The cleanest way I have found was using rssh. All you do is change the shell to /usr/bin/rssh. The only issue I have with it is that to jail them to their home directory you need a separate chroot for each folder of the following. I jailed the /home folder and thus only need one jail, if you want each user to be jailed to ~/ as / then you need a separate jail for each user through copying or linking the files.
Ehren Wilson jail components: ./etc ./etc/ld.so.cache ./etc/ld.so.conf ./usr ./usr/bin ./usr/bin/scp ./usr/lib ./usr/lib/i686 ./usr/lib/i686/cmov ./usr/lib/i686/cmov/libcrypto.so.0.9.7 ./usr/lib/libz.so.1 ./usr/lib/rssh ./usr/lib/rssh/rssh_chroot_helper ./usr/lib/sftp-server > -----Original Message----- > From: Robert Cates [mailto:[EMAIL PROTECTED] > Sent: Monday, June 28, 2004 11:54 AM > To: debian-isp@lists.debian.org > Cc: Andreas John; MB; [EMAIL PROTECTED] > Subject: Re: restricting sftp/ssh login access > > > Hi, and thanks for the quick replies! > Just to be a bit clearer in what I'm asking: I would like to be able to > allow my customers to access their accounts (update their web sites) with > sftp which as I understand it is an extention to (Open)SSH, and > not FTP. I > know for example that the Windows application - WS_FTP Pro - has an option > to use sftp/ssh on port 22 and when I tested it, I landed way up at root > "/". So, I'd like to be able to allow secure access, but with an > ftp client > like WS_FTP Pro using sftp, and not a Secure SHell. I have my > server setup > so that the customer can use SSH to change their password, and that's all > they can do with SSH. > > Is there nothing in the ssh_config or sshd_config which can be set to > restrict sftp access to a designated directory? > > It seems to me that the patched OpenSSH way that Hiren pointed out is > workable - http://chrootssh.sourceforge.net/docs/chrootedsftp.html but I'm > open to other maybe better ways. > > Thanks again, > Robert > ----- Original Message ----- > From: "MB" <[EMAIL PROTECTED]> > To: "Andreas John" <[EMAIL PROTECTED]> > Cc: <debian-isp@lists.debian.org> > Sent: Monday, June 28, 2004 6:47 PM > Subject: Re: restricting sftp/ssh login access > > > > John, > > > > First off, I make a small mistake, the package I used was "jailkit", > > from either: > > > > http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html > > or > > http://freshmeat.net/projects/jailkit/ > > > > It has tons of documentation to help you create a jailed environment, > > including loading your jail with whatever executables needed. > > > > Looks like I simplified my script to one line: > > > > ----------------------- > > #!/bin/bash > > > > /usr/sbin/jk_socketd > > ------------------------ > > > > This produces a group of daemonized processes: > > nobody 13659 13658 0 Apr18 ? 00:00:00 [jk_socketd] > > > > > > but I think that I had a much more elaborate script to > > {start|stop|restart} this daemon, something like: > > > > > > /etc/init.d/chroot_jail > > ------------------------ > > #!/bin/bash > > > > case "$1" in > > start) > > echo -n "Starting Chroot Jail Server: chroot jail" > > start-stop-daemon --start --quiet --pidfile > > /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd -- > > echo "." > > ;; > > stop) > > echo -n "Stopping Chroot Jail Server: chroot jail" > > start-stop-daemon --stop --quiet --oknodo --pidfile > > /var/run/jk_socketd.pid > > echo "." > > ;; > > > > restart) > > echo -n "Restarting Chroot Jail Server: chroot jail" > > start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile > > /var/run/jk_socketd.pid > > start-stop-daemon --start --quiet --pidfile > > /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd -- > > echo "." > > ;; > > > > *) > > echo "Usage: /etc/init.d/chroot_jail {start|stop|restart}" > > exit 1 > > esac > > > > exit 0 > > --------------------------------------- > > > > > > Mark > > > > > > --- Andreas John <[EMAIL PROTECTED]> wrote: > > > Hi Mark! > > > > > > > You will need to run a special daemon (jk_socketd) to log users > > > into the > > > > jail, but that is about the hardest part. I'll post my startup > > > script > > > > if you would like. > > > > > > Do I need the ssh-patch if I run this jk_socketd? Does it replace > > > that > > > patch? It's pain in the ass to maintain an ssh package that is > > > seperate > > > from the debian tree. > > > > > > And yes - please post me that startup-script. Would be nice. > > > > > > Best regards and many pengiuns, > > > Andreas > > > > > > > > > -- > > > Andreas John > > > net-lab GmbH > > > Luisenstrasse 30b > > > 63067 Offenbach > > > Tel: +49 69 85700331 > > > > > > http://www.net-lab.net > > >