Date:      Tue, 11 Mar 2008 18:16:10 -0400
From:      Jerry McAllister <jerrymc@msu.edu>
To:        "Philip M. Gollucci" <pgollucci@riderway.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: security/openssh-portable
Message-ID:  <20080311221610.GB2418@gizmo.acns.msu.edu>
In-Reply-To: <47D702EC.2090908@riderway.com>
References:  <47D702EC.2090908@riderway.com>

On Tue, Mar 11, 2008 at 06:08:44PM -0400, Philip M. Gollucci wrote:

> Hi,
> 
> I'm setting up a 'chrooted' SFTP only set of users:
> 
> /etc/make.conf:
> .if ${.CURDIR:M*/usr/ports/security/openssh-portable*}
>   WITH_SUID_SSH         =yes
>   WITH_OPENSSH_CHROOT   =yes
>   WITH_HPN              =yes
>   WITH_OVERWRITE_BASE	=yes
> .endif
> 
> /etc/rc.conf:
> sshd_enable="NO"
> openssh_enable="YES"
> 
> /etc/passwd:
> user:*:3000:3000::0:0:F L:/foo/./user:/bin/sh
> 
> Access will be with ssh dsa keys only.
> 
> What is the best way to make this SFTP only and not SSH?
> 1) .ssh/authorization?
> 2) change user's shell to /usr/local/libexec/sftp-server
> 3) change user's shell to a custom C wrapper around [2]
> 4) a combination of them

The usual thing is to make the shell /bin/nologin

////jerry

> 
> -- 
> ------------------------------------------------------------------------
> Philip M. Gollucci (philip@ridecharge.com)
> o:703.549.2050x206
> Senior System Admin - Riderway, Inc.
> http://riderway.com / http://ridecharge.com
> 1024D/EC88A0BF 0DE5 C55C 6BF3 B235 2DAB  B89E 1324 9B4F EC88 A0BF
> 
> Work like you don't need the money,
> love like you'll never get hurt,
> and dance like nobody's watching.
> 
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
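
An added example, not part of either message and not code from the port: a small audit over passwd-style entries such as the one quoted above, listing accounts whose home directory carries the `/./` marker together with the kind of login shell they have. It assumes the `/./` in the home directory marks the chroot boundary, and the shell lists are illustrative assumptions to adjust to local policy.

```python
# Added example (not from the thread): audit passwd-style entries for
# chroot-marked accounts and report what kind of login shell each one has.
# Assumption: "/./" in the home directory marks the chroot boundary.
CHROOT_MARK = "/./"
# Assumption: shell lists are illustrative; adjust to local policy.
SFTP_SHELLS = {"/usr/local/libexec/sftp-server"}  # option 2 in the question
NOLOGIN_SHELLS = {"/bin/nologin", "/sbin/nologin", "/usr/sbin/nologin"}

def parse_entry(line):
    """Accept 7-field passwd or 10-field master.passwd lines."""
    f = line.rstrip("\n").split(":")
    if len(f) == 10:    # name:pw:uid:gid:class:change:expire:gecos:home:shell
        home, shell = f[8], f[9]
    elif len(f) == 7:   # name:pw:uid:gid:gecos:home:shell
        home, shell = f[5], f[6]
    else:
        raise ValueError("unexpected field count %d: %r" % (len(f), line))
    return {"name": f[0], "uid": int(f[2]), "home": home, "shell": shell}

def split_chroot(home):
    """Return (chroot_root, path_inside_chroot); root is None without marker."""
    if CHROOT_MARK not in home:
        return None, home
    root, inside = home.split(CHROOT_MARK, 1)
    return root or "/", "/" + inside.lstrip("/")

def classify_shell(shell):
    if shell in SFTP_SHELLS:
        return "sftp-only"
    if shell in NOLOGIN_SHELLS:
        return "nologin"
    return "interactive-or-custom"  # also covers a custom wrapper (option 3)

def audit(lines):
    """Return (name, chroot_root, shell_kind) for every chroot-marked account."""
    out = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        e = parse_entry(line)
        root, _ = split_chroot(e["home"])
        if root is not None:
            out.append((e["name"], root, classify_shell(e["shell"])))
    return out

# Sample input: the first line is the entry quoted above, the rest are constructed.
SAMPLE = [
    "user:*:3000:3000::0:0:F L:/foo/./user:/bin/sh",
    "drop:*:3001:3000::0:0:Constructed:/foo/./drop:/usr/local/libexec/sftp-server",
    "admin:*:1001:1001:Constructed:/home/admin:/bin/sh",
]
```

Calling `audit(SAMPLE)` reports the quoted `user` entry as chroot-marked with an interactive shell, which is the state the question starts from.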
