I use the OpenSSH user chroot patch, here:
http://sourceforge.net/projects/chrootssh/
and it works like a charm. It uses a magic token in the user's home dir path
in passwd - so users' home dirs become:
/path/to/chroot/base/./path/to/user/home
We combine it with the 'scponly' shell to provide scp upload services for
1400+ students on a web server, chrooted into the base home dir to keep them
from wandering around in the system.
It's relatively painless to set up the chroot env in this way - users can only
ever see other user data, and we control that with file permissions
and posix ACLs. Chroot gets a little less attractive if you want every user in
their own individual jail.
-m
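
The home-directory convention described above, as an added example that is not part of the original post or of the chrootssh patch: a Python audit of passwd entries that splits each home path at the `/./` token and flags accounts that deviate from the scponly-plus-chroot setup. The sample accounts, the `/usr/bin/scponly` path and the policy checks are assumptions made for illustration.

```python
from typing import NamedTuple, Optional

CHROOT_TOKEN = "/./"  # assumption: the token is the "/./" seen in the path above

# Constructed sample passwd lines; the names, UIDs and paths are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice:/home/jail/./students/alice:/usr/bin/scponly
bob:x:1002:100:Bob:/home/students/bob:/usr/bin/scponly
carol:x:1003:100:Carol:/home/jail/./students/../../etc:/usr/bin/scponly
dave:x:1004:100:Dave:/home/jail/./students/dave:/bin/bash
"""

class Finding(NamedTuple):
    user: str
    chroot_base: Optional[str]
    jail_home: Optional[str]
    issues: list

def split_home(home):
    """Return (chroot_base, home_inside_jail), or (None, None) if no token."""
    base, token, rest = home.partition(CHROOT_TOKEN)
    if not token:
        return None, None
    return base or "/", "/" + rest.lstrip("/")

def audit(passwd_text, restricted_shells=("/usr/bin/scponly",)):
    """Report chrooted accounts and accounts that break the assumed policy."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue  # skip comments and malformed entries
        user, home, shell = fields[0], fields[5], fields[6]
        base, jail_home = split_home(home)
        issues = []
        if shell in restricted_shells and base is None:
            issues.append("restricted shell but no chroot token")
        if base is not None and shell not in restricted_shells:
            issues.append("chrooted but shell is not restricted")
        if jail_home and ".." in jail_home.split("/"):
            issues.append("'..' component in jail home")
        if base is not None or issues:
            findings.append(Finding(user, base, jail_home, issues))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD):
        print(f.user, f.chroot_base, f.jail_home, "; ".join(f.issues) or "ok")
```
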
On Wed, Apr 14, 2004 at 08:30:27AM -0700, Fargusson.Alan wrote:
> Restricting the cd command isn't that useful, since it does not prevent the user
> from accessing any files by specifying the full pathname. I have found that users
> get around the restricted shell environments, so I don't use them. What works best
> for me is to make sure that all the file permissions are set up so only the users I
> want to access a file can access it.
>
> It sounds like a chrooted environment is what you are looking for. I have found
> this to be more work than it is worth for me.
>
> -----Original Message-----
> From: Monteleone [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 14, 2004 3:18 AM
> To: [EMAIL PROTECTED]
> Subject: SSH limited access
>
>
> Hello,
>
> Is there a way to limit a user's access through SSH to his home directory?
>
> I just want to give him the possibility to do a CD on his
> subdirectories.
>
> I saw something about rbash and think the only solution I can test is
> around chroot'ed environment (jail package).
>
> Any idea?
>
> Thanks for your help.
>
> Gerard MONTELEONE
> Systems & Network Engineer
> SI.TE.C Z.I du vazzio 20090 AJACCIO
> * +33495236809 * +33687727032
> www.sitec.fr <http://www.sitec.fr/>
>
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390