security/openssh-portable

2008-03-11 Thread Philip M. Gollucci

Hi,

I'm setting up a 'chrooted' SFTP only set of users:

/etc/make.conf:
.if ${.CURDIR:M*/usr/ports/security/openssh-portable*}
  WITH_SUID_SSH =yes
  WITH_OPENSSH_CHROOT   =yes
  WITH_HPN  =yes
  WITH_OVERWRITE_BASE   =yes
.endif

/etc/rc.conf:
sshd_enable=NO
openssh_enable=YES

/etc/passwd:
user:*:3000:3000::0:0:F L:/foo/./user:/bin/sh

Access will be with ssh dsa keys only.

What is the best way to make this SFTP only and not SSH?
1) .ssh/authorization?
2) change user's shell to /usr/local/libexec/sftp-server
3) change user's shell to a custom C wrapper around [2]
4) a combination of them





--

Philip M. Gollucci ([EMAIL PROTECTED])
o:703.549.2050x206
Senior System Admin - Riderway, Inc.
http://riderway.com / http://ridecharge.com
1024D/EC88A0BF 0DE5 C55C 6BF3 B235 2DAB  B89E 1324 9B4F EC88 A0BF

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
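Option 3 from the list above, as an added example that is not code from the thread or from the openssh-portable port: a minimal restricted login shell that lets only the sftp subsystem through. It relies on the standard OpenSSH behaviour of running the account's shell as `shell -c "<subsystem command>"`, and assumes the sftp-server path from the thread. Because the port's chroot patch chroots before the shell is started, the wrapper (and sftp-server) must live inside the chroot; a static build avoids having to copy shared libraries in.

```c
/* sftp_shell.c: a restricted login shell that only permits the sftp subsystem.
 * Added example, not code from the thread or the openssh-portable port.
 * Build with "cc -static -o sftp_shell sftp_shell.c", install it inside the
 * chroot (e.g. /foo/user/usr/local/bin/sftp_shell, an assumed location) and
 * list that path as the account's shell in /etc/passwd. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* The command sshd hands to the shell for an sftp request. It must match the
 * "Subsystem sftp ..." line in sshd_config exactly, as a path valid inside
 * the chroot, since sshd has already chrooted when the shell starts. */
#define SFTP_SERVER "/usr/local/libexec/sftp-server"

/* sshd runs the login shell as:  <shell> -c "<command>"
 * Return 1 only when the request is exactly the sftp-server invocation and
 * 0 for everything else: interactive logins (no -c), scp, any other command,
 * or extra arguments. */
int sftp_only_allowed(int argc, char *const argv[])
{
    if (argc != 3)
        return 0;
    if (strcmp(argv[1], "-c") != 0)
        return 0;
    return strcmp(argv[2], SFTP_SERVER) == 0 ? 1 : 0;
}

int main(int argc, char *argv[])
{
    /* A fixed, minimal environment: nothing from the client is passed on. */
    char *const env[] = { "PATH=/bin:/usr/bin", NULL };
    char *const args[] = { SFTP_SERVER, NULL };

    openlog("sftp_shell", LOG_PID, LOG_AUTH);
    if (!sftp_only_allowed(argc, argv)) {
        syslog(LOG_WARNING, "refused non-sftp request (%d args)", argc - 1);
        fprintf(stderr, "This account is restricted to SFTP.\n");
        return 1;
    }
    execve(SFTP_SERVER, args, env);
    /* Only reached if execve failed, e.g. sftp-server is missing from the chroot. */
    syslog(LOG_ERR, "execve %s failed", SFTP_SERVER);
    return 1;
}
```

Two things to check after installing it: sftp-server itself must also be present (and, unless static, its shared libraries with it) under the chroot, and syslog() only reaches syslogd if a log socket exists inside the chroot (on FreeBSD, syslogd's -l option adds one); otherwise the refusals are dropped silently. Combining this wrapper with authorized_keys options such as no-pty, no-port-forwarding, no-X11-forwarding and no-agent-forwarding is the "combination" of option 4.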


Re: security/openssh-portable

2008-03-11 Thread Jerry McAllister
On Tue, Mar 11, 2008 at 06:08:44PM -0400, Philip M. Gollucci wrote:

> What is the best way to make this SFTP only and not SSH?
> 1) .ssh/authorization?
> 2) change user's shell to /usr/local/libexec/sftp-server
> 3) change user's shell to a custom C wrapper around [2]
> 4) a combination of them

The usual thing is to make the shell /bin/nologin

jerry

 


Re: security/openssh-portable

2008-03-11 Thread Philip M. Gollucci

> user:*:3000:3000::0:0:F L:/foo/./user:/bin/sh
>
> The usual thing is to make the shell /bin/nologin

Hi Jerry, Thanks -- but
Changed to /usr/sbin/nologin

So that's not in the 'chroot' aka /foo/user/usr/sbin/nologin

$ sftp -v -v -v [EMAIL PROTECTED]
OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.8e 23 Feb 2007
debug1: Remote protocol version 1.99, remote software version 
OpenSSH_4.7p1-hpn12v20 FreeBSD-openssh-portable-overwrite-base-4.7.p1_1,1
debug1: match: OpenSSH_4.7p1-hpn12v20 
FreeBSD-openssh-portable-overwrite-base-4.7.p1_1,1 pat OpenSSH*


debug2: channel 0: open confirm rwindow 0 rmax 32768
Request for subsystem 'sftp' failed on channel 0




Re: security/openssh-portable

2008-03-11 Thread Jerry McAllister
On Tue, Mar 11, 2008 at 06:26:51PM -0400, Philip M. Gollucci wrote:

> > user:*:3000:3000::0:0:F L:/foo/./user:/bin/sh
> > The usual thing is to make the shell /bin/nologin
> Hi Jerry, Thanks -- but
> Changed to /usr/sbin/nologin
>
> So that's not in the 'chroot' aka /foo/user/usr/sbin/nologin

Well, you can make your own nologin.
Just copy the other one and make it only executable - not writable.

jerry

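Jerry's fix (a copy of nologin inside the chroot that is executable but not writable) is easy to get wrong by one permission bit, and the only symptom is the uninformative "Request for subsystem 'sftp' failed" in the trace above. The following is an added example, not code from the thread or the openssh-portable port: it derives the chroot root from the passwd home field using the port's "/./" convention, then stats the shell from the chroot's point of view and applies Jerry's conditions, plus an ownership check. The uid 3000 and the paths are the thread's; the scratch directory built by selftest() is constructed for demonstration.

```c
/* chroot_check.c: confirm that a chrooted account's login shell is present and
 * safe from the chroot's point of view. Added example, not code from the thread
 * or the openssh-portable port; it assumes the port's WITH_OPENSSH_CHROOT rule
 * that the part of the passwd home field before "/./" is the chroot root. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* "/foo/./user" -> "/foo". Returns 0 if there is no "/./" marker (the account
 * is not chrooted at all) or the result does not fit in out. */
int chroot_from_home(const char *home, char *out, size_t outlen)
{
    const char *mark = strstr(home, "/./");
    size_t len;

    if (mark == NULL)
        return 0;
    len = (size_t)(mark - home);
    if (len + 1 > outlen)
        return 0;
    memcpy(out, home, len);
    out[len] = '\0';
    return 1;
}

/* Jerry's conditions applied to chroot_dir + shell_path: a regular file that the
 * account can execute, that group/others cannot write, and that the account does
 * not own (an owner could swap in a real shell). Returns 1 if usable, else 0. */
int chroot_shell_usable(const char *chroot_dir, const char *shell_path,
                        uid_t account_uid, const char **reason)
{
    char full[4096];
    struct stat st;

    snprintf(full, sizeof full, "%s%s", chroot_dir, shell_path);
    *reason = "ok";
    if (stat(full, &st) != 0) { *reason = "missing inside the chroot"; return 0; }
    if (!S_ISREG(st.st_mode)) { *reason = "not a regular file"; return 0; }
    if (!(st.st_mode & S_IXOTH)) { *reason = "not executable by the account"; return 0; }
    if (st.st_mode & (S_IWGRP | S_IWOTH)) { *reason = "writable by group or others"; return 0; }
    if (st.st_uid == account_uid) { *reason = "owned by the chrooted account"; return 0; }
    return 1;
}

/* Constructed scenario in a scratch directory: shell missing (the thread's
 * situation), then present but world-writable, then mode 0555 as Jerry advises.
 * Returns 1 when every case is judged as expected. */
int selftest(void)
{
    char tmpl[] = "/tmp/chrootchkXXXXXX", path[4096];
    const char *shell = "/usr/sbin/nologin", *why;
    const uid_t account_uid = 3000;      /* uid from the thread's passwd line */
    char *root = mkdtemp(tmpl);
    int ok = 1, fd;

    if (root == NULL)
        return 0;
    ok &= (chroot_shell_usable(root, shell, account_uid, &why) == 0);
    snprintf(path, sizeof path, "%s/usr", root);      mkdir(path, 0755);
    snprintf(path, sizeof path, "%s/usr/sbin", root); mkdir(path, 0755);
    snprintf(path, sizeof path, "%s%s", root, shell);
    if ((fd = open(path, O_WRONLY | O_CREAT, 0644)) < 0)
        return 0;
    close(fd);
    chmod(path, 0777);                   /* writable copy: must be rejected */
    ok &= (chroot_shell_usable(root, shell, account_uid, &why) == 0);
    chmod(path, 0555);                   /* executable, not writable: accepted */
    ok &= (chroot_shell_usable(root, shell, account_uid, &why) == 1);
    unlink(path);
    snprintf(path, sizeof path, "%s/usr/sbin", root); rmdir(path);
    snprintf(path, sizeof path, "%s/usr", root);      rmdir(path);
    rmdir(root);
    return ok;
}

int main(int argc, char *argv[])
{
    char root[4096];
    const char *why;

    if (argc != 4) {
        fprintf(stderr, "usage: %s HOME_FIELD SHELL UID\n", argv[0]);
        return 2;
    }
    if (!chroot_from_home(argv[1], root, sizeof root)) {
        fprintf(stderr, "%s: no /./ marker, account is not chrooted\n", argv[1]);
        return 2;
    }
    if (!chroot_shell_usable(root, argv[2], (uid_t)atoi(argv[3]), &why)) {
        fprintf(stderr, "FAIL: %s%s: %s\n", root, argv[2], why);
        return 1;
    }
    printf("OK: %s%s is usable as the login shell under %s\n", root, argv[2], root);
    return 0;
}
```

Run as `chroot_check /foo/./user /usr/sbin/nologin 3000` for the account in the thread; a FAIL line names the condition that sshd would otherwise only report as a failed subsystem request. The same check applies to whatever is used as the shell, whether a copied nologin, sftp-server itself, or a wrapper.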