Chroot/jail mechanism in ssh and sftp connections
derek at computinginnovations.com
Wed Apr 11 16:38:11 UTC 2007
At 11:20 AM 4/11/2007, Thiago Esteves de Oliveira wrote:
>Thanks for the suggestion. I intend to study about this possible solution
>but to save time I'd
>like to ask you some questions.
>With this software, can I control which accounts "from the unix passwd
>file" will be able to log in?
Yes just set the shell to a non-login shell for users you don't want to
give shell access. Typically I set those user's shell to:
>If there is a symbolic link in the home directory(jail/chroot) that point
>to anywhere out of it,
>will the users be able to use this symlink? Will they go out from their
>jail/chroot directory this
You can actually specify what ftp commands are allowed in the vsftpd.conf file
in one server I manage I have set:
But you'd probably want to remove any symlinks that shouldn't be there.
>Derek Ragona wrote:
> > At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
> >>I want to use the chroot/jail mechanism in user's ssh and sftp
> >>connections. I've read some
> >>tutorials and possible solutions to jail/chroot the users into their
> own home directories. One
> >>to install the openssh-portable(with chroot option turned on) from the
> ports collection. I've
>installed the openssh-portable, but the jail/chroot mechanism didn't work.
>I think it requires
>some configuration in its sshd_config file, but I'm not sure because I
>have found nothing about
>jail/chroot in the openssh(sshd_config) man pages.
> > I have implemented a similar setup using vsftpd from the ports. It
> works well for secure ftp
>when used with the filezilla client. You can limit the ftp command in the
>file so users cannot get out of their home directories, which chroots them
>there. You do need to
>add one thing to the accounts, which is to change their home directory in
>/etc/passwd adding an
>additional dot. For instance if a users home directory is:
> > /home/user
> > You'd need to change it to:
> > /home/./user
> > vsftpd is well documented and relatively easy to get setup and running.
> > -Derek
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
More information about the freebsd-questions