Re: Solved? permissions, httpd with sftp chroot directory
On Wed, Sep 19, 2018 at 02:59:42PM -0700, Chris Bennett wrote:
> OK, I think I have this right now
>
> Files in /etc/mtree show proper owner:group mode everywhere.
> Files inside of httpd chroot have same as outside.
> Added an sftp chroot directory inside of httpd chroot for external user.
> Thus they can upload and download, but do the work elsewhere. Nologin.
> Right now, these directories for individual websites have ownership
> of root:daemon, is that correct?
>

Seems to be all OK, except that I had to create a subdir in order to get everything right with sftp chroot. I'm OK with that.
I'll look through the threads I didn't read but saw to learn more. :-)

Chris Bennett
Solved? permissions, httpd with sftp chroot directory
OK, I think I have this right now

Files in /etc/mtree show proper owner:group mode everywhere.
Files inside of httpd chroot have same as outside.
Added an sftp chroot directory inside of httpd chroot for external user.
Thus they can upload and download, but do the work elsewhere. Nologin.
Right now, these directories for individual websites have ownership
of root:daemon, is that correct?

Thanks,
Chris Bennett
Re: sftp chroot
Thanks for the info. The read-only would be rw, but it's at least worth looking at even if it's hackish :-P

But I also figured, since I don't need a shell for these users, I can simply force them into an sftp chroot somewhere else, but this is something I have to refine more. Though on my test machine I have a kinda weird setup right now:

- normal system user with home in /home/username
- forced into a chroot with sshd_config somewhere in /var/www/htdocs/chrootdir

I have to wait and see if this is a solution to go with, but then again, as long as it does what it is supposed to do I'm okay with it. So let's wait for the crybabies to complain about all the things they can't do without asking for permission first.

Regards
Markus

On 14.06.2017 at 20:53, Ville Valkonen wrote:
> On 14 June 2017 at 11:33, Markus Rosjat <ros...@ghweb.de> wrote:
>> Hi there,
>>
>> I want to build an sftp environment where the user is chrooted to his home
>> dir. So far so good but then again the user might need access to a webserver
>> resource like /var/www/htdocs/some_dir
>>
>> As far as I understand a symlink doesn't work in the chroot setup and I'm not
>> quite sure how to achieve this.
>>
>> I could simply make /var/www/htdocs/some_dir the home dir of the user but I'm
>> not sure if this is the recommended way.
>>
>> so once again advice is helpful :)
>>
>> regards
>>
>> --
>> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>>
>> G+H Webservice GbR Gorzolla, Herrmann
>> Königsbrücker Str. 70, 01099 Dresden
>>
>> http://www.ghweb.de
>> fon: +49 351 8107220 fax: +49 351 8107227
>>
>> Please check whether this mail really needs to be printed! Before you print it,
>> think about your responsibility and commitment to the ENVIRONMENT
>
> Hi,
>
> here's the NFS solution you were after:
>
> $ grep 127.0.0.1 /etc/exports
> /home/store/music -ro -mapall=extuser1 127.0.0.1
> /home/store/not_sorted -ro -mapall=extuser1 127.0.0.1
>
> and chroot /home/$user as usual. Now the extuser1 has read-only access to
> certain shares. Hackish? Definitely. Use at your own risk.
>
> --
> Regards,
> Ville

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: sftp chroot
On 14 June 2017 at 11:33, Markus Rosjat wrote:
> Hi there,
>
> I want to build an sftp environment where the user is chrooted to his home
> dir. So far so good but then again the user might need access to a webserver
> resource like /var/www/htdocs/some_dir
>
> As far as I understand a symlink doesn't work in the chroot setup and I'm not
> quite sure how to achieve this.
>
> I could simply make /var/www/htdocs/some_dir the home dir of the user but I'm
> not sure if this is the recommended way.
>
> so once again advice is helpful :)
>
> regards
>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220 fax: +49 351 8107227
>

Hi,

here's the NFS solution you were after:

$ grep 127.0.0.1 /etc/exports
/home/store/music -ro -mapall=extuser1 127.0.0.1
/home/store/not_sorted -ro -mapall=extuser1 127.0.0.1

and chroot /home/$user as usual. Now the extuser1 has read-only access to certain shares. Hackish? Definitely. Use at your own risk.

--
Regards,
Ville
Re: sftp chroot
Have a look at the book https://www.michaelwlucas.com/tools/relayd
Chapter 7 addresses this exact scenario

On Wed, Jun 14, 2017 at 3:33 AM, Markus Rosjat wrote:
> Hi there,
>
> I want to build an sftp environment where the user is chrooted to his home
> dir. So far so good but then again the user might need access to a
> webserver resource like /var/www/htdocs/some_dir
>
> As far as I understand a symlink doesn't work in the chroot setup and I'm
> not quite sure how to achieve this.
>
> I could simply make /var/www/htdocs/some_dir the home dir of the user but
> I'm not sure if this is the recommended way.
>
> so once again advice is helpful :)
>
> regards
>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220 fax: +49 351 8107227
>
Re: sftp chroot
On 14.06.2017 at 16:31, Chris M wrote:
> Some hosts chroot users into a specific web dir because they have multiple
> vhosts on the same server, and they don't want all sftp or ssh users to be
> able to browse into other vhosts, even to look around. They might also want
> to give developers access to specific subdirs without seeing the entire
> vhost root.

Yes, this is the aim here, the user has no shell at all. He gets access to the web content folder only.

> > I am running SFTP-only chroot file exchange server where a very small
> > group of users have the access to the same chroot without full shell
> > access for the purpose of sharing/exchanging data.

I want to separate every user, no peeking up the ladder :)

> > I could imagine situation in which it is desirable to give users
> > chrooted SFTP-only access to their web data. It seems to me that one
> > could create virtual host per user and give them sftp-only access to the
> > root directory of their virtual server.

They will all get virtual hosts in httpd and get their sftp root set to the root of the virtual host.

> > Somebody help me. What would be other good use case scenarios for
> > chrooted sftp-only user access?

Annoying colleagues without a wheel :-p ... just kidding

regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227
Re: sftp chroot
Some hosts chroot users into a specific web dir because they have multiple vhosts on the same server, and they don't want all sftp or ssh users to be able to browse into other vhosts, even to look around. They might also want to give developers access to specific subdirs without seeing the entire vhost root.

On Wed, Jun 14, 2017 at 9:22 AM Predrag Punosevac wrote:
> Markus Rosjat wrote:
>
> > On 14.06.2017 at 13:42, Jiri B wrote:
> > > On Wed, Jun 14, 2017 at 01:09:47PM +0200, Solène Rapenne wrote:
> > >> On 2017-06-14 13:02, Bryan Harris wrote:
> > >>> On Linux I have mounted another fs inside the user's home folder (it is
> > >>> mounted twice). I don't know if OpenBSD has that feature.
> > >>>
> > >>
> > >> This is not possible on OpenBSD, mount will tell "device is busy".
> > >>
> > >> On linux you should use mount --bind to bind a folder on another instead
> > >> of mounting twice the mountpoint. FreeBSD has mount_nullfs to do exactly
> > >> the same thing as --bind, but OpenBSD doesn't have any of this.
> > >
> > > Do you build a shell server or you just want to give SFTP access
> > > to users' web data?
> > >
> > > If the latter, why don't you just chroot them directly into their
> > > user dir inside web root? Or, just define their home to be inside
> > > web chroot...
> > >
> > > j.
> > >
> >
> > like I stated before I know I can simply give them their web content
> > folder as home and chroot this for sftp but then again how to handle the
>
> I am with Jiri on this one. You completely lost me. What problem are you
> trying to solve?
>
> I am running SFTP-only chroot file exchange server where a very small
> group of users have the access to the same chroot without full shell
> access for the purpose of sharing/exchanging data.
>
> I could imagine situation in which it is desirable to give users
> chrooted SFTP-only access to their web data. It seems to me that one
> could create virtual host per user and give them sftp-only access to the
> root directory of their virtual server.
>
> Somebody help me. What would be other good use case scenarios for
> chrooted sftp-only user access?
>
> Best,
> Predrag
>
> > .ssh or other . folders and files? I read something about placing it
> > outside the home dir and define the location over sshd_config but not
> > sure if this is proper solution.

--
There's no place like 127.0.0.1
Re: sftp chroot
Markus Rosjat wrote:

> On 14.06.2017 at 13:42, Jiri B wrote:
> > On Wed, Jun 14, 2017 at 01:09:47PM +0200, Solène Rapenne wrote:
> >> On 2017-06-14 13:02, Bryan Harris wrote:
> >>> On Linux I have mounted another fs inside the user's home folder (it is
> >>> mounted twice). I don't know if OpenBSD has that feature.
> >>>
> >>
> >> This is not possible on OpenBSD, mount will tell "device is busy".
> >>
> >> On linux you should use mount --bind to bind a folder on another instead
> >> of mounting twice the mountpoint. FreeBSD has mount_nullfs to do exactly
> >> the same thing as --bind, but OpenBSD doesn't have any of this.
> >
> > Do you build a shell server or you just want to give SFTP access
> > to users' web data?
> >
> > If the latter, why don't you just chroot them directly into their
> > user dir inside web root? Or, just define their home to be inside
> > web chroot...
> >
> > j.
> >
>
> like I stated before I know I can simply give them their web content
> folder as home and chroot this for sftp but then again how to handle the

I am with Jiri on this one. You completely lost me. What problem are you trying to solve?

I am running SFTP-only chroot file exchange server where a very small group of users have the access to the same chroot without full shell access for the purpose of sharing/exchanging data.

I could imagine situation in which it is desirable to give users chrooted SFTP-only access to their web data. It seems to me that one could create virtual host per user and give them sftp-only access to the root directory of their virtual server.

Somebody help me. What would be other good use case scenarios for chrooted sftp-only user access?

Best,
Predrag

> .ssh or other . folders and files? I read something about placing it
> outside the home dir and define the location over sshd_config but not
> sure if this is proper solution.
Re: sftp chroot
You could do it like this:

Say you have /www/sites/, make a subdir /files/html, and another for /html which is a symlink to files/html:

/www/sites/www.somedomain.com
/www/sites/www.somedomain.com/files/html
/www/sites/www.somedomain.com/html -> files/html

Mount /www/sites/www.somedomain.com to /home/
Point document root for that domain/vhost to /www/sites/somedomain.com/html.
Graceful restart apache.

If you only want the chroot user to have access to a subdir inside of html, then just mount the subdir to their home folder

On Wed, Jun 14, 2017 at 9:06 AM Markus Rosjat wrote:
>
> On 14.06.2017 at 15:53, Markus Rosjat wrote:
> >
> > On 14.06.2017 at 13:42, Jiri B wrote:
> >> On Wed, Jun 14, 2017 at 01:09:47PM +0200, Solène Rapenne wrote:
> >>> On 2017-06-14 13:02, Bryan Harris wrote:
> >>>> On Linux I have mounted another fs inside the user's home folder (it is
> >>>> mounted twice). I don't know if OpenBSD has that feature.
> >>>>
> >>>
> >>> This is not possible on OpenBSD, mount will tell "device is busy".
> >>>
> >>> On linux you should use mount --bind to bind a folder on another instead
> >>> of mounting twice the mountpoint. FreeBSD has mount_nullfs to do exactly
> >>> the same thing as --bind, but OpenBSD doesn't have any of this.
> >>
> >> Do you build a shell server or you just want to give SFTP access
> >> to users' web data?
> >>
> >> If the latter, why don't you just chroot them directly into their
> >> user dir inside web root? Or, just define their home to be inside
> >> web chroot...
> >>
> >> j.
> >>
> >
> > like I stated before I know I can simply give them their web content
> > folder as home and chroot this for sftp but then again how to handle the
> > .ssh or other . folders and files? I read something about placing it
> > outside the home dir and define the location over sshd_config but not
> > sure if this is proper solution.
> >
>
> okay I tried to set the chroot in the sshd_config to the www dir of the
> user and it seems to work so far. Since this is a dev machine it's okay
> for now. So there is still time to sort out the kinks
>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220 fax: +49 351 8107227
>

--
There's no place like 127.0.0.1
Re: sftp chroot
On 14.06.2017 at 15:53, Markus Rosjat wrote:
>
> On 14.06.2017 at 13:42, Jiri B wrote:
> > On Wed, Jun 14, 2017 at 01:09:47PM +0200, Solène Rapenne wrote:
> >> On 2017-06-14 13:02, Bryan Harris wrote:
> >>> On Linux I have mounted another fs inside the user's home folder (it is
> >>> mounted twice). I don't know if OpenBSD has that feature.
> >>>
> >>
> >> This is not possible on OpenBSD, mount will tell "device is busy".
> >>
> >> On linux you should use mount --bind to bind a folder on another instead
> >> of mounting twice the mountpoint. FreeBSD has mount_nullfs to do exactly
> >> the same thing as --bind, but OpenBSD doesn't have any of this.
> >
> > Do you build a shell server or you just want to give SFTP access
> > to users' web data?
> >
> > If the latter, why don't you just chroot them directly into their
> > user dir inside web root? Or, just define their home to be inside
> > web chroot...
> >
> > j.
> >
>
> like I stated before I know I can simply give them their web content
> folder as home and chroot this for sftp but then again how to handle the
> .ssh or other . folders and files? I read something about placing it
> outside the home dir and define the location over sshd_config but not
> sure if this is proper solution.
>

okay I tried to set the chroot in the sshd_config to the www dir of the user and it seems to work so far. Since this is a dev machine it's okay for now. So there is still time to sort out the kinks

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227
Re: sftp chroot
On 14.06.2017 at 13:42, Jiri B wrote:
> On Wed, Jun 14, 2017 at 01:09:47PM +0200, Solène Rapenne wrote:
>> On 2017-06-14 13:02, Bryan Harris wrote:
>>> On Linux I have mounted another fs inside the user's home folder (it is
>>> mounted twice). I don't know if OpenBSD has that feature.
>>>
>>
>> This is not possible on OpenBSD, mount will tell "device is busy".
>>
>> On linux you should use mount --bind to bind a folder on another instead
>> of mounting twice the mountpoint. FreeBSD has mount_nullfs to do exactly
>> the same thing as --bind, but OpenBSD doesn't have any of this.
>
> Do you build a shell server or you just want to give SFTP access
> to users' web data?
>
> If the latter, why don't you just chroot them directly into their
> user dir inside web root? Or, just define their home to be inside
> web chroot...
>
> j.
>

like I stated before I know I can simply give them their web content folder as home and chroot this for sftp but then again how to handle the .ssh or other . folders and files? I read something about placing it outside the home dir and define the location over sshd_config but not sure if this is proper solution.

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227
Re: sftp chroot
On Wed, Jun 14, 2017 at 01:09:47PM +0200, Solène Rapenne wrote:
> On 2017-06-14 13:02, Bryan Harris wrote:
> >On Linux I have mounted another fs inside the user's home folder (it is
> >mounted twice). I don't know if OpenBSD has that feature.
> >
>
> This is not possible on OpenBSD, mount will tell "device is busy".
>
> On linux you should use mount --bind to bind a folder on another instead
> of mounting twice the mountpoint. FreeBSD has mount_nullfs to do exactly
> the same thing as --bind, but OpenBSD doesn't have any of this.

Do you build a shell server or you just want to give SFTP access to users' web data?

If the latter, why don't you just chroot them directly into their user dir inside web root? Or, just define their home to be inside web chroot...

j.
Re: sftp chroot
On 2017-06-14 13:02, Bryan Harris wrote:
> On Linux I have mounted another fs inside the user's home folder (it is
> mounted twice). I don't know if OpenBSD has that feature.

This is not possible on OpenBSD, mount will tell "device is busy".

On linux you should use mount --bind to bind a folder on another instead of mounting twice the mountpoint. FreeBSD has mount_nullfs to do exactly the same thing as --bind, but OpenBSD doesn't have any of this.
Re: sftp chroot
On Linux I have mounted another fs inside the user's home folder (it is mounted twice). I don't know if OpenBSD has that feature.

On Wed, Jun 14, 2017 at 6:38 AM, Ville Valkonen wrote:
> Hi,
>
> one option is to use local nfs mounts. That's what I've done.
>
> --
> Regards,
> Ville
>
>
> On Jun 14, 2017 11:34 AM, "Markus Rosjat" wrote:
>
> Hi there,
>
> I want to build an sftp environment where the user is chrooted to his home
> dir. So far so good but then again the user might need access to a
> webserver resource like /var/www/htdocs/some_dir
>
> As far as I understand a symlink doesn't work in the chroot setup and I'm not
> quite sure how to achieve this.
>
> I could simply make /var/www/htdocs/some_dir the home dir of the user but
> I'm not sure if this is the recommended way.
>
> so once again advice is helpful :)
>
> regards
>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220 fax: +49 351 8107227
>
Re: sftp chroot
Hi,

one option is to use local nfs mounts. That's what I've done.

--
Regards,
Ville

On Jun 14, 2017 11:34 AM, "Markus Rosjat" wrote:
> Hi there,
>
> I want to build an sftp environment where the user is chrooted to his home
> dir. So far so good but then again the user might need access to a
> webserver resource like /var/www/htdocs/some_dir
>
> As far as I understand a symlink doesn't work in the chroot setup and I'm not
> quite sure how to achieve this.
>
> I could simply make /var/www/htdocs/some_dir the home dir of the user but
> I'm not sure if this is the recommended way.
>
> so once again advice is helpful :)
>
> regards
>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220 fax: +49 351 8107227
Re: sftp chroot
On 2017-06-14 10:33, Markus Rosjat wrote:
> Hi there,
>
> I want to build an sftp environment where the user is chrooted to his home
> dir. So far so good but then again the user might need access to a
> webserver resource like /var/www/htdocs/some_dir
>
> As far as I understand a symlink doesn't work in the chroot setup and I'm not
> quite sure how to achieve this.
>
> I could simply make /var/www/htdocs/some_dir the home dir of the user but
> I'm not sure if this is the recommended way.
>
> so once again advice is helpful :)
>
> regards

hello

you can change the home user folder to one in /var/www/htdocs/ or, if the user's home is on the same mountpoint as /var/www, you could do a hard link folder with ln.
sftp chroot
Hi there,

I want to build an sftp environment where the user is chrooted to his home dir. So far so good but then again the user might need access to a webserver resource like /var/www/htdocs/some_dir

As far as I understand a symlink doesn't work in the chroot setup and I'm not quite sure how to achieve this.

I could simply make /var/www/htdocs/some_dir the home dir of the user but I'm not sure if this is the recommended way.

so once again advice is helpful :)

regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
sftp chroot does'nt pass the login
Hi,

I am using sftp server with a chroot with following lines in sshd configuration file. The same works for my actual server in 4.4 OpenBSD but I just freshly installed a 4.7 one and on it the sftp login fails (it works without chroot).

Match group web
    ChrootDirectory /var/www/htdocs
    ForceCommand internal-sftp

Any idea what I get wrong ?

Thanks
Re: sftp chroot does'nt pass the login
On Sun, May 30, 2010 at 05:22:22PM +0200, Jean-Francois wrote:
> Hi,
>
> I am using sftp server with a chroot with following lines in sshd
> configuration file. The same works for my actual server in 4.4 OpenBSD
> but I just freshly installed a 4.7 one and on it the sftp login fails
> (it works without chroot).
>
> Match group web
>     ChrootDirectory /var/www/htdocs
>     ForceCommand internal-sftp
>
> Any idea what I get wrong ?

$ grep web /etc/group
$ grep www /etc/group
www:*:67:
$

> Thanks
Re: sftp chroot does'nt pass the login
On Sunday, 30 May 2010 17:39:36, Bret S. Lambert wrote:
> On Sun, May 30, 2010 at 05:22:22PM +0200, Jean-Francois wrote:
> > Hi,
> >
> > I am using sftp server with a chroot with following lines in sshd
> > configuration file. The same works for my actual server in 4.4 OpenBSD
> > but I just freshly installed a 4.7 one and on it the sftp login fails
> > (it works without chroot).
> >
> > Match group web
> >     ChrootDirectory /var/www/htdocs
> >     ForceCommand internal-sftp
> >
> > Any idea what I get wrong ?
>
> $ grep web /etc/group
> $ grep www /etc/group
> www:*:67:
> $

web is a group and also a user in my OS.

# grep web /etc/group
wheel:*:0:root,admin,web
web:*:1001:web
Re: sftp chroot ?
On 2009-02-23, Michael W. Lucas <mwlu...@blackhelicopters.org> wrote:
> On Mon, Feb 23, 2009 at 07:33:23PM +0100, Jean-Francois wrote:
> > Hello,
> >
> > If I understand this will chroot any user. Am I correct ?
> > - Is root chrooted as well ?
>
> Don't scp or SSH in as root. Use a regular account and sudo, or at
> least the root password.

Oh, I do that all the time. I don't see a problem with it. For some things there is no feasible alternative.
Re: sftp chroot ?
On Mon, Feb 23, 2009 at 07:33:23PM +0100, jfsimon1...@gmail.com wrote:
> If I understand this will chroot any user. Am I correct ?
> - Is root chrooted as well ?
> - Is it possible to chroot only some users ?

What man page is not clear?

--
Olivier Cherrier
Re: sftp chroot ?
On Monday, 23 February 2009, Nigel J. Taylor wrote:
> ChrootDirectory %h
> Subsystem sftp internal-sftp
>
> Match group wheel
>     ChrootDirectory none

Or the other way around.

Subsystem sftp internal-sftp

Match User john paul
    ChrootDirectory /chroot/%u

--
Regards,
Cezary Morga

The best way to predict the future is to invent it. (Alan Kay)
Re: sftp chroot ?
Hi Jean-Francois

Attached a little example, hope that helps

The user archivos only has access to /var/www/domains/home/archivos/public_html

$ cat /etc/ssh/sshd_config
Port 22
Protocol 2
SyslogFacility AUTH
LogLevel INFO
PermitRootLogin no

Subsystem sftp internal-sftp

Match group chrootusers
    ForceCommand internal-sftp
    ChrootDirectory /var/www/domains/home/%u

$ ls -lh
total 84
drwxr-xr-x  3 root      chrootusers   512B Feb 13 19:23 archivos
$ ls -lh archivos
total 4
drwxr-xr-x  3 archivos  chrootusers   512B Feb 18 14:24 public_html

See the permissions.

Bye
--
Beto
www.compumundohypermegared.org

2009/2/23 Jean-Francois <jfsimon1...@gmail.com>
> Hi All,
>
> As far as I understand, the sftp service is always running since it is the
> ssh daemon (maybe one can correct me if I'm wrong).
>
> Hence I need to chroot some users to specific directories.
>
> I prefer not to use vsftp at present time if this feature is available
> with sftp of OpenBSD.
>
> One can help me ?
>
> Thank you;
> JF

--
Beto
www.compumundohypermegared.org
sftp chroot ?
Hi All,

As far as I understand, the sftp service is always running since it is the ssh daemon (maybe one can correct me if I'm wrong).

Hence I need to chroot some users to specific directories.

I prefer not to use vsftp at present time if this feature is available with sftp of OpenBSD.

One can help me ?

Thank you;
JF
Re: sftp chroot ?
On Mon, Feb 23, 2009 at 06:19:07PM +0100, Jean-Francois wrote:
> Hi All,
>
> As far as I understand, the sftp service is always running since it is the
> ssh daemon (maybe one can correct me if I'm wrong).
>
> Hence I need to chroot some users to specific directories.
>
> I prefer not to use vsftp at present time if this feature is available
> with sftp of OpenBSD.
>
> One can help me ?

http://lmgtfy.com/?q=sftp+chroot+openbsd
Re: sftp chroot ?
See sshd_config(5) and search for ChrootDirectory.

Floor

On Feb 23, 2009 6:24 PM, Jean-Francois <jfsimon1...@gmail.com> wrote:
> Hi All,
>
> As far as I understand, the sftp service is always running since it is the
> ssh daemon (maybe one can correct me if I'm wrong).
>
> Hence I need to chroot some users to specific directories.
>
> I prefer not to use vsftp at present time if this feature is available
> with sftp of OpenBSD.
>
> One can help me ?
>
> Thank you;
> JF
Re: sftp chroot ?
Hello,

If I understand this will chroot any user. Am I correct ?
- Is root chrooted as well ?
- Is it possible to chroot only some users ?

I am afraid that if I do this then all users will be chrooted and I won't be able to turn this back since I will not have access to /etc.

Line to be changed in sshd_config :

#ChrootDirectory none

Thanks
JF

On Monday, 23 February 2009 at 19:07 +0100, Floor Terra wrote:
> See sshd_config(5) and search for ChrootDirectory.
>
> Floor
>
> On Feb 23, 2009 6:24 PM, Jean-Francois <jfsimon1...@gmail.com> wrote:
> > Hi All,
> >
> > As far as I understand, the sftp service is always running since it is the
> > ssh daemon (maybe one can correct me if I'm wrong).
> >
> > Hence I need to chroot some users to specific directories.
> >
> > I prefer not to use vsftp at present time if this feature is available
> > with sftp of OpenBSD.
> >
> > One can help me ?
> >
> > Thank you;
> > JF
Re: sftp chroot ?
That was the funniest thing I have ever seen.

On Mon, Feb 23, 2009 at 11:45 AM, Mike Erdely <m...@erdelynet.com> wrote:
> On Mon, Feb 23, 2009 at 06:19:07PM +0100, Jean-Francois wrote:
> > Hi All,
> >
> > As far as I understand, the sftp service is always running since it is the
> > ssh daemon (maybe one can correct me if I'm wrong).
> >
> > Hence I need to chroot some users to specific directories.
> >
> > I prefer not to use vsftp at present time if this feature is available
> > with sftp of OpenBSD.
> >
> > One can help me ?
>
> http://lmgtfy.com/?q=sftp+chroot+openbsd

--
 /\  ASCII Ribbon Campaign
 \ / Respect for low technology.
  X  Keep e-mail messages readable by any computer system.
 / \ Keep it ASCII.
Re: sftp chroot ?
On Mon, Feb 23, 2009 at 07:33:23PM +0100, Jean-Francois wrote:
> Hello,
>
> If I understand this will chroot any user. Am I correct ?
> - Is root chrooted as well ?

Don't scp or SSH in as root. Use a regular account and sudo, or at least the root password.

> - Is it possible to chroot only some users ?

I don't believe so. You could look at scponly, it can chroot users. It's an add-on shell, not in ports, has not been audited by OpenBSD, etc. YMMV.

> I am afraid that if I do this then all users will be chrooted and I won't
> be able to turn this back since I will not have access to /etc.

Run a separate sshd instance on a different port, with -p. Test the changes there.

==ml

> Line to be changed in sshd_config :
>
> #ChrootDirectory none
>
> Thanks
> JF
>
> On Monday, 23 February 2009 at 19:07 +0100, Floor Terra wrote:
> > See sshd_config(5) and search for ChrootDirectory.
> >
> > Floor
> >
> > On Feb 23, 2009 6:24 PM, Jean-Francois <jfsimon1...@gmail.com> wrote:
> > > Hi All,
> > >
> > > As far as I understand, the sftp service is always running since it is the
> > > ssh daemon (maybe one can correct me if I'm wrong).
> > >
> > > Hence I need to chroot some users to specific directories.
> > >
> > > I prefer not to use vsftp at present time if this feature is available
> > > with sftp of OpenBSD.
> > >
> > > One can help me ?
> > >
> > > Thank you;
> > > JF

--
Michael W. Lucas    mwlu...@blackhelicopters.org, mwlu...@freebsd.org
http://www.BlackHelicopters.org/~mwlucas/
My pessimism extends to the point of even suspecting the sincerity of the pessimists. -- Jean Rostand, French biologist and philosopher
Re: sftp chroot ?
On Mon, Feb 23, 2009 at 04:21:01PM -0500, Michael W. Lucas wrote:
> On Mon, Feb 23, 2009 at 07:33:23PM +0100, Jean-Francois wrote:
> > - Is it possible to chroot only some users ?
>
> I don't believe so. You could look at scponly, it can chroot users. It's
> an add-on shell, not in ports, has not been audited by OpenBSD, etc. YMMV.
>
> > I am afraid that if I do this then all users will be chrooted and I won't
> > be able to turn this back since I will not have access to /etc.
>
> Run a separate sshd instance on a different port, with -p. Test the
> changes there.

Ugh. Bad advice.

Please see sshd_config(5) and http://undeadly.org/cgi?action=article&sid=20080220110039

-ME
Re: sftp chroot ?
Hi,

You might try looking at Match in the sshd_config man pages, ChrootDirectory.

Something like this in sshd_config; home directories must be root owned if chrooted. This is in OpenSSH v5.1, not sure when it was introduced.

ChrootDirectory %h
Subsystem sftp internal-sftp

Match group wheel
    ChrootDirectory none

This defaults to chroot to the home directory, unless users are in the group wheel. You can do this the other way around: default is not to chroot, users in a specific group are chrooted.

Regards

Nigel Taylor

Jean-Francois wrote:
> Hello,
>
> If I understand this will chroot any user. Am I correct ?
> - Is root chrooted as well ?
> - Is it possible to chroot only some users ?
>
> I am afraid that if I do this then all users will be chrooted and I won't
> be able to turn this back since I will not have access to /etc.
>
> Line to be changed in sshd_config :
>
> #ChrootDirectory none
>
> Thanks
> JF
>
> On Monday, 23 February 2009 at 19:07 +0100, Floor Terra wrote:
> > See sshd_config(5) and search for ChrootDirectory.
> >
> > Floor
> >
> > On Feb 23, 2009 6:24 PM, Jean-Francois <jfsimon1...@gmail.com> wrote:
> > > Hi All,
> > >
> > > As far as I understand, the sftp service is always running since it is the
> > > ssh daemon (maybe one can correct me if I'm wrong).
> > >
> > > Hence I need to chroot some users to specific directories.
> > >
> > > I prefer not to use vsftp at present time if this feature is available
> > > with sftp of OpenBSD.
> > >
> > > One can help me ?
> > >
> > > Thank you;
> > > JF
Re: sftp chroot ?
On Mon, 23 Feb 2009 14:17:57 -0600 patric conant mirage.comput...@gmail.com wrote:
> That was the funniest thing I have ever seen.

Funny, at least. :)

--
Maxime DERCHE
GnuPG public key ID : 0x9A85C4C0 (fingerprint : 0FDC 16AF 5A5B 1908 786C 2B85 2D3C C83E 9A85 C4C0)
http://www.mouet-mouet.net/maxime/blog/index.php
Re: sftp chroot ?
Hi,

yes it's possible to chroot only some users, see Match User in sshd_config

On Mon, 23 Feb 2009 19:33:23 +0100, Jean-Francois jfsimon1...@gmail.com wrote:
> Hello,
>
> If I understand this will chroot any user. Am I correct ?
> - Is root chrooted as well ?
> - Is it possible to chroot only some users ?
>
> I am afraid that if I do this then all users will be chrooted and I won't
> be able to turn this back since I will not have access to /etc.
>
> Line to be changed in sshd_config :
> #ChrootDirectory none
>
> Thanks
> JF
>
> On Monday 23 February 2009 at 19:07 +0100, Floor Terra wrote:
> > See sshd_config(5) and search for ChrootDirectory.
> >
> > Floor
> >
> > On Feb 23, 2009 6:24 PM, Jean-Francois jfsimon1...@gmail.com wrote:
> > > Hi All,
> > >
> > > As far as I understand, the sftp service is always running since it is
> > > the ssh daemon (maybe one can correct me if I'm wrong). Hence I need to
> > > chroot some users to specific directories. I prefer not to use vsftp at
> > > present time if this feature is available with sftp of OpenBSD.
> > >
> > > One can help me ?
> > >
> > > Thank you;
> > > JF

--
Julien Cabillot - SdV Plurimedia
Re: sftp chroot ?
On Mon, Feb 23, 2009 at 05:20:17PM -0500, Mike Erdely wrote:
> On Mon, Feb 23, 2009 at 04:21:01PM -0500, Michael W. Lucas wrote:
> > On Mon, Feb 23, 2009 at 07:33:23PM +0100, Jean-Francois wrote:
> > > - Is it possible to chroot only some users ?
> >
> > I don't believe so. You could look at scponly, it can chroot users. It's
> > an add-on shell, not in ports, has not been audited by OpenBSD, etc. YMMV.
> >
> > > I am afraid that if I do this then all users will be chrooted and I
> > > won't be able to turn this back since I will not have access to /etc.
> >
> > Run a separate sshd instance on a different port, with -p. Test the
> > changes there.
>
> Ugh. Bad advice.
>
> Please see sshd_config(5) and
> http://undeadly.org/cgi?action=article&sid=20080220110039
>
> -ME

Yep, definitely better way to chroot.

But I still suggest running sshd on an off port to test changes if you're
concerned about locking yourself out.

==ml

--
Michael W. Lucas mwlu...@blackhelicopters.org, mwlu...@freebsd.org
http://www.BlackHelicopters.org/~mwlucas/
My pessimism extends to the point of even suspecting the sincerity of the
pessimists. -- Jean Rostand, French biologist and philosopher
SSH, SFTP, chroot and no login shells
Hi all,

I've been googling around for a couple of days now, and there is little consensus on how to solve the 'sftp no shell access' problem. I've found references to people that are using patched versions of OpenSSH (a solution I think begs for problems to occur) to facilitate chroot-ing users at login, restricted shells (to prevent users doing certain things like changing directories etc), and chrooting a user to their home dir using a chroot-ed shell.

The most straightforward solution seems to be offered by this link : http://turquoise.thing.dk/#create_chroot_home

However I'm still a little concerned that I don't necessarily have the right solution to this problem. So here's the problem (I have trawled the misc@ list archives and recognise people have put forward this problem before, but I haven't seen a definite solution appear - or at least not one I feel happy with).

I want to be able to provide sftp access to users; these users are not anonymous - they will have accounts that I create for them. However I don't want them to be able to get outside their home dirs (as with chroot-ed ftp), and I don't want them to have 'shells' (ie. I don't want them to be able to log in over ssh, or if they must, they must be chroot-ed to their home dir).

Cheers for any help,

Dave