From: krad
To: Balázs Mátéffy
Cc: freebsd-questions@freebsd.org
Date: Wed, 4 May 2011 16:27:07 +0100
Subject: Re: Limitting SSH access

On 4 May 2011 12:47, Balázs Mátéffy wrote:

> On 4 May 2011 13:35, Matthew Seaman wrote:
>
> > On 04/05/2011 10:08, Jack Raats wrote:
> > > I have a question concerning SSH on a FreeBSD 7.4-STABLE server.
> > >
> > > Is it possible to limit the SSH access?
> > > I want to restrict a user to his own home directory.
> > > So that if he connects to the server with SSH he only can go to his own home dir.
> > > Also the same for sftp...
> > >
> >
> > I believe you will need to install a version of OpenSSH from ports to
> > get that functionality. It's the CHROOT config option in
> > security/openssh-portable
> >
> > Cheers
> >
> > Matthew
> >
> > --
> > Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
> > Flat 3
> > PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
> > JID: matthew@infracaninophile.co.uk Kent, CT11 9PW
> >
>
> Hello,
>
> It should work with the base openssh on 7.4. Check your version with sshd -v.
> Here, search for chroot (or use google :)):
> http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5
>
> Regarding ssh login, I usually use "rbash" from the ports, that restricts
> the user from leaving his or her home directory!
>
> Regards,
>
> Balazs Mateffy.

If you want them to be able to get a shell rather than an sftp prompt then you will have to go for the rbash option. If you chroot the shell to their home dir they won't have access to any system binaries so won't be able to 'ls' for example.
Having said that you could build a tree of all the binaries they need along with all the dependent libraries. This would get a bit cumbersome and wasteful of disk space for lots of users though. You might be better off with jails.
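
Added example, not part of the original thread: sshd_config(5) states that at session start sshd checks that every component of the ChrootDirectory path is a root-owned directory not writable by group or others, so a home directory owned by the user cannot itself be the chroot. This Python check reports which component fails; the function names and the sample layout are constructed for illustration.

```python
import os
import stat
from pathlib import PurePosixPath


def component_problem(st):
    """Return why sshd would reject this path component, or None if it passes."""
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if st.st_uid != 0:
        return f"owned by uid {st.st_uid}, not root"
    if st.st_mode & 0o022:
        return f"group/other writable (mode {stat.S_IMODE(st.st_mode):04o})"
    return None


def audit_chroot(path, stat_fn=os.stat):
    """Check every component from / down to path; return [(component, problem)]."""
    target = PurePosixPath(path)
    if not target.is_absolute():
        raise ValueError("ChrootDirectory must be an absolute path")
    findings = []
    # parents runs leaf-to-root, so reverse it to walk from / downwards.
    for comp in [*reversed(target.parents), target]:
        problem = component_problem(stat_fn(str(comp)))
        if problem:
            findings.append((str(comp), problem))
    return findings


# Constructed sample layout (uid, mode): the user owns the home directory.
SAMPLE = {
    "/": (0, stat.S_IFDIR | 0o755),
    "/home": (0, stat.S_IFDIR | 0o755),
    "/home/jack": (1001, stat.S_IFDIR | 0o755),
    "/home/shared": (0, stat.S_IFDIR | 0o775),
}


def sample_stat(path):
    """Stand-in for os.stat that answers from SAMPLE, so the demo runs offline."""
    uid, mode = SAMPLE[path]
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))


if __name__ == "__main__":
    for p in ("/home", "/home/jack", "/home/shared"):
        print(p, audit_chroot(p, sample_stat) or "ok")
```

On a real host, call `audit_chroot("/path/to/chroot")` with the default `os.stat` before pointing ChrootDirectory at that path.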