Chroot/jail mechanism in ssh and sftp connections

Derek Ragona derek at computinginnovations.com
Wed Apr 11 16:38:11 UTC 2007


At 11:20 AM 4/11/2007, Thiago Esteves de Oliveira wrote:
>Thanks for the suggestion. I intend to study this possible solution,
>but to save time I'd like to ask you some questions.
>
>With this software, can I control which accounts "from the unix passwd
>file" will be able to log in?

Yes, just set the shell to a non-login shell for users you don't want to
give shell access.  Typically I set those users' shell to:
/usr/bin/false


>If there is a symbolic link in the home directory (jail/chroot) that points
>to anywhere out of it, will the users be able to use this symlink? Will
>they go out from their jail/chroot directory this way?

You can actually specify what ftp commands are allowed in the vsftpd.conf file.
On one server I manage I have set:
cmds_allowed=PASV,RETR,QUIT,USER,PASS,STOR,CDDN,CWD,LIST,GET,PUT,DIR,PWD,SYST,LS,TYPE,DELE,FEAT,PBSZ,PROT

But you'd probably want to remove any symlinks that shouldn't be there.


>Derek Ragona wrote:
> > At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
> >>Hello,
> >>I want to use the chroot/jail mechanism in users' ssh and sftp
> >>connections. I've read some tutorials and possible solutions to
> >>jail/chroot the users into their own home directories. One is to
> >>install the openssh-portable (with the chroot option turned on) from
> >>the ports collection. I've installed the openssh-portable, but the
> >>jail/chroot mechanism didn't work. I think it requires some
> >>configuration in its sshd_config file, but I'm not sure because I have
> >>found nothing about jail/chroot in the openssh (sshd_config) man pages.
> >
> > I have implemented a similar setup using vsftpd from the ports.  It
> > works well for secure ftp when used with the filezilla client.  You can
> > limit the ftp commands in the vsftpd configuration file so users cannot
> > get out of their home directories, which chroots them there.  You do
> > need to add one thing to the accounts, which is to change their home
> > directory in /etc/passwd, adding an additional dot.  For instance, if a
> > user's home directory is:
> > /home/user
> >
> > You'd need to change it to:
> > /home/./user
> >
> > vsftpd is well documented and relatively easy to get set up and running.
> >
> >          -Derek
> >

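The reply above rests on three checks an administrator would want to verify on a box set up this way: that accounts without shell access really have a non-login shell, that every jailed account's home carries the `/./` split point vsftpd expects, and that no symlink inside a jail resolves to a path outside it. The following POSIX shell audit script is an added example written for this page; it is not code from the thread, from vsftpd, or from FreeBSD. It runs against a constructed passwd-format file and a constructed jail directory (built by `make_fixture`, so nothing on the real system is touched), assumes `readlink -f` is available, and treats `/usr/bin/false` from the reply plus the usual `nologin` paths as non-login shells (the extra paths are an assumption about the target system).

```shell
#!/bin/sh
# Audit helpers for a vsftpd-style per-user chroot (added example, not from the thread).
# Assumes: passwd-format input, a jail directory on local disk, and `readlink -f`.

# Shells that cannot give an interactive login. /usr/bin/false is the one named in
# the reply; the nologin paths are an assumption about where your system keeps them.
NOLOGIN_SHELLS="/usr/bin/false /bin/false /sbin/nologin /usr/sbin/nologin"

is_nologin_shell() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Print, one per line, users whose shell still permits an interactive login.
login_capable_accounts() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -z "$user" ] && continue
        is_nologin_shell "$shell" || printf '%s\n' "$user"
    done < "$1"
}

# Print users whose home directory lacks the "/./" split point (e.g. /home/./user)
# that the reply describes; vsftpd would not jail those accounts in that setup.
missing_chroot_marker() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -z "$user" ] && continue
        case "$home" in
            */./*) ;;
            *) printf '%s\n' "$user" ;;
        esac
    done < "$1"
}

# Print every symlink under the jail whose fully resolved target lies outside it
# (dangling links are reported too, since their target is unknown).
escaping_symlinks() {
    jail=$(readlink -f -- "$1") || return 1
    find "$jail" -type l | while read -r link; do
        target=$(readlink -f -- "$link" 2>/dev/null) || target=""
        case "$target" in
            "$jail"/*) ;;                                        # stays inside
            *) printf '%s -> %s\n' "$link" "${target:-<dangling>}" ;;
        esac
    done
}

# Build a constructed fixture: a sample passwd file and a small jail tree with
# one internal symlink and two symlinks that escape. Prints the fixture directory.
make_fixture() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:*:0:0:root:/root:/bin/sh
alice:*:1001:1001:Alice:/home/./alice:/usr/bin/false
bob:*:1002:1002:Bob:/home/./bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/usr/bin/false
EOF
    mkdir -p "$d/jail/alice/docs" "$d/outside"
    ln -s "$d/jail/alice/docs" "$d/jail/alice/docs-link"   # resolves inside the jail
    ln -s "$d/outside" "$d/jail/alice/escape"              # resolves outside the jail
    ln -s /etc/passwd "$d/jail/alice/passwd-link"          # absolute link outside the jail
    printf '%s\n' "$d"
}

run_demo() {
    f=$(make_fixture) || return 1
    echo "Accounts that can still log in interactively:"; login_capable_accounts "$f/passwd"
    echo "Accounts without the /./ chroot marker:";        missing_chroot_marker "$f/passwd"
    echo "Symlinks that resolve outside the jail:";        escaping_symlinks "$f/jail"
    rm -rf "$f"
}

run_demo
```

To audit a real host, point `login_capable_accounts` and `missing_chroot_marker` at `/etc/passwd` and `escaping_symlinks` at the directory the accounts are jailed under; `root` showing up in the first two lists is expected, since it is not an ftp account in this setup.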
