From owner-freebsd-questions@FreeBSD.ORG Wed Apr 11 16:38:11 2007
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 2CC9C16A404 for ; Wed, 11 Apr 2007 16:38:11 +0000 (UTC) (envelope-from derek@computinginnovations.com)
Received: from betty.computinginnovations.com (dsl081-227-250.chi1.dsl.speakeasy.net [64.81.227.250]) by mx1.freebsd.org (Postfix) with ESMTP id C201B13C45B for ; Wed, 11 Apr 2007 16:38:10 +0000 (UTC) (envelope-from derek@computinginnovations.com)
Received: from p28.computinginnovations.com (dhcp-10-20-30-100.computinginnovations.com [10.20.30.100]) (authenticated bits=0) by betty.computinginnovations.com (8.13.8/8.12.11) with ESMTP id l3BGbW02004413; Wed, 11 Apr 2007 11:37:32 -0500 (CDT)
Message-Id: <6.0.0.22.2.20070411112944.0257b920@mail.computinginnovations.com>
X-Sender: derek@mail.computinginnovations.com
X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
Date: Wed, 11 Apr 2007 11:37:00 -0500
To: "Thiago Esteves de Oliveira"
From: Derek Ragona
In-Reply-To: <56870.146.164.92.1.1176308436.squirrel@www.lamce.coppe.ufrj.br>
References: <63726.146.164.92.1.1176218908.squirrel@www.lamce.coppe.ufrj.br> <6.0.0.22.2.20070410105843.02537e38@mail.computinginnovations.com> <56870.146.164.92.1.1176308436.squirrel@www.lamce.coppe.ufrj.br>
Mime-Version: 1.0
X-ComputingInnovations-MailScanner-Information: Please contact the ISP for more information
X-ComputingInnovations-MailScanner: Found to be clean
X-ComputingInnovations-MailScanner-From: derek@computinginnovations.com
X-Spam-Status: No
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-questions@freebsd.org
Subject: Re: Chroot/jail mechanism in ssh and sftp connections
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 11 Apr 2007 16:38:11 -0000

At 11:20 AM 4/11/2007, Thiago Esteves de Oliveira wrote:
>Thanks for the suggestion. I intend to study this possible solution,
>but to save time I'd like to ask you some questions.
>
>With this software, can I control which accounts "from the unix passwd
>file" will be able to log in?

Yes, just set the shell to a non-login shell for users you don't want to
give shell access. Typically I set those users' shell to: /usr/bin/false

>If there is a symbolic link in the home directory (jail/chroot) that points
>to anywhere out of it, will the users be able to use this symlink? Will
>they go out from their jail/chroot directory this way?

You can actually specify what ftp commands are allowed in the vsftpd.conf
file; on one server I manage I have set:

cmds_allowed=PASV,RETR,QUIT,USER,PASS,STOR,CDDN,CWD,LIST,GET,PUT,DIR,PWD,SYST,LS,TYPE,DELE,FEAT,PBSZ,PROT

But you'd probably want to remove any symlinks that shouldn't be there.

>Derek Ragona wrote:
>> At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
>>>Hello,
>>>I want to use the chroot/jail mechanism in users' ssh and sftp
>>>connections. I've read some tutorials and possible solutions to
>>>jail/chroot the users into their own home directories. One is to
>>>install the openssh-portable (with chroot option turned on) from the
>>>ports collection. I've installed the openssh-portable, but the
>>>jail/chroot mechanism didn't work. I think it requires some
>>>configuration in its sshd_config file, but I'm not sure because I have
>>>found nothing about jail/chroot in the openssh (sshd_config) man pages.
>>
>> I have implemented a similar setup using vsftpd from the ports. It
>> works well for secure ftp when used with the filezilla client. You can
>> limit the ftp commands in the vsftpd configuration file so users cannot
>> get out of their home directories, which chroots them there.
>>
>> You do need to add one thing to the accounts, which is to change their
>> home directory in /etc/passwd, adding an additional dot. For instance,
>> if a user's home directory is:
>>
>> /home/user
>>
>> You'd need to change it to:
>>
>> /home/./user
>>
>> vsftpd is well documented and relatively easy to get set up and running.
>>
>> -Derek

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.
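The two questions raised in the thread (which passwd accounts can still log in, and whether a symlink under a chroot can lead outside it) are both things an administrator can check mechanically before handing out accounts. The script below is an added example written for this page; it is not code from the thread, from vsftpd or from OpenSSH. The passwd lines and the directory tree it inspects are constructed for the demo. `chroot_root` assumes the wu-ftpd style reading of `/home/./user` (chroot to the part before `/./`, start in the part after it); the thread does not say how vsftpd treats that form. One related fact about vsftpd worth knowing when you move a user to `/usr/bin/false`: in non-PAM builds its `check_shell` option (default YES) rejects FTP logins whose shell is not listed in `/etc/shells`.

```python
"""Audit helpers for a per-user FTP/SFTP chroot.

Added example, not code from the thread. Two checks the thread raises:
  1. which passwd accounts still have a real login shell;
  2. whether any symlink under a user's chroot resolves to a path outside it.
The passwd lines and the directory tree are constructed here for the demo.
"""
import os
import tempfile

# Constructed sample in /etc/passwd format (not a real system's file).
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/./alice:/usr/bin/false
bob:*:1002:1002:Bob:/home/bob:/bin/sh
ftpuser:*:1003:1003:FTP only:/home/./ftpuser:/usr/sbin/nologin
"""

# Stand-in for /etc/shells; on a real host read that file instead.
LOGIN_SHELLS = {"/bin/sh", "/bin/csh", "/bin/tcsh"}


def parse_passwd(text):
    """Parse passwd-format text into dicts; malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell})
    return users


def accounts_with_shell_access(text, login_shells=LOGIN_SHELLS):
    """Accounts whose shell is a real login shell (candidates to lock down)."""
    return [u["name"] for u in parse_passwd(text) if u["shell"] in login_shells]


def chroot_root(home):
    """Assumed wu-ftpd convention for '/home/./user': the part before '/./'
    is the chroot root, the rest is the initial directory inside it. A home
    without the marker is treated as the whole chroot."""
    if "/./" in home:
        return home.split("/./", 1)[0]
    return home


def escaping_symlinks(root):
    """Return sorted (relative link path, raw link target) for every symlink
    under root whose fully resolved target lies outside root. Dangling links
    are reported too, since realpath() still resolves where they point."""
    root = os.path.realpath(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                found.append((os.path.relpath(path, root), os.readlink(path)))
    return sorted(found)


def build_demo_tree():
    """Constructed chroot tree: one link that stays inside, two that escape."""
    base = tempfile.mkdtemp(prefix="chroot-demo-")
    root = os.path.join(base, "home", "alice")
    os.makedirs(os.path.join(root, "pub"))
    os.makedirs(os.path.join(base, "secret"))
    os.symlink("pub", os.path.join(root, "pub_alias"))  # relative, stays inside
    os.symlink(os.path.join(base, "secret"), os.path.join(root, "pub", "escape"))
    os.symlink("/etc/passwd", os.path.join(root, "pw"))  # absolute, outside
    return root


if __name__ == "__main__":
    print("accounts with a login shell:", accounts_with_shell_access(SAMPLE_PASSWD))
    for u in parse_passwd(SAMPLE_PASSWD):
        print(f"{u['name']}: chroot root {chroot_root(u['home'])}")
    for rel, target in escaping_symlinks(build_demo_tree()):
        print(f"escaping symlink {rel} -> {target}")
```

Run it against a real tree with `escaping_symlinks("/home/user")` after reading `/etc/passwd` and `/etc/shells` instead of the constructed samples. Note what `chroot_root` shows for the `/home/./alice` form under the assumed convention: the chroot root becomes `/home`, not `/home/alice`, so check that the resulting root is the one you intended before relying on it.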