From owner-freebsd-questions@FreeBSD.ORG Wed Apr 11 16:20:39 2007
Message-ID: <56870.146.164.92.1.1176308436.squirrel@www.lamce.coppe.ufrj.br>
Date: Wed, 11 Apr 2007 13:20:36 -0300 (BRT)
From: "Thiago Esteves de Oliveira"
To: "Derek Ragona"
Cc: freebsd-questions@freebsd.org
Subject: Re: Chroot/jail mechanism in ssh and sftp connections
References: <63726.146.164.92.1.1176218908.squirrel@www.lamce.coppe.ufrj.br> <6.0.0.22.2.20070410105843.02537e38@mail.computinginnovations.com>
In-Reply-To: <6.0.0.22.2.20070410105843.02537e38@mail.computinginnovations.com>

Thanks for the suggestion. I intend to study this possible solution, but to save time I'd like to ask you some questions.

With this software, can I control which accounts "from the unix passwd file" will be able to log in? If there is a symbolic link in the home directory (jail/chroot) that points anywhere outside it, will the users be able to use this symlink? Will they go out of their jail/chroot directory this way?

Derek Ragona wrote:
> At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
>> Hello,
>> I want to use the chroot/jail mechanism in users' ssh and sftp
>> connections. I've read some tutorials and possible solutions to
>> jail/chroot the users into their own home directories. One is to
>> install openssh-portable (with the chroot option turned on) from the
>> ports collection. I've installed openssh-portable, but the jail/chroot
>> mechanism didn't work. I think it requires some configuration in its
>> sshd_config file, but I'm not sure, because I have found nothing about
>> jail/chroot in the openssh (sshd_config) man pages.
>
> I have implemented a similar setup using vsftpd from the ports. It works
> well for secure ftp when used with the filezilla client. You can limit
> the ftp command in the vsftpd configuration file so users cannot get out
> of their home directories, which chroots them there. You do need to add
> one thing to the accounts, which is to change their home directory in
> /etc/passwd, adding an additional dot. For instance, if a user's home
> directory is:
> /home/user
>
> You'd need to change it to:
> /home/./user
>
> vsftpd is well documented and relatively easy to get set up and running.
>
> -Derek
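The two questions in this message (which passwd accounts get in, and whether a symlink inside the jail can lead out of it) can both be answered with a small model of what the daemon does. The following is an added example, not code from the thread or from vsftpd itself. It assumes the vsftpd semantics of `chroot_local_user=YES` with `passwd_chroot_enable=YES`, where the `/./` marker Derek describes splits the passwd home field into the jail root (the part before the marker) and the directory the session starts in (the part after it), and the semantics of `userlist_enable`/`userlist_deny`, where a user list is either an allow-list or a deny-list. It also models how a `chroot()`ed process resolves symlinks: an absolute link target is interpreted relative to the jail root, so a link to `/etc/passwd` made inside the jail reaches `<jail>/etc/passwd` on the host, not the real file. The passwd lines and symlink table are constructed for the example.

```python
"""Model of passwd-based FTP jails and in-jail symlink resolution.

Added example; the sample passwd lines and symlink table are constructed,
and the '/./' and user-list semantics follow vsftpd's documented options
(chroot_local_user, passwd_chroot_enable, userlist_enable, userlist_deny).
"""
import posixpath

# Constructed sample /etc/passwd lines (not real accounts).
SAMPLE_PASSWD = """\
alice:*:1001:1001:Alice:/home/./alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/srv/ftp/./carol/upload:/usr/sbin/nologin
"""


def split_chroot_home(home):
    """Split a passwd home field into (jail_root, start_dir_inside_jail).

    '/home/./alice'            -> ('/home', '/alice')
    '/srv/ftp/./carol/upload'  -> ('/srv/ftp', '/carol/upload')
    '/home/bob' (no marker)    -> ('/home/bob', '/')  the whole home is the jail
    """
    marker = "/./"
    idx = home.find(marker)
    if idx == -1:
        return home, "/"
    jail = home[:idx] or "/"
    start = home[idx + len(marker) - 1:]  # keep the leading '/'
    return jail, posixpath.normpath(start)


def parse_passwd(text):
    """Parse passwd-format text into {name: {uid, gid, home, jail, start, shell}}."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, _gecos, home, shell = fields
        jail, start = split_chroot_home(home)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home,
                       "jail": jail, "start": start, "shell": shell}
    return users


def login_allowed(name, userlist, userlist_deny=True):
    """vsftpd user-list semantics: with userlist_deny=YES the listed users are
    refused; with userlist_deny=NO only the listed users are admitted."""
    listed = name in userlist
    return (not listed) if userlist_deny else listed


def resolve_in_jail(jail_root, path_in_jail, symlinks, max_hops=40):
    """Return the host path a chroot()ed process reaches for `path_in_jail`.

    `symlinks` maps absolute host paths of links to their target strings
    (a constructed stand-in for readlink()). Absolute targets are taken
    relative to the jail root, relative targets relative to the link's own
    directory; '..' at the jail root stays at the jail root. Either way the
    result never leaves `jail_root`.
    """
    cur = "/"
    pending = [c for c in path_in_jail.split("/") if c and c != "."]
    hops = 0
    while pending:
        comp = pending.pop(0)
        if comp == "..":
            cur = posixpath.dirname(cur.rstrip("/")) or "/"
            continue
        candidate = posixpath.join(cur, comp)
        host = posixpath.normpath(jail_root + candidate)
        target = symlinks.get(host)
        if target is None:
            cur = candidate
            continue
        hops += 1
        if hops > max_hops:
            raise OSError("too many levels of symbolic links")
        target_comps = [c for c in target.split("/") if c and c != "."]
        if target.startswith("/"):
            cur = "/"  # absolute target: restart from the jail root, not the host root
        pending = target_comps + pending
    return posixpath.normpath(jail_root + cur)


if __name__ == "__main__":
    for name, u in parse_passwd(SAMPLE_PASSWD).items():
        print(name, "jail:", u["jail"], "starts in:", u["start"])
    links = {"/home/alice/escape": "/etc", "/home/alice/up": "../../etc"}
    print(resolve_in_jail("/home/alice", "/escape/passwd", links))
    print(resolve_in_jail("/home/alice", "/up/passwd", links))
```

Both probes in the usage block end at `/home/alice/etc/passwd`: neither the absolute link nor the `..`-climbing one gets past the jail root, which is the kernel's behaviour for a chroot()ed process and the reason the symlink question has a reassuring answer. The remaining risk is not the symlink itself but anything that runs outside the jail on the user's behalf, which this model does not cover.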