Date:      Mon, 28 Dec 2009 15:58:17 +0000
From:      krad <kraduk@googlemail.com>
To:        Marwan Sultan <dead_line@hotmail.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: chroot SSH users.
Message-ID:  <d36406630912280758t15342e2bt89010beb41593583@mail.gmail.com>
In-Reply-To: <SNT103-W11AD877FAAD147F2B90A849A7C0@phx.gbl>
References:  <SNT103-W1707BDD17EFB509D1EB7629A7C0@phx.gbl> <d36406630912270916t765e7dbyec98c5a674263df7@mail.gmail.com> <SNT103-W11AD877FAAD147F2B90A849A7C0@phx.gbl>

2009/12/27 Marwan Sultan <dead_line@hotmail.com>

>
> Dear Krad,
>  Thank you for your reply. Regarding your answer, I have a few questions here:
>
> 1-
>  in sshd_config file the default line is :
>  Subsystem       sftp    /usr/libexec/sftp-server
>
>  So should I comment out the line, or just add your line?
>  Subsystem sftp internal-sftp
>
>
Either should work; however, I only know that the one I put works.


> 2- The SSH is the default one that comes with FreeBSD; I of course did not
>    compile SSH in the system. Are you asking me to install additional packages,
>    or to recompile SSH, when you wrote:
>
>     "Make sure chroot support was compiled in"
>
>

Default should probably be OK, but again I haven't actually tested it, so I
can't say for certain. If you do ever upgrade the base SSH from ports, make
sure you have the chroot bit compiled in.


> 3- SSH users are using passwords, not keygen. Where do I get the keys for
>    their login?
>
>  Thank you
>
> - Marwan
>
You don't need to use key-based auth, but I generally do. The users have
to create them with ssh-keygen. I usually use DSA. If you support Windows
users, stay away from PuTTYgen. It does work fine; it's just that it tends to
generate keys in the wrong format, which often leads to confusion.


>
> > >
> > > Hello people,
> > >
> > > I'm on FreeBSD 7.2-R P5
> > >
> > > It's easy to chroot FTP users: adding users to /etc/ftpchroot makes the
> > > job easy.
> > >
> > > How about if I want to chroot the SSH users (not FTP)?
> > >
> > > Any easy way? No need for jail installation or anything like this.
> > > I saw the sshd_config file and it has a ChrootDirectory, but I'm not sure how
> > > to use it.
> > > Anyone? Any tips? Any easy way?
> > > Thank you
> > > -Marwan
> > >
>
> >
> > Fairly easy if you read the man page 8) I wrote this howto for Sun boxes at
> > work, but it was using OpenSSH, so the same rules should apply. Make sure
> > chroot support was compiled in though.
> >
> >
> > 1. Don't bother with Sun SSH; it won't work. OpenSolaris and later Solaris
> > 10 are bundled with OpenSSH though.
> > 2. Make sure the OpenSSH version is 5 or above (some 4s do work, but 5 is better).
> > 3. Add these lines to sshd_config:
> >
> >
> > Match Group sftponly
> > ChrootDirectory /home/chroot/%u
> > X11Forwarding no
> > AllowTcpForwarding no
> > ForceCommand internal-sftp
> >
> > 4. Make sure the Subsystem line is this:
> >
> > Subsystem sftp internal-sftp
> >
> > 5. Create the sftponly group on the system.
> > 6. Put the relevant users in this group. Be careful, as you will stop them
> > being able to ssh in!!
> > 7. Dead important, this bit!!!
> >
> >
> > mkdir -p /home/chroot/<user>/home/<user>/.ssh
> > chown -R root /home/chroot/<user>
> > # the chroot directory itself must stay root-owned; hand only the home inside it to the user
> > chown -R <user> /home/chroot/<user>/home/<user>
> > chmod -R 755 /home/chroot/<user> /home/chroot/<user>/home/<user>
> > ln -s /home/chroot/<user>/home/<user> /home/.
> >
> > 8. Put their ssh keys in /home/chroot/<user>/home/<user>/.ssh
> >
> >
> > All should now work.
> >
> > If not, check /etc/shadow; the account might be locked. This just caught me
> > out :)



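The "dead important" step in the quoted howto is where chrooted SFTP most often fails: sshd will not chroot unless the ChrootDirectory and every directory above it is owned by root and not writable by group or other, and it refuses the login with "bad ownership or modes for chroot directory" otherwise. The following is an added example, not code from the thread: a small Python pre-flight checker that mirrors sshd's own test (safely_chroot() in OpenSSH's session.c) and renders the Match block from the howto. It assumes the group name sftponly and the /home/chroot/%u template used in the thread; only the %u and %% tokens are expanded. build_demo_tree() constructs a throwaway directory tree under the temp directory purely to exercise the checker; it is not a usable chroot. Python is used rather than the thread's sh commands because a stat-based check written for sh differs between FreeBSD and GNU stat(1).

```python
#!/usr/bin/env python3
"""Pre-flight check for an OpenSSH ChrootDirectory tree.

sshd refuses the session with "bad ownership or modes for chroot
directory" unless the ChrootDirectory and every directory above it is
owned by root and has no group/other write bit. check_chroot_path()
mirrors that test (safely_chroot() in OpenSSH's session.c) so a
mis-owned tree is caught before a user is locked out of SFTP.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Names taken from the thread; change them to match your sshd_config.
SFTP_GROUP = "sftponly"
CHROOT_TEMPLATE = "/home/chroot/%u"


def match_block(group=SFTP_GROUP, chroot=CHROOT_TEMPLATE):
    """Render the sshd_config fragment from the thread.

    Subsystem must appear before the Match block: Match applies to
    everything that follows it until the next Match or end of file.
    """
    lines = [
        "Subsystem sftp internal-sftp",
        "",
        f"Match Group {group}",
        f"    ChrootDirectory {chroot}",
        "    X11Forwarding no",
        "    AllowTcpForwarding no",
        "    ForceCommand internal-sftp",
    ]
    return "\n".join(lines) + "\n"


def expand_chroot(template, user):
    """Expand %u and %% in a ChrootDirectory value for one user (other tokens untouched)."""
    return re.sub(r"%([u%])", lambda m: user if m.group(1) == "u" else "%", template)


def check_chroot_path(chroot_dir):
    """Return [(component, reason), ...]; an empty list means sshd will accept it.

    Walks every prefix of chroot_dir from "/" downwards, as sshd does,
    stat()ing each one: it must exist, be a directory, be owned by uid 0
    and not be writable by group or other (mode & 022 == 0).
    """
    p = Path(chroot_dir)
    if not p.is_absolute():
        return [(chroot_dir, "chroot path does not begin at the root")]
    problems = []
    for n in range(1, len(p.parts) + 1):
        comp = Path(*p.parts[:n])
        try:
            st = os.stat(comp)
        except OSError as e:
            problems.append((str(comp), f"stat failed: {e.strerror}"))
            break  # nothing below a missing component can be checked
        if not stat.S_ISDIR(st.st_mode):
            problems.append((str(comp), "not a directory"))
        if st.st_uid != 0:
            problems.append((str(comp), "not root-owned"))
        if st.st_mode & 0o022:
            problems.append((str(comp), "group/world writable"))
    return problems


def running_as_root():
    """True when the checker itself runs as uid 0 (affects which findings a demo tree yields)."""
    return os.geteuid() == 0


def build_demo_tree():
    """Construct a throwaway tree (NOT a usable chroot) to exercise the checker.

    <tmp>/bad is made group-writable, <tmp>/bad/ok gets the expected 0755.
    Returns (bad, ok) as path strings.
    """
    base = Path(tempfile.mkdtemp(prefix="chrootchk-"))
    bad = base / "bad"
    ok = bad / "ok"
    ok.mkdir(parents=True)
    bad.chmod(0o775)
    ok.chmod(0o755)
    return str(bad), str(ok)


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "alice"  # hypothetical user
    target = expand_chroot(CHROOT_TEMPLATE, user)
    print(match_block())
    for comp, reason in check_chroot_path(target) or [(target, "OK")]:
        print(f"{comp}: {reason}")
```

Run it as `python3 chrootchk.py <user>` on the server after creating the tree; every component it lists must be fixed (chown root, chmod go-w) before sshd will honour the ChrootDirectory. Note that the second chown in the howto must target the home directory inside the chroot, not the chroot root itself, or this check (and sshd) will report the chroot root as not root-owned.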