From owner-freebsd-questions@FreeBSD.ORG  Mon Dec 28 09:28:55 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CC5AD1065698
	for <freebsd-questions@freebsd.org>;
	Mon, 28 Dec 2009 09:28:55 +0000 (UTC)
	(envelope-from tijl@coosemans.org)
Received: from mailrelay010.isp.belgacom.be (mailrelay010.isp.belgacom.be
	[195.238.6.177])
	by mx1.freebsd.org (Postfix) with ESMTP id 6BE8D8FC13
	for <freebsd-questions@freebsd.org>;
	Mon, 28 Dec 2009 09:28:55 +0000 (UTC)
X-Belgacom-Dynamic: yes
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Aj0FAKIJOEtR9SEI/2dsb2JhbACBSdAghDME
Received: from 8.33-245-81.adsl-dyn.isp.belgacom.be (HELO
	kalimero.tijl.coosemans.org) ([81.245.33.8])
	by relay.skynet.be with ESMTP; 28 Dec 2009 10:28:48 +0100
Received: from kalimero.tijl.coosemans.org (kalimero.tijl.coosemans.org
	[127.0.0.1])
	by kalimero.tijl.coosemans.org (8.14.3/8.14.3) with ESMTP id
	nBS9Sl8d002158; Mon, 28 Dec 2009 10:28:47 +0100 (CET)
	(envelope-from tijl@coosemans.org)
From: Tijl Coosemans <tijl@coosemans.org>
To: freebsd-questions@freebsd.org
Date: Mon, 28 Dec 2009 10:28:46 +0100
User-Agent: KMail/1.9.10
References: <SNT103-W1707BDD17EFB509D1EB7629A7C0@phx.gbl>
	<d36406630912270916t765e7dbyec98c5a674263df7@mail.gmail.com>
In-Reply-To: <d36406630912270916t765e7dbyec98c5a674263df7@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200912281028.47462.tijl@coosemans.org>
Cc: krad <kraduk@googlemail.com>, Marwan Sultan <dead_line@hotmail.com>
Subject: Re: chroot SSH users.
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Dec 2009 09:28:55 -0000

On Sunday 27 December 2009 18:16:47 krad wrote:
> fairly easy if you read the man page 8) I wrote this howto for sun
> boxes at work but it was using openssh so same rules should apply.
> Make sure chroot support was compiled in though
> 
>    1. Dont bother with sun ssh it wont work. Opensolaris and later solaris
>    10 are bundled with openssh though.
>    2. Make sure openssh version is 5 or above (some 4s do work but 5 better)
>    3. Add these lines to sshd config
> 
>    Match Group sftponly
>             ChrootDirectory /home/chroot/%u
>             X11Forwarding no
>             AllowTcpForwarding no
>             ForceCommand internal-sftp
> 
>     4. Make sure the Subsystem line is this
> 
>    Subsystem       sftp    internal-sftp
> 
>     5. create the sftponly group on the system
>    6. put the relevent users in this group. be careful as you will stop them
>    being able to ssh in!!
>    7. Dead important this bit !!!
> 
>    mkdir -p /home/chroot/<user>/home/<user>/.ssh
>    chown -R root /home/chroot/<user>
>    chown -R <user> /home/chroot/<user>

Shouldn't this line be:
   chown -R <user> /home/chroot/<user>/home/<user>

>    chmod -R 755 /home/chroot/<user> /home/chroot/<user>/home/<user>
>    ln -s /home/chroot/<user>/home/<user> /home/.
> 
>     8. Put their ssh keys in /home/chroot/<user>/home/<user>/.ssh
> 
>  All should now work