[gentoo-user] Setting up sftp and user permissions
Hi All, I have a desktop box which I am starting to use as a LAN server. I created a new user and noticed that: a) The new user is asked to login with passwd as opposed to pubkey. This is surprising as (I thought) that I had set up sshd_config to allow pubkey authentication only - need to check this again when I get home. Other than a misconfigured sshd_config could it be anything else that causes this? b) Once logged in via sftp the new user can read and access other users files. This is because the default permission setting for /home/%u/ is 0644 (rw-r--r--). Is there a clever way of tightening this down without messing up all home file and directory permissions indiscriminately? I understand that there are many ways to skin a cat - in this case to contain somewhat what a plain user can and cannot do when they log in via sftp. Some ideas that I have across are to use a limited shell like rssh, use an ssh chroot, modify the umask for user directories. I am interested to find out what you might have tried and what you would recommend. -- Regards, Mick signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] Setting up sftp and user permissions
a) The new user is asked to login with passwd as opposed to pubkey. This is surprising as (I thought) that I had set up sshd_config to allow pubkey authentication only - need to check this again when I get home. Other than a misconfigured sshd_config could it be anything else that causes this? If you want to disable password based logons, and only use shared keys, then change UsePAM yes to UsePAM no. b) Once logged in via sftp the new user can read and access other users files. This is because the default permission setting for /home/%u/ is 0644 (rw-r--r--). Is there a clever way of tightening this down without messing up all home file and directory permissions indiscriminately? chmod 700 /home/* I understand that there are many ways to skin a cat - in this case to contain somewhat what a plain user can and cannot do when they log in via sftp. Some ideas that I have across are to use a limited shell like rssh, use an ssh chroot, modify the umask for user directories. I am interested to find out what you might have tried and what you would recommend. If you're that worried about them having shell access, then don't use sftp. Use encrypted ftp (ftp + tls ... pureftpd provides this) for file transfers, or even webdav over https. -Sean -- [EMAIL PROTECTED] mailing list
Re: [gentoo-user] Setting up sftp and user permissions
Mick writes: I understand that there are many ways to skin a cat - in this case to contain somewhat what a plain user can and cannot do when they log in via sftp. Some ideas that I have across are to use a limited shell like rssh, use an ssh chroot, modify the umask for user directories. I am using net-misc/scponly, a tiny pseudoshell which only permits scp and sftp. http://www.sublimation.org/scponly/ Alex -- [EMAIL PROTECTED] mailing list