Date:      Thu, 7 Sep 2006 09:35:08 -0400
From:      "David Robillard" <david.robillard@gmail.com>
To:        "Chad Leigh -- Shire.Net LLC" <chad@shire.net>
Cc:        FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: need a restricted shell
Message-ID:  <226ae0c60609070635n7e901beewa21f0757d2ab99ec@mail.gmail.com>

> I am looking for a shell that will allow Subversion to be run over
> ssh but not allow interactive login or if it allows interactive
> login, will only allow Subversion commands to be run...  Any ideas
> on how to accomplish this?

Hi Chad,

You could install the shells/scponly port and build it with its chroot option.
(i.e. sudo make -DWITH_SCPONLY_CHROOT install) Don't run the `make
clean` just yet, because you will need the "setup_chroot.sh" script
which is inside the work/scponly-<port_version> directory.

Use the script to create a chroot directory. Then populate this new
chroot directory with the files required by the commands and libraries
which you want to give to your users (such as Subversion).

Next, use vipw(8) to assign /usr/local/sbin/scponlyc as the shell and
the chroot directory for the user(s) which you want to limit only to
your Subversion commands. Assign a password to those users then test
if you can connect and use the Subversion commands.

Basically, this is Hack number 63 on page 269 in the book "BSD Hacks,
100 Industrial-Strength Tips & Tools" by Dru Lavigne published by
O'Reilly. (ISBN: 0-596-00679-9).

Also, to further restrict access to your machine, configure sshd(8) to
allow only a limited subset of users. See AllowUsers and AllowGroups
in sshd_config(5) for this.

Finally, if you happen to know the origin of the connections, then
configure TCP_WRAPPERS via /etc/hosts.allow to limit ssh connections.
See hosts_access(5) and section 14.6 of the FreeBSD Handbook for info
on how to set this up.

Alright, if you have any questions, please be my guest and send them up to me.

Cheers!

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
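As an added example, not part of David's reply: a small POSIX sh audit of the two settings the reply describes (the user's login shell set to scponlyc via vipw(8), and sshd restricted with AllowUsers/AllowGroups), run against constructed sample data. The account name svnuser and the passwd/sshd_config excerpts are assumptions for the demonstration.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd after vipw(8); not copied from a real host.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/sh
svnuser:*:1001:1001:Subversion user:/home/svnuser:/usr/local/sbin/scponlyc
alice:*:1002:1002:Alice:/home/alice:/bin/sh'

# Constructed sshd_config excerpt: only svnuser and members of wheel may log in.
SAMPLE_SSHD_CONFIG='PermitRootLogin no
AllowUsers svnuser
AllowGroups wheel'

# Return 0 if USER's login shell in PASSWD_TEXT is the scponly chroot shell.
user_shell_is_scponlyc() {
    user=$1 passwd_text=$2
    shell=$(printf '%s\n' "$passwd_text" | awk -F: -v u="$user" '$1 == u { print $7 }')
    [ "$shell" = "/usr/local/sbin/scponlyc" ]
}

# Return 0 if CONFIG_TEXT restricts logins (AllowUsers/AllowGroups present,
# keywords are case-insensitive in sshd_config) and USER is explicitly listed.
sshd_allows_only_user() {
    user=$1 config_text=$2
    printf '%s\n' "$config_text" | awk -v u="$user" '
        tolower($1) == "allowusers"  { seen = 1; for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
        tolower($1) == "allowgroups" { seen = 1 }
        END { exit !(seen && found) }'
}

# Combined check: the account is confined to scponlyc AND sshd admits it by name.
restricted_svn_user_ok() {
    user_shell_is_scponlyc "$1" "$2" && sshd_allows_only_user "$1" "$3"
}

# Usage: report on the constructed samples (exit status carries the result).
if restricted_svn_user_ok svnuser "$SAMPLE_PASSWD" "$SAMPLE_SSHD_CONFIG"; then
    echo "svnuser: confined to scponlyc and listed in AllowUsers"
else
    echo "svnuser: NOT correctly restricted"
fi
```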



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?226ae0c60609070635n7e901beewa21f0757d2ab99ec>