chroot SSH users.
krad
kraduk at googlemail.com
Sun Dec 27 17:16:56 UTC 2009
2009/12/27 Marwan Sultan <dead_line at hotmail.com>
>
> Hello people,
>
> I'm on FreeBSD 7.2-R P5.
>
> It's easy to chroot ftp users: adding users to /etc/ftpchroot makes the
> job easy.
>
> How about if I want to chroot the SSH users (not ftp)?
>
> Any easy way? No need for jail installation or anything like this..
>
> I saw the sshd_config file and it has a ChrootDirectory but I'm not sure how to
> use it..
>
> Anyone? Any tips? Any easy way?
>
> Thank you
>
> -Marwan
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
Fairly easy if you read the man page 8) I wrote this howto for Sun boxes at
work but it was using OpenSSH so the same rules should apply. Make sure chroot
support was compiled in though.

1. Don't bother with Sun SSH, it won't work. OpenSolaris and later Solaris
   10 are bundled with OpenSSH though.

2. Make sure the OpenSSH version is 5 or above (some 4s do work but 5 is better).

3. Add these lines to sshd_config:

   # A Match block applies until the next Match or end of file, so put it after all global options
   Match Group sftponly
       ChrootDirectory /home/chroot/%u
       X11Forwarding no
       AllowTcpForwarding no
       ForceCommand internal-sftp

4. Make sure the Subsystem line is this:

   Subsystem sftp internal-sftp

5. Create the sftponly group on the system.

6. Put the relevant users in this group. Be careful as you will stop them
   being able to ssh in!!

7. Dead important this bit !!!

   mkdir -p /home/chroot/<user>/home/<user>/.ssh
   chown -R root /home/chroot/<user>
   # hand only the user's home inside the chroot to the user; sshd refuses a
   # ChrootDirectory (or any component above it) that is not owned by root
   chown -R <user> /home/chroot/<user>/home/<user>
   chmod -R 755 /home/chroot/<user> /home/chroot/<user>/home/<user>
   ln -s /home/chroot/<user>/home/<user> /home/.

8. Put their ssh keys in /home/chroot/<user>/home/<user>/.ssh

All should now work.

If not check /etc/shadow, the account might be locked, this just caught me
out :)