Limiting SSH access
I have a question concerning SSH on a FreeBSD 7.4-STABLE server.

Is it possible to limit the SSH access?
I want to restrict a user to his own home directory. So that if he connects to the server with SSH he only can go to his own home dir.
Also the same for sftp...

Thanks for your time

Jack Raats
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Limiting SSH access
On 04/05/2011 10:08, Jack Raats wrote:

> I have a question concerning SSH on a FreeBSD 7.4-STABLE server.
> Is it possible to limit the SSH access?
> I want to restrict a user to his own home directory. So that if he connects
> to the server with SSH he only can go to his own home dir.
> Also the same for sftp...

I believe you will need to install a version of OpenSSH from ports to get that functionality. It's the CHROOT config option in security/openssh-portable

Cheers

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
Re: Limiting SSH access
On 4 May 2011 13:35, Matthew Seaman <m.sea...@infracaninophile.co.uk> wrote:

> On 04/05/2011 10:08, Jack Raats wrote:
> > I have a question concerning SSH on a FreeBSD 7.4-STABLE server.
> > Is it possible to limit the SSH access?
> > I want to restrict a user to his own home directory. So that if he connects
> > to the server with SSH he only can go to his own home dir.
> > Also the same for sftp...
>
> I believe you will need to install a version of OpenSSH from ports to
> get that functionality. It's the CHROOT config option in
> security/openssh-portable
>
> Cheers
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> 7 Priory Courtyard
> Flat 3
> Ramsgate
> Kent, CT11 9PW
> PGP: http://www.infracaninophile.co.uk/pgpkey
> JID: matt...@infracaninophile.co.uk

Hello,

It should work with the base openssh on 7.4. Check your version with sshd -v.

Here, search for chroot (or use google :)):

http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5

Regarding ssh login, I usually use rbash from the ports, that restricts the user from leaving his or her home directory!

Regards,

Balazs Mateffy.
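Added example, not part of the original thread or any poster's message: the chroot option in sshd_config(5) referred to above is `ChrootDirectory`, and sshd refuses the session unless every component of that path is root-owned and not writable by group or others. The script below checks a candidate directory for that; the user name `jack`, the path `/home/jack` and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a directory that
# will be named in sshd_config as ChrootDirectory. Constructed config it is
# meant to accompany (user "jack" and /home/jack are assumptions):
#
#   Subsystem sftp internal-sftp
#   Match User jack
#       ChrootDirectory /home/jack
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#
# sshd_config(5): every component of the ChrootDirectory path must be a
# root-owned directory that is not writable by any other user or group.

# check_component DIR UID: 0 if DIR is a directory owned by UID with the
# group and other write bits clear; otherwise prints the reason, returns 1.
check_component() {
    # ls -ldn gives the mode string and numeric owner on both BSD and GNU.
    read -r mode _ uid _ <<EOF
$(ls -ldn "$1")
EOF
    bad=0
    if [ "$uid" != "$2" ]; then
        echo "owner uid $uid, expected $2: $1"; bad=1
    fi
    case $mode in
        d????[!w]??[!w]*) ;;   # chars 6 and 9 are the group/other write bits
        *) echo "not a directory, or group/world-writable: $1 ($mode)"; bad=1 ;;
    esac
    return $bad
}

# check_chroot_path DIR [UID]: checks DIR and every parent up to /.
# UID defaults to 0 (root), which is what sshd enforces.
check_chroot_path() {
    want_uid=${2:-0}
    # Resolve symlinks first so each physical component is inspected.
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "not a directory: $1"; return 2; }
    rc=0
    while :; do
        check_component "$dir" "$want_uid" || rc=1
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

if [ "$#" -gt 0 ]; then check_chroot_path "$@"; fi
```

Because the chroot directory itself has to be root-owned and non-writable, an sftp-only user needs a subdirectory inside it that they own if they are to upload anything.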
Re: Limiting SSH access
Jack Raats <j...@jarasoft.net> writes:

> Hello,
> I have a question concerning SSH on a FreeBSD 7.4-STABLE server.

Don't know sshd version in 7.4-STABLE, but if higher or equal to 4.8, the following link could help:
http://www.debian-administration.org/articles/590

Regards

Éric Masson

--
It's not a penguin but an African swallow and its coconut
Now that you mention it, that's quite possible, Roland Courbis does look a bit like John Cleese, only smaller.
-+- fct in www.le-gnu.net : One swallow does not make a penguin -+-
Re: Limiting SSH access
On 4 May 2011 12:47, Balázs Mátéffy <repcs...@gmail.com> wrote:

> On 4 May 2011 13:35, Matthew Seaman <m.sea...@infracaninophile.co.uk> wrote:
> > On 04/05/2011 10:08, Jack Raats wrote:
> > > I have a question concerning SSH on a FreeBSD 7.4-STABLE server.
> > > Is it possible to limit the SSH access?
> > > I want to restrict a user to his own home directory. So that if he connects
> > > to the server with SSH he only can go to his own home dir.
> > > Also the same for sftp...
> >
> > I believe you will need to install a version of OpenSSH from ports to
> > get that functionality. It's the CHROOT config option in
> > security/openssh-portable
> >
> > Cheers
> >
> > Matthew
> >
> > --
> > Dr Matthew J Seaman MA, D.Phil.
> > 7 Priory Courtyard
> > Flat 3
> > Ramsgate
> > Kent, CT11 9PW
> > PGP: http://www.infracaninophile.co.uk/pgpkey
> > JID: matt...@infracaninophile.co.uk
>
> Hello,
>
> It should work with the base openssh on 7.4. Check your version with sshd -v.
>
> Here, search for chroot (or use google :)):
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
>
> Regarding ssh login, I usually use rbash from the ports, that restricts the
> user from leaving his or her home directory!
>
> Regards,
>
> Balazs Mateffy.

If you want them to be able to get a shell rather than sftp prompt then you will have to go for the rbash option. If you chroot the shell to their home dir they won't have access to any system binaries so won't be able to 'ls' for example. Having said that you could build a tree of all the binaries they need along with all the dependent libraries. This would get a bit cumbersome and wasteful of disk space for lots of users though. You might be better off with jails.
Re: Limiting SSH access
On 4 May 2011 16:27, krad <kra...@gmail.com> wrote:

> On 4 May 2011 12:47, Balázs Mátéffy <repcs...@gmail.com> wrote:
> > On 4 May 2011 13:35, Matthew Seaman <m.sea...@infracaninophile.co.uk> wrote:
> > > On 04/05/2011 10:08, Jack Raats wrote:
> > > > I have a question concerning SSH on a FreeBSD 7.4-STABLE server.
> > > > Is it possible to limit the SSH access?
> > > > I want to restrict a user to his own home directory. So that if he connects
> > > > to the server with SSH he only can go to his own home dir.
> > > > Also the same for sftp...
> > >
> > > I believe you will need to install a version of OpenSSH from ports to
> > > get that functionality. It's the CHROOT config option in
> > > security/openssh-portable
> > >
> > > Cheers
> > >
> > > Matthew
> > >
> > > --
> > > Dr Matthew J Seaman MA, D.Phil.
> > > 7 Priory Courtyard
> > > Flat 3
> > > Ramsgate
> > > Kent, CT11 9PW
> > > PGP: http://www.infracaninophile.co.uk/pgpkey
> > > JID: matt...@infracaninophile.co.uk
> >
> > Hello,
> >
> > It should work with the base openssh on 7.4. Check your version with sshd -v.
> >
> > Here, search for chroot (or use google :)):
> >
> > http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
> >
> > Regarding ssh login, I usually use rbash from the ports, that restricts the
> > user from leaving his or her home directory!
> >
> > Regards,
> >
> > Balazs Mateffy.
>
> If you want them to be able to get a shell rather than sftp prompt then you
> will have to go for the rbash option. If you chroot the shell to their home
> dir they won't have access to any system binaries so won't be able to 'ls'
> for example. Having said that you could build a tree of all the binaries
> they need along with all the dependent libraries. This would get a bit
> cumbersome and wasteful of disk space for lots of users though. You might be
> better off with jails.

Or you could have a special /bin-restricted that you nullfs mount into ~userN/bin.

Chris
Re: Limiting SSH access
Wake me up when September ends, freebsd-questions!
2011/05/04 16:47:33 +0100 Chris Rees <utis...@gmail.com> => To krad :

CR> Is it possible to limit the SSH access?
CR> Regarding ssh login, I usually use rbash from the ports, that
CR> restricts
CR> Or you could have a special /bin-restricted that you nullfs mount into
CR> ~userN/bin.

I personally should like to have a quick recipe on how to create such a limited set of binaries (libraries, mans, etc., each mounted with nullfs read-only to every such a user's home) from the 'world' build.

Some options like the rsync I consider to be a must in some cases so this should include the ports availability, isn't it?

73! Peter pgp: A0E26627 (4A42 6841 2871 5EA7 52AB 12F8 0CE1 4AAC A0E2 6627)
--
http://vereshagin.org
Re: Limiting SSH access
2011/5/4 Peter Vereshagin <pe...@vereshagin.org>:

> Wake me up when September ends, freebsd-questions!
> 2011/05/04 16:47:33 +0100 Chris Rees <utis...@gmail.com> => To krad :
> CR> Is it possible to limit the SSH access?
> CR> Regarding ssh login, I usually use rbash from the ports, that
> CR> restricts
> CR> Or you could have a special /bin-restricted that you nullfs mount into
> CR> ~userN/bin.
>
> I personally should like to have a quick recipe on how to create such a
> limited set of binaries (libraries, mans, etc., each mounted with nullfs
> read-only to every such a user's home) from the 'world' build.
>
> Some options like the rsync I consider to be a must in some cases so this
> should include the ports availability, isn't it?

Hehe, big can of worms here.

Plenty of opportunity to break out of a chroot, as well as the fact that it's largely discredited as a security mechanism [1].

Someone mentioned Jails earlier, probably a better idea.

Chris

[1] http://kerneltrap.org/Linux/Abusing_chroot