Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 4 May 2011 17:36:10 +0100
From:      Chris Rees <utisoft@gmail.com>
To:        Peter Vereshagin <peter@vereshagin.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Limitting SSH access
Message-ID:  <BANLkTi=JFrVqxCwmzEb6d72s4E19bWciow@mail.gmail.com>
In-Reply-To: <20110504160459.GB5327@external.screwed.box>
References:  <07CAE521148F4E7392202CD6B031F504@jarasc430> <4DC139F7.9080109@infracaninophile.co.uk> <BANLkTinnErTDZYwsV8OgzRfbMTXoHzQeMw@mail.gmail.com> <BANLkTinSmbwOzya3we70Dn-RHb4Xg5sBwA@mail.gmail.com> <BANLkTinTG6koR3H-=6D+Zxkh6cbYNPgcHw@mail.gmail.com> <20110504160459.GB5327@external.screwed.box>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
2011/5/4 Peter Vereshagin <peter@vereshagin.org>:
> Wake me up when September ends, freebsd-questions!
> 2011/05/04 16:47:33 +0100 Chris Rees <utisoft@gmail.com> =3D> To krad :
> CR> > > > > Is it possible to limit the SSH access?
> CR> > > Regarding ssh login, I usually use "rbash" from the ports, that
> CR> restricts
> CR> Or you could have a special /bin-restricted that you nullfs mount int=
o
> CR> ~userN/bin.
>
>
> I personally should like to have a quick recipe on how to create such a l=
imited
> set of binaries ( libraries, mans, etc., each mounted with nullfs =A0read=
-only to
> every such a user's home ) from the 'world' build.
> Some options like the rsync I consider to be a must in some cases so this
> should include the ports availability, isn't it?
>


Hehe, big can of worms here. Plenty of opportunity to break out of a
chroot, as well as the fact that it's largely discredited as a
security mechanism [1].

Someone mentioned Jails earlier, probably a better idea.

Chris

[1] http://kerneltrap.org/Linux/Abusing_chroot



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?BANLkTi=JFrVqxCwmzEb6d72s4E19bWciow>