security/openssh-portable
Hi,

I'm setting up a 'chrooted' SFTP only set of users:

/etc/make.conf:
.if ${.CURDIR:M*/usr/ports/security/openssh-portable*}
WITH_SUID_SSH=yes
WITH_OPENSSH_CHROOT=yes
WITH_HPN=yes
WITH_OVERWRITE_BASE=yes
.endif

/etc/rc.conf:
sshd_enable=NO
openssh_enable=YES

/etc/passwd:
user:*:3000:3000::0:0:F L:/foo/./user:/bin/sh

Access will be with ssh dsa keys only.

What is the best way to make this SFTP only and not SSH?
1) .ssh/authorization?
2) change user's shell to /usr/local/libexec/sftp-server
3) change user's shell to a custom C wrapper around [2]
4) a combination of them

--
Philip M. Gollucci ([EMAIL PROTECTED]) o:703.549.2050x206
Senior System Admin - Riderway, Inc.
http://riderway.com / http://ridecharge.com
1024D/EC88A0BF 0DE5 C55C 6BF3 B235 2DAB B89E 1324 9B4F EC88 A0BF

Work like you don't need the money, love like you'll never get hurt,
and dance like nobody's watching.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: security/openssh-portable
On Tue, Mar 11, 2008 at 06:08:44PM -0400, Philip M. Gollucci wrote:
> Hi,
>
> I'm setting up a 'chrooted' SFTP only set of users:
>
> /etc/make.conf:
> .if ${.CURDIR:M*/usr/ports/security/openssh-portable*}
> WITH_SUID_SSH=yes
> WITH_OPENSSH_CHROOT=yes
> WITH_HPN=yes
> WITH_OVERWRITE_BASE=yes
> .endif
>
> /etc/rc.conf:
> sshd_enable=NO
> openssh_enable=YES
>
> /etc/passwd:
> user:*:3000:3000::0:0:F L:/foo/./user:/bin/sh
>
> Access will be with ssh dsa keys only.
>
> What is the best way to make this SFTP only and not SSH?
> 1) .ssh/authorization?
> 2) change user's shell to /usr/local/libexec/sftp-server
> 3) change user's shell to a custom C wrapper around [2]
> 4) a combination of them

The usual thing is make the shell /bin/nologin

jerry
Re: security/openssh-portable
>> user:*:3000:3000::0:0:F L:/foo/./user:/bin/sh
>
> The usual thing is make the shell /bin/nologin

Hi Jerry,

Thanks -- but

Changed to /usr/sbin/nologin
So that's not in the 'chroot' aka /foo/user/usr/sbin/nologin

$ sftp -v -v -v [EMAIL PROTECTED]
OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.8e 23 Feb 2007
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.7p1-hpn12v20 FreeBSD-openssh-portable-overwrite-base-4.7.p1_1,1
debug1: match: OpenSSH_4.7p1-hpn12v20 FreeBSD-openssh-portable-overwrite-base-4.7.p1_1,1 pat OpenSSH*
debug2: channel 0: open confirm rwindow 0 rmax 32768
Request for subsystem 'sftp' failed on channel 0
Re: security/openssh-portable
On Tue, Mar 11, 2008 at 06:26:51PM -0400, Philip M. Gollucci wrote:
>>> user:*:3000:3000::0:0:F L:/foo/./user:/bin/sh
>>
>> The usual thing is make the shell /bin/nologin
>
> Hi Jerry,
>
> Thanks -- but
>
> Changed to /usr/sbin/nologin
> So that's not in the 'chroot' aka /foo/user/usr/sbin/nologin

Well, you can make your own nologin. Just copy the other one and make it
only executable - not writable.

jerry

> $ sftp -v -v -v [EMAIL PROTECTED]
> OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.8e 23 Feb 2007
> debug1: Remote protocol version 1.99, remote software version OpenSSH_4.7p1-hpn12v20 FreeBSD-openssh-portable-overwrite-base-4.7.p1_1,1
> debug1: match: OpenSSH_4.7p1-hpn12v20 FreeBSD-openssh-portable-overwrite-base-4.7.p1_1,1 pat OpenSSH*
> debug2: channel 0: open confirm rwindow 0 rmax 32768
> Request for subsystem 'sftp' failed on channel 0
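Option 3 from the opening message, a C wrapper around sftp-server, as an added example that is not code from the thread: sshd starts the sftp subsystem by running the account's shell as `<shell> -c <subsystem command>`, so a shell that never execs anything produces the "Request for subsystem 'sftp' failed" seen above, while this wrapper execs exactly that one command and refuses interactive logins and every other command. It assumes the sftp-server binary and any libraries it needs are present inside the chroot at the path in SFTP_SERVER (set here to the port's /usr/local/libexec/sftp-server from the thread), and that the wrapper itself is installed inside the chroot and named in the account's shell field.

```c
/* sftponly.c: restricted login shell for chrooted, SFTP-only accounts.
 * Added example, not code from the thread. Assumptions: sshd starts the
 * subsystem as "<shell> -c <command>", and sftp-server plus the libraries
 * it needs exist inside the chroot at SFTP_SERVER. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Path of sftp-server as seen from inside the chroot; must match the
 * "Subsystem sftp ..." line in sshd_config. */
#ifndef SFTP_SERVER
#define SFTP_SERVER "/usr/local/libexec/sftp-server"
#endif

/* Return 1 only for the exact invocation sshd uses for the sftp subsystem:
 * argv = { shell, "-c", SFTP_SERVER }. Interactive logins (no "-c"), any
 * other "ssh host <cmd>" command, and extra arguments are all refused. */
int allowed_command(int argc, char *const argv[])
{
    if (argc != 3)
        return 0;
    if (strcmp(argv[1], "-c") != 0)
        return 0;
    return strcmp(argv[2], SFTP_SERVER) == 0;
}

int main(int argc, char *argv[])
{
    if (!allowed_command(argc, argv)) {
        fprintf(stderr, "This account is restricted to sftp.\n");
        return 1;
    }
    /* Replace this process with sftp-server; nothing else is ever run. */
    execl(SFTP_SERVER, "sftp-server", (char *)NULL);
    /* Reached only if exec failed, e.g. the binary or one of its shared
     * libraries is missing from the chroot. */
    perror("exec " SFTP_SERVER);
    return 1;
}
```

Build it statically (cc -static) so it runs inside the chroot without copied libraries, install it under the chroot, and put that path, as seen from inside the chroot, in the account's shell field.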