,PROT
But you'd probably want to remove any symlinks that shouldn't be there.
>Derek Ragona wrote:
> > At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
> >>Hello,
> >>I want to use the chroot/jail mechanism in users' ssh and sftp
> >>connections. I've read some tutorials and possible solutions to jail/chroot
> >>the users into their own home directories. One is to install the
> >>openssh-portable (with chroot option turned on) from the ports collection.
> >>I've installed the openssh-portable, but the jail/chroot mechanism didn't
> >>work. I think it requires some configuration in its sshd_config file, but
> >>I'm not sure because I have found nothing about jail/chroot in the
> >>openssh (sshd_config) man pages.
> >
> > I have implemented a similar setup using vsftpd from the ports. It
> > works well for secure ftp when used with the filezilla client. You can
> > limit the ftp commands in the vsftpd configuration file so users cannot
> > get out of their home directories, which chroots them there. You do need
> > to add one thing to the accounts, which is to change their home directory
> > in /etc/passwd, adding an additional dot. For instance, if a user's home
> > directory is:
> > /home/user
> >
> > You'd need to change it to:
> > /home/./user
> >
> > vsftpd is well documented and relatively easy to get set up and running.
> >
> > -Derek
> >
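The thread relies on two per-account settings: the `/./` marker in the passwd home field, which vsftpd uses as the jail point (in vsftpd this takes effect with `chroot_local_user=YES` and `passwd_chroot_enable=YES`), and a non-login shell such as `/usr/bin/false` for accounts that must never get ssh access. The script below is an added example, not code from the list post or from the vsftpd project: a small audit that flags accounts missing either setting, so drift in /etc/passwd shows up before a user does. The sample passwd lines are constructed; the `audit_passwd`, `count_findings` names and the uid cutoff are my own choices. One caveat worth checking on the real server: vsftpd's `check_shell` option (non-PAM builds) refuses logins for users whose shell is not listed in /etc/shells, so ftp-only accounts may need `/usr/bin/false` added there. As for the symlink question, a link inside the jail is resolved relative to the chroot root, so a target outside it becomes dangling rather than an escape route; the audit therefore concentrates on the passwd entries.

```shell
#!/bin/sh
# Added audit example (not from the mailing-list thread): check passwd-style
# entries for the two things Derek's vsftpd setup depends on:
#   1. the "/./" marker in the home directory (vsftpd passwd_chroot_enable jail point)
#   2. a non-login shell (false/nologin) so the account cannot open an ssh session

# Constructed sample entries. On a real host: audit_passwd "$(cat /etc/passwd)"
SAMPLE_PASSWD='alice:*:1001:1001:Alice:/home/./alice:/usr/bin/false
bob:*:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/./carol:/bin/csh
root:*:0:0:Root:/root:/bin/csh'

# audit_passwd PASSWD_TEXT [MIN_UID]
# Prints "<user>: <problem>..." for every account with uid >= MIN_UID
# (default 1000, i.e. ordinary users) that lacks the /./ jail marker or
# still has an interactive shell. Prints nothing when all are restricted.
audit_passwd() {
  printf '%s\n' "$1" | awk -F: -v min_uid="${2:-1000}" '
    $3 >= min_uid {
      problems = ""
      # vsftpd derives the chroot point from the /./ in the home field
      if (index($6, "/./") == 0)
        problems = problems " no-chroot-marker"
      # anything other than false or nologin lets the user log in over ssh
      if ($7 !~ /\/(false|nologin)$/)
        problems = problems " login-shell(" $7 ")"
      if (problems != "")
        print $1 ":" problems
    }'
}

# count_findings PASSWD_TEXT [MIN_UID]: number of flagged accounts,
# convenient as a cron job exit status or monitoring metric.
count_findings() {
  audit_passwd "$1" "$2" | wc -l | tr -d ' '
}

audit_passwd "$SAMPLE_PASSWD"
```

Run against the sample, `audit_passwd` reports bob (no marker and /bin/sh) and carol (/bin/csh) and stays silent on alice; passing a uid cutoff of 0 also pulls in root, which is expected to fail both checks and is there to show why the default skips system accounts.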