Hi Chaim,

    When you give the full path name of the sftp-server as the user's login
shell, he will be able to access the system via sftp client only. However,
he will still be able to traverse the directory tree and issue get/put
commands.

    If you would like to jail him, use http://chrootssh.sourceforge.net/.
You will have to compile ssh and you will need to build an environment for
sftp-server in the same manner you build one for ftp server (libraries, /dev
files, /etc/passwd file, etc.).

    Hope this clarifies things a bit.

    Have fun.

Moshe Shemesh
Liraz-x
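
The jail environment described in the message above (libraries, /dev files, /etc/passwd), written out in shell. This is an added example, not part of the original message or of the chrootssh project; the jail path, the account name and the sftp-server location are assumptions, and the chroot itself is still performed by the patched sshd.

```shell
#!/bin/sh
# Added example: populate a chroot tree for sftp-server.
# Assumed location; it differs between distributions (see the
# "Subsystem sftp" line in sshd_config for the path on your system).
SFTP_SERVER=${SFTP_SERVER:-/usr/libexec/openssh/sftp-server}

# build_jail JAIL BINARY USER
# Copies BINARY and the shared libraries it links against into JAIL and
# writes a passwd file that contains only USER's entry.
build_jail() {
    jail=$1 bin=$2 user=$3
    mkdir -p "$jail/dev" "$jail/etc" "$jail$(dirname "$bin")" || return 1
    cp "$bin" "$jail$bin" || return 1
    # ldd prints "name => /path (addr)" or "/path (addr)"; keep the paths.
    ldd "$bin" 2>/dev/null | grep -o '/[^ ]*' | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -L "$lib" "$jail$lib"
    done
    # Expose only the jailed account inside the jail, not every local user.
    grep "^$user:" /etc/passwd > "$jail/etc/passwd"
}

# finish_jail JAIL USER   (root only)
# Creates /dev/null inside the jail (major 1, minor 3 on Linux) and makes
# sftp-server the account's login shell, so no interactive shell is offered.
finish_jail() {
    [ -e "$1/dev/null" ] || mknod -m 666 "$1/dev/null" c 1 3 || return 1
    usermod -s "$SFTP_SERVER" "$2"
}

# Typical use as root (hypothetical account "xfer" with jail /home/xfer):
#   build_jail /home/xfer "$SFTP_SERVER" xfer && finish_jail /home/xfer xfer
```

After running it, `ls -lR` on the jail shows exactly what the jailed account will be able to see.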

----- Original Message -----
From: "Moshe Shemesh" <[EMAIL PROTECTED]>
To: "Chaim Keren Tzion" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, July 31, 2003 1:08 PM
Subject: Re: SSH Jail


> Hi Chaim,
>
>     Give the full path name of the sftp-server as the login shell for the
> user.
>
>     This will prevent him from running arbitrary commands.
>
>     If you would like to jail him in his home directory (in the same manner
> that regular ftp server does), look at http://chrootssh.sourceforge.net/.
> However, I think it will enforce you to build SSH package from sources (and
> openssl of course).
>
> Moshe Shemesh
> Liraz-x
>
> ----- Original Message -----
> From: "Chaim Keren Tzion" <[EMAIL PROTECTED]>
> To: "Moshe Shemesh" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Thursday, July 31, 2003 12:39 PM
> Subject: Re: SSH Jail
>
>
> >
> > I am intending that sftp will be used for the file transfer. The problem
> > is that once I create the account that will use sftp it automatically has
> > the ability to log in with ssh and wander around the system. I would like
> > to limit the user's ability to travel outside of the home directory and to
> > execute commands. I have tried to define the user with /dev/false as its
> > shell but then I can't log in.
> >
> > On Thu, 31 Jul 2003, Moshe Shemesh wrote:
> >
> > > Hi Chaim,
> > >
> > >     Did you consider using sftp-server? It's ftp server running on top of
> > > SSH. You will need sftp client to access it.
> > >
> > > Moshe Shemesh
> > > Liraz-x
> > >
> > >
> > > ----- Original Message -----
> > > From: "Chaim Keren Tzion" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Thursday, July 31, 2003 11:57 AM
> > > Subject: SSH Jail
> > >
> > >
> > > > Shalom,
> > > >
> > > > I need to set up an FTP server or an account that will use SSH for a user
> > > > outside of our organization that needs to send us data. They haven't been
> > > > able to successfully set one up on their end. I would like to avoid
> > > > setting up an FTP server because of the security issues but I am also
> > > > concerned about setting up an account that they can access via SSH because
> > > > they will log in as a regular user and have lots of rights. Is there a
> > > > good way to create a jail and otherwise limit an account that will be
> > > > accessed via SSH? They need the account only for data transfer.
> > > >
> > > >
> > > > --
> > > >
> > > > Chaim Keren Tzion |  [EMAIL PROTECTED]
> > > > System Administrator |  The Hebrew University of Jerusalem
> > > > Dept. of Neurobiology |  Tel: 972-2-658-5083
> > > > Inst. of Life Science |  Cel: 972-54-652983
> > > > Jerusalem 91904, Israel |  Fax: 972-2-658-6296
> > > > ...................... | ............................
> > > >
> > > >
> > > >
> > > > =================================================================
> > > > To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > > the word "unsubscribe" in the message body, e.g., run the command
> > > > echo unsubscribe | mail [EMAIL PROTECTED]
> > > >
> > > >
> > >
> > >
> >
> > --
> >
> > Chaim Keren Tzion |  [EMAIL PROTECTED]
> > System Administrator |  The Hebrew University of Jerusalem
> > Dept. of Neurobiology |  Tel: 972-2-658-5083
> > Inst. of Life Science |  Cel: 972-54-652983
> > Jerusalem 91904, Israel |  Fax: 972-2-658-6296
> > ....................... | ............................
> >
> >
>
>

