Hi, and thanks for the quick replies!

Just to be a bit clearer in what I'm asking: I would like to be able to allow my customers to access their accounts (update their web sites) with sftp which as I understand it is an extension to (Open)SSH, and not FTP. I know for example that the Windows application - WS_FTP Pro - has an option to use sftp/ssh on port 22 and when I tested it, I landed way up at root "/". So, I'd like to be able to allow secure access, but with an ftp client like WS_FTP Pro using sftp, and not a Secure SHell. I have my server set up so that the customer can use SSH to change their password, and that's all they can do with SSH.

Is there nothing in the ssh_config or sshd_config which can be set to restrict sftp access to a designated directory? It seems to me that the patched OpenSSH way that Hiren pointed out is workable - http://chrootssh.sourceforge.net/docs/chrootedsftp.html but I'm open to other maybe better ways.

Thanks again,
Robert

----- Original Message -----
From: "MB" <[EMAIL PROTECTED]>
To: "Andreas John" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, June 28, 2004 6:47 PM
Subject: Re: restricting sftp/ssh login access

> John,
>
> First off, I made a small mistake, the package I used was "jailkit",
> from either:
>
> http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
> or
> http://freshmeat.net/projects/jailkit/
>
> It has tons of documentation to help you create a jailed environment,
> including loading your jail with whatever executables needed.
>
> Looks like I simplified my script to one line:
>
> -----------------------
> #!/bin/bash
>
> /usr/sbin/jk_socketd
> ------------------------
>
> This produces a group of daemonized processes:
> nobody 13659 13658 0 Apr18 ? 00:00:00 [jk_socketd]
>
> but I think that I had a much more elaborate script to
> {start|stop|restart} this daemon, something like:
>
> /etc/init.d/chroot_jail
> ------------------------
> #!/bin/bash
>
> case "$1" in
>   start)
>     echo -n "Starting Chroot Jail Server: chroot jail"
>     start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
>     echo "."
>     ;;
>   stop)
>     echo -n "Stopping Chroot Jail Server: chroot jail"
>     # --oknodo: exit successfully even if the daemon was not running
>     start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/jk_socketd.pid
>     echo "."
>     ;;
>
>   restart)
>     echo -n "Restarting Chroot Jail Server: chroot jail"
>     # --retry 30: give the daemon up to 30 seconds to exit on the stop signal
>     start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/jk_socketd.pid
>     start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
>     echo "."
>     ;;
>
>   *)
>     echo "Usage: /etc/init.d/chroot_jail {start|stop|restart}"
>     exit 1
> esac
>
> exit 0
> ---------------------------------------
>
> Mark
>
> --- Andreas John <[EMAIL PROTECTED]> wrote:
> > Hi Mark!
> >
> > > You will need to run a special daemon (jk_socketd) to log users into the
> > > jail, but that is about the hardest part. I'll post my startup script
> > > if you would like.
> >
> > Do I need the ssh-patch if I run this jk_socketd? Does it replace that
> > patch? It's a pain in the ass to maintain an ssh package that is separate
> > from the debian tree.
> >
> > And yes - please post me that startup-script. Would be nice.
> >
> > Best regards and many penguins,
> > Andreas
> >
> > --
> > Andreas John
> > net-lab GmbH
> > Luisenstrasse 30b
> > 63067 Offenbach
> > Tel: +49 69 85700331
> >
> > http://www.net-lab.net
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]