On Mon, Mar 1, 2010 at 5:27 PM, Glenn Cogle <[email protected]> wrote:
> My server is debian 3.1, openssh 3.8.1p1 & vsftpd 2.0.3 - not exactly
> cutting edge, but it works.
>
> (4) build a new server with later OS + ssh
Well, a Debian 3.1 server is very old. Debian have just dropped
security support for 4. I'd recommend an upgrade on general
principles.
Also, do your file-transferring users have to be real system users in
any other sense? If the only reason they have a 'home' directory is to
transfer files into, that's a lot you don't have to worry about. Give
them rssh and restrict them to sftp ...
passwd:
username:x:1005:33:SFTP access to username:/SFTP-CHROOTusername:/usr/bin/rssh
Files:
drwxr-xr-x 2 root root 4096 2006-10-28 03:39 etc
drwxr-xr-x 4 username root 4096 2006-11-06 09:22 website
drwxr-xr-x 2 root root 4096 2006-11-06 09:12 lib
drwxr-xr-x 4 root root 4096 2006-11-06 08:19 usr
$ tree etc lib usr
etc
`-- passwd
lib
|-- ld-2.3.6.so
|-- ld-linux.so.2 -> ld-2.3.6.so
|-- libc-2.3.6.so
|-- libc.so.6 -> libc-2.3.6.so
|-- libcom_err.so.2 -> libcom_err.so.2.1
|-- libcom_err.so.2.1
|-- libcrypt-2.3.6.so
|-- libcrypt.so.1 -> libcrypt-2.3.6.so
|-- libdl-2.3.6.so
|-- libdl.so.2 -> libdl-2.3.6.so
|-- libnsl-2.3.6.so
|-- libnsl.so.1 -> libnsl-2.3.6.so
|-- libresolv-2.3.6.so
|-- libresolv.so.2 -> libresolv-2.3.6.so
|-- libselinux.so.1
|-- libsepol.so.1
|-- libutil-2.3.6.so
`-- libutil.so.1 -> libutil-2.3.6.so
usr
|-- bin
|   `-- rssh
`-- lib
    |-- i686
    |   `-- cmov
    |       `-- libcrypto.so.0.9.8
    |-- libgssapi_krb5.so.2 -> libgssapi_krb5.so.2.2
    |-- libgssapi_krb5.so.2.2
    |-- libk5crypto.so.3 -> libk5crypto.so.3.0
    |-- libk5crypto.so.3.0
    |-- libkrb5.so.3 -> libkrb5.so.3.2
    |-- libkrb5.so.3.2
    |-- libkrb5support.so.0 -> libkrb5support.so.0.0
    |-- libkrb5support.so.0.0
    |-- libz.so.1 -> libz.so.1.2.3
    |-- libz.so.1.2.3
    |-- openssh
    |   `-- sftp-server
    |-- rssh
    |   `-- rssh_chroot_helper
    `-- sftp-server -> openssh/sftp-server
You could hardlink the usr and lib directories from an sftp-chroot
template, then just give each user a unique etc/passwd and you're on
your way ...
-jim
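The layout jim describes, turned into a script as an added example (this is not jim's own commands and not anything shipped with rssh or OpenSSH): one function fills a template with the listed binaries plus the shared libraries ldd reports for them, the other builds a user's chroot by hard-linking lib/ and usr/ from that template, writing that user's private etc/passwd and creating the one directory the user may write to. Everything not in the mail is an assumption of mine: the template path /srv/sftp-template, per-user roots under /SFTP-CHROOT/<user>, `website` as the writable directory, and the function names.

```shell
#!/bin/sh
# Added example: build an rssh sftp-only chroot per user from a shared
# template. Assumed layout (not from the original mail): template in
# /srv/sftp-template, each user chrooted to /SFTP-CHROOT/<user> with
# lib/ and usr/ hard-linked from the template and one writable dir.
set -eu

# Populate the template with each binary (same path as on the host) and
# the libraries ldd reports for it. Host-dependent: needs ldd and the
# real rssh/sftp-server binaries, so only the template step uses it.
build_template() {      # template bin...
    tpl=$1; shift
    mkdir -p "$tpl/etc" "$tpl/lib" "$tpl/usr/bin" "$tpl/usr/lib"
    for bin in "$@"; do
        mkdir -p "$tpl$(dirname "$bin")"
        cp -pL "$bin" "$tpl$bin"
        ldd "$bin" | awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' |
        while IFS= read -r lib; do
            mkdir -p "$tpl$(dirname "$lib")"
            cp -pL "$lib" "$tpl$lib"   # dereferenced copy under the soname; no symlink chain needed
        done
    done
}

# One host passwd(5) line in the same shape as the mail's example.
host_passwd_line() {    # user uid gid chroot_root
    printf '%s:x:%s:%s:SFTP access to %s:%s:/usr/bin/rssh\n' "$1" "$2" "$3" "$1" "$4"
}

# Minimal etc/passwd for inside the chroot: just enough to map the uid
# back to a name (plus root, so root-owned files resolve in listings).
chroot_passwd() {       # user uid gid
    printf 'root:x:0:0:root:/:/bin/false\n'
    printf '%s:x:%s:%s:SFTP access to %s:/:/bin/false\n' "$1" "$2" "$3" "$1"
}

# Mirror template usr/ and lib/ into the chroot: directories recreated,
# symlinks recreated with their original relative targets, regular files
# hard-linked so every user's chroot shares one copy of each library.
link_template() {       # template chroot
    tpl=$1; dst=$2
    mkdir -p "$dst"
    ( cd "$tpl" && find usr lib -print ) | while IFS= read -r rel; do
        src="$tpl/$rel"
        if [ -L "$src" ]; then
            ln -sf "$(readlink "$src")" "$dst/$rel"
        elif [ -d "$src" ]; then
            mkdir -p "$dst/$rel"
        else
            ln -f "$src" "$dst/$rel"
        fi
    done
}

# Assemble one user's chroot. Ownership is only applied when running as
# root; unprivileged runs still produce the layout for inspection.
make_user_chroot() {    # template chroot user uid gid writable_dir
    tpl=$1; root=$2; user=$3; uid=$4; gid=$5; wdir=$6
    mkdir -p "$root/etc" "$root/$wdir"
    chroot_passwd "$user" "$uid" "$gid" > "$root/etc/passwd"
    link_template "$tpl" "$root"
    chmod 0755 "$root" "$root/etc" "$root/lib" "$root/usr"
    chmod 0644 "$root/etc/passwd"
    if [ "$(id -u)" = 0 ]; then
        chown -R root:root "$root"
        chown "$uid:$gid" "$root/$wdir"   # the only place the user may write
    fi
}

# Check a built chroot: the user is in etc/passwd and every regular file
# under usr/ and lib/ is the template's inode (a shared hard link), so a
# chroot cannot silently drift to its own copy of a library.
check_user_chroot() {   # chroot user template
    root=$1; user=$2; tpl=$3
    grep -q "^$user:" "$root/etc/passwd" || { echo "no passwd entry for $user"; return 1; }
    ( cd "$root" && find usr lib -type f -print ) | while IFS= read -r rel; do
        [ "$root/$rel" -ef "$tpl/$rel" ] || { echo "not shared with template: $rel"; exit 1; }
    done
}

# Command-line use:
#   sh build_chroot.sh template /srv/sftp-template /usr/bin/rssh \
#       /usr/lib/rssh/rssh_chroot_helper /usr/lib/openssh/sftp-server
#   sh build_chroot.sh user /srv/sftp-template /SFTP-CHROOT username 1005 33
case "${1:-}" in
    template) shift; build_template "$@" ;;
    user)     make_user_chroot "$2" "$3/$4" "$4" "$5" "$6" website
              check_user_chroot "$3/$4" "$4" "$2"
              host_passwd_line "$4" "$5" "$6" "$3/$4" ;;   # append to the host's /etc/passwd
esac
```

Two caveats: hard links only work when the template and the chroots sit on the same filesystem, and rssh itself still has to be told to chroot (allowsftp and chrootpath in rssh.conf; see rssh.conf(5)), which this script does not touch. After a security update of libc or openssh on the host, rerun the template step and the check for each user, otherwise a chroot can keep serving the old library.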