From: martin hudec
To: freebsd-security@freebsd.org
Date: Mon, 20 Dec 2004 22:27:10 +0100
Subject: Re: chroot-ing users coming in via SSH and/or SFTP?
Message-ID: <20041220212710.GA678@pleiades.aeternal.net>
In-Reply-To: <6.2.0.14.2.20041220142255.06260ca0@localhost>
List-Id: Security issues [members-only posting] (freebsd-security@freebsd.org)
X-Operating-System: FreeBSD pleiades.aeternal.net 6.0-CURRENT i386
User-Agent: Mutt/1.5.6i

Hello,

On Mon, Dec 20, 2004 at 02:23:02PM -0700 or thereabouts, Brett Glass wrote:
> The users depositing files on the server shouldn't be allowed to see what
> one another are doing or to grope around on the system, so it'd be a good
> idea to chroot them into home directories, as is commonly done with FTP.
>
> However, OpenSSH (or at least FreeBSD's version of it) doesn't seem to have a
> mechanism that allows users doing SSH, SCP, or SFTP to be chroot-ed into a
> specific directory. What is the most effective and elegant way to do this? I've
> seen some crude patches that allow you to put a /. in the home directory specified
> in /etc/passwd, but these are specific to versions of the "portable" OpenSSH
> and none of the diffs seem to match FreeBSD's files exactly.

Go for /usr/ports/shells/scponly; it also has the ability to use chroot.

Cheers,
Martin

-- 
martin hudec * 421 907 303 393 * corwin@aeternal.net * http://www.aeternal.net
"Nothing travels faster than the speed of light with the possible
exception of bad news, which obeys its own special laws."
Douglas Adams, "The Hitchhiker's Guide to the Galaxy"
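The reply above points at scponly as the way to confine SCP/SFTP drop-box users, but a chroot that is declared in /etc/passwd and not actually enforced is the classic way such setups go wrong. The script below is an added example for this archive page, not code from the original mail, from FreeBSD or from the scponly project. It lints passwd(5)-style entries for the mismatches an administrator most often ships: the chroot-capable scponlyc shell with no chroot root defined, the chroot marker present while the account's shell is the non-chrooting scponly or an interactive shell, and shells missing from /etc/shells. It assumes the FreeBSD port installs the binaries at /usr/local/bin/scponly and /usr/local/bin/scponlyc, and that scponlyc takes everything before the first "//" in the home directory as the chroot root (its documented convention at the time); the passwd and shells data are constructed for the example.

```python
# Lint passwd(5)-style entries for scponly/scponlyc drop-box accounts.
# Added illustration for the thread above; not code from the original mail,
# from FreeBSD or from scponly. Assumed: the FreeBSD port installs the two
# binaries at the paths below, and scponlyc treats everything before the first
# "//" in the home field as the chroot root (home = /jail/root//path/inside).

SCPONLY_CHROOT = "/usr/local/bin/scponlyc"   # chroot-capable variant (assumed path)
SCPONLY_PLAIN = "/usr/local/bin/scponly"     # restricted shell, no chroot (assumed path)
CHROOT_MARKER = "//"

# Constructed sample data: one correct entry (alice) and three common mistakes.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice//incoming:/usr/local/bin/scponlyc
bob:*:1002:1002:Bob:/home/bob:/usr/local/bin/scponlyc
carol:*:1003:1003:Carol:/home/carol//:/usr/local/bin/scponly
dave:*:1004:1004:Dave:/home/dave//upload:/bin/sh
"""

SAMPLE_SHELLS = """\
/bin/sh
/bin/csh
/usr/local/bin/scponlyc
"""


def parse_passwd(text):
    """Return (user, home, shell) tuples from passwd(5)-style lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append((fields[0], fields[5], fields[6]))
    return entries


def split_chroot_home(home):
    """Split an scponlyc home into (jail_root, path_inside_jail).

    Returns (None, home) when the // marker is absent, i.e. no chroot root.
    """
    idx = home.find(CHROOT_MARKER)
    if idx == -1:
        return None, home
    jail = home[:idx] or "/"
    inside = "/" + home[idx + len(CHROOT_MARKER):].lstrip("/")
    return jail, inside


def audit(passwd_text, shells_text):
    """Map user -> list of findings where the passwd entry suggests a
    confinement that is not actually in effect (or a shell that will be
    refused by chpass(1) because it is missing from /etc/shells)."""
    valid_shells = {s.strip() for s in shells_text.splitlines() if s.strip()}
    findings = {}
    for user, home, shell in parse_passwd(passwd_text):
        problems = []
        jail, _inside = split_chroot_home(home)
        if shell == SCPONLY_CHROOT and jail is None:
            problems.append("scponlyc without // in home: no chroot root is defined")
        if shell == SCPONLY_PLAIN and jail is not None:
            problems.append("// marker present but shell is non-chroot scponly: user is not jailed")
        if shell not in (SCPONLY_CHROOT, SCPONLY_PLAIN) and jail is not None:
            problems.append("// marker present but shell is interactive: user is not jailed")
        if shell not in valid_shells:
            problems.append("shell not listed in /etc/shells")
        if problems:
            findings[user] = problems
    return findings


if __name__ == "__main__":
    for user, problems in sorted(audit(SAMPLE_PASSWD, SAMPLE_SHELLS).items()):
        for problem in problems:
            print(f"{user}: {problem}")
```

Run against the real files with `audit(open("/etc/passwd").read(), open("/etc/shells").read())`; on FreeBSD, read /etc/master.passwd only if you also need the encrypted password field, since the seven-field layout above is that of /etc/passwd. The lint checks declarations only; it does not verify that the jail root is root-owned and not writable by the confined user, which still has to be checked on the filesystem.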