From: krad <kraduk@googlemail.com>
To: Marwan Sultan
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Mon, 28 Dec 2009 15:58:17 +0000
Subject: Re: chroot SSH users.
2009/12/27 Marwan Sultan

> Dear Krad,
> Thank you for your reply. Regarding your answer, I have a few questions here.
>
> 1-
> In the sshd_config file the default line is:
> Subsystem sftp /usr/libexec/sftp-server
>
> So should I comment out the line, or just add your line?
> Subsystem sftp internal-sftp

Either should work, however I only know that the one I put works.

> 2- The SSH is the default one that comes with FreeBSD; I of course did not compile
> SSH in the system. Are you asking me to install additional packages,
> or to recompile ssh, when you wrote:
>
> "Make sure chroot support was compiled in"

Default should probably be ok, but again I haven't actually tested it so can't say for certain. If you do ever upgrade the base ssh from ports, make sure you have the chroot bit compiled in.

> 3- SSH users are using passwords, not keygen. Where do I get the keys for their
> login?
>
> Thank you
>
> - Marwan

You don't need to use key based auth, but I generally do. The users have to create them with ssh-keygen. I usually use dsa. If you support windows users stay away from puttygen. It does work fine, it's just that it tends to generate keys in the wrong format, which often leads to confusion.

> > > Hello people,
> > >
> > > I'm on FreeBSD 7.2-R P5
> > >
> > > It's easy to chroot ftp users - adding users to /etc/ftpchroot makes the
> > > job easy.
> > >
> > > How about if I want to chroot the SSH users (not ftp)?
> > >
> > > Any easy way? No need for jail installation or anything like this..
> > >
> > > I saw the sshd_config file and it has a chrootdirectory but not sure how to
> > > use it..
> > >
> > > Anyone? Any tips? Any easy way?
> > >
> > > Thank you
> > > -Marwan
> >
> > Fairly easy if you read the man page 8) I wrote this howto for sun boxes at
> > work but it was using openssh so the same rules should apply. Make sure chroot
> > support was compiled in though.
> >
> > 1. Don't bother with sun ssh, it won't work. Opensolaris and later solaris
> >    10 are bundled with openssh though.
> > 2. Make sure the openssh version is 5 or above (some 4s do work but 5 is better).
> > 3. Add these lines to sshd config:
> >
> >    Match Group sftponly
> >    ChrootDirectory /home/chroot/%u
> >    X11Forwarding no
> >    AllowTcpForwarding no
> >    ForceCommand internal-sftp
> >
> > 4. Make sure the Subsystem line is this:
> >
> >    Subsystem sftp internal-sftp
> >
> > 5. Create the sftponly group on the system.
> > 6. Put the relevant users in this group. Be careful, as you will stop them
> >    being able to ssh in!!
> > 7. Dead important this bit !!!
> >
> >    mkdir -p /home/chroot//home//.ssh
> >    chown -R root /home/chroot/
> >    chown -R /home/chroot/
> >    chmod -R 755 /home/chroot/ /home/chroot//home/
> >    ln -s /home/chroot//home/ /home/.
> >
> > 8. Put their ssh keys in /home/chroot//home//.ssh
> >
> > All should now work.
> >
> > If not, check /etc/shadow; the account might be locked. This just caught me
> > out :)
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"