From: Nigel Houghton <nigel@sourcefire.com>
To: Brett Glass
cc: freebsd-security@freebsd.org
Date: Mon, 20 Dec 2004 15:23:05 -0600
Subject: Re: chroot-ing users coming in via SSH and/or SFTP?
Message-ID: <20041220212304.GV792@sourcefire.com>
In-Reply-To: <6.2.0.14.2.20041220142255.06260ca0@localhost>
List-Id: Security issues [members-only posting] (freebsd-security@freebsd.org)

On 0, Brett Glass allegedly wrote:
> A client wants me to set up a mechanism whereby his customers can drop files
> securely into directories on his FreeBSD server; he also wants them to be
> able to retrieve files if needed. The server is already running OpenSSH,
> and he himself is using Windows clients (TeraTerm and WinSCP) to access it,
> so the logical thing to do seems to be to have his clients send and receive
> files via SFTP or SCP.
>
> The users depositing files on the server shouldn't be allowed to see what
> one another are doing or to grope around on the system, so it'd be a good
> idea to chroot them into home directories, as is commonly done with FTP.
>
> However, OpenSSH (or at least FreeBSD's version of it) doesn't seem to have a
> mechanism that allows users doing SSH, SCP, or SFTP to be chroot-ed into a
> specific directory. What is the most effective and elegant way to do this? I've
> seen some crude patches that allow you to put a /. in the home directory specified
> in /etc/passwd, but these are specific to versions of the "portable" OpenSSH
> and none of the diffs seem to match FreeBSD's files exactly.
>
> --Brett

Is there something wrong with using the scponly shell for the users? It is
available in ports and at http://www.sublimation.org/scponly/

+-----------------------------------------------------------------+
Nigel Houghton
Research Engineer
Sourcefire Inc.
Vulnerability Research Team

Stewie: You know, I rather like this God fellow. Very theatrical, you know.
Pestilence here, a plague there. Omnipotence ...gotta get me some of that.
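An added example, not part of the thread above: once customer accounts are given a restricted shell such as scponly, the thing to verify is that every such account actually has it and that nobody slipped back to a real shell. The script below audits a passwd-format file for that; the shell path, the UID range used to identify customer accounts, and the sample passwd contents are all assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit a passwd file
# for customer accounts that are supposed to be confined to a restricted
# shell such as scponly. RESTRICTED_SHELL and the UID range are assumed
# conventions for this example, not something the thread specifies.
RESTRICTED_SHELL="/usr/local/bin/scponlyc"   # assumed install path
MIN_UID=2000                                 # assumed customer UID range
MAX_UID=2999

# Write a constructed sample passwd file to the path given as $1; it
# stands in for /etc/passwd so the example runs offline.
make_sample_passwd() {
  cat > "$1" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
acme:*:2001:2001:ACME Corp:/home/acme:/usr/local/bin/scponlyc
globex:*:2002:2002:Globex:/home/globex:/bin/sh
initech:*:2003:2003:Initech:/home/initech:/usr/local/bin/scponlyc
jdoe:*:1001:1001:John Doe:/home/jdoe:/bin/tcsh
EOF
}

# Print, one per line, the customer accounts (selected by UID range) whose
# login shell is not the restricted shell, i.e. accounts that would get an
# unrestricted login through sshd. Takes the passwd file path as $1.
find_unrestricted() {
  awk -F: -v min="$MIN_UID" -v max="$MAX_UID" -v shell="$RESTRICTED_SHELL" \
    '$3 >= min && $3 <= max && $7 != shell { print $1 }' "$1"
}

# Return success if the restricted shell is listed in the shells file
# given as $1 (/etc/shells on a real system); chsh(1) and ftpd(8) only
# accept shells that appear there.
shell_registered() {
  grep -qx "$RESTRICTED_SHELL" "$1"
}

# Stand-alone usage: list offending accounts from the constructed sample.
if [ "${AUDIT_DEMO:-0}" = "1" ]; then
  tmp=$(mktemp) && make_sample_passwd "$tmp" && find_unrestricted "$tmp"
  rm -f "$tmp"
fi
```

Run with `AUDIT_DEMO=1 sh audit.sh` to see the sample output; on a live host point `find_unrestricted` at `/etc/passwd` and `shell_registered` at `/etc/shells`.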