ssh - restricted shell
Hello,

Does anybody know the best technique to accomplish this:

We have a server that we use for mostly internal development, and run an SSH server. We have an outsider who we want to allow to ssh into this server and do some work. However, because he is an outsider, we don't want him roaming around our server, moving, looking, doing, or anything outside of his own home directory. How can I restrict him to his own home directory?

I thought I ran into instructions once for doing this, but I can't find anything right now. Or was I thinking of scponly? That might do it, except we do need to set him up to run some scripts within his home directory after he uploads stuff via scp.

Thanks,
DW

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ssh - restricted shell
On Wed, Mar 30, 2005 at 04:02:39PM -0500, Duane Winner wrote:
> Hello,
>
> Does anybody know the best technique to accomplish this:
>
> We have a server that we use for mostly internal development, and run an SSH server. We have an outsider who we want to allow to ssh into this server and do some work. However, because he is an outsider, we don't want him roaming around our server, moving, looking, doing, or anything outside of his own home directory. How can I restrict him to his own home directory?

You could try using 'bash -r' as the shell for this user. The -r option puts bash in restricted mode. See bash(1).

Roland
--
R.F. Smith                              /\   ASCII Ribbon Campaign
r s m i t h @ x s 4 a l l . n l         \ /  No HTML/RTF in e-mail
http://www.xs4all.nl/~rsmith/            X   No Word docs in e-mail
public key: http://www.keyserver.net    / \  Respect for open standards
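The restricted mode suggested in the reply above, probed as an added example that is not part of the thread: it runs a few constructed, harmless commands under plain bash and under `bash -r` and reports which ones only the restricted shell refuses. The helper names `blocked_by_rbash` and `count_blocked` and the probe list are made up for illustration, and bash is assumed to be installed.

```shell
#!/bin/sh
# Added example: which actions does `bash -r` (restricted mode) refuse?
# Assumes bash is installed; all probes are constructed and harmless.

# Constructed probes, one per line: actions a confined account should not get.
PROBES='cd /
PATH=/bin:/usr/bin
/bin/sh -c :
echo x > out
exec true'

# blocked_by_rbash CMD (hypothetical helper name)
# Returns 0 only when CMD works under plain bash but fails under `bash -r`,
# so the failure is attributable to restricted mode and not to the command.
blocked_by_rbash() {
    scratch=$(mktemp -d) || return 2
    plain=0
    (cd "$scratch" && bash -c "$1") </dev/null >/dev/null 2>&1 || plain=$?
    restricted=0
    (cd "$scratch" && bash -r -c "$1") </dev/null >/dev/null 2>&1 || restricted=$?
    rm -rf "$scratch"
    [ "$plain" -eq 0 ] && [ "$restricted" -ne 0 ]
}

# count_blocked (hypothetical helper name): prints how many probes were refused.
count_blocked() {
    n=0
    while IFS= read -r probe; do
        if blocked_by_rbash "$probe"; then
            n=$((n + 1))
            echo "refused: $probe" >&2
        else
            echo "ALLOWED: $probe" >&2
        fi
    done <<EOF
$PROBES
EOF
    echo "$n"
}

echo "restricted mode refused $(count_blocked) of 5 probes"
```

Bare command names are still looked up in PATH, so restricted mode confines the account only as far as the directories on PATH contain vetted commands.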
Re: ssh - restricted shell
On Wednesday 30 March 2005 04:02 pm, Duane Winner wrote:
> Hello,
>
> Does anybody know the best technique to accomplish this:
>
> We have a server that we use for mostly internal development, and run an SSH server. We have an outsider who we want to allow to ssh into this server and do some work. However, because he is an outsider, we don't want him roaming around our server, moving, looking, doing, or anything outside of his own home directory. How can I restrict him to his own home directory?
>
> I thought I ran into instructions once for doing this, but I can't find anything right now. Or was I thinking of scponly? That might do it, except we do need to set him up to run some scripts within his home directory after he uploads stuff via scp.
>
> Thanks,
> DW

DW,

I thought this was accomplished when initially setting up a user's account? I'm under the impression that when a user clients sshd, s/he still can't go beyond the boundaries of his/her existing account on the server. Of course:

if $impression = delusion
then
    someone _please_ correct me!
fi

:O

WizLayer
Re: ssh - restricted shell
On Wed, 30 Mar 2005 16:02:39 -0500 Duane Winner [EMAIL PROTECTED] wrote:
> We have a server that we use for mostly internal development, and run an SSH server. We have an outsider who we want to allow to ssh into this server and do some work.

i'm a jail-fan, go for a ssh-only-jail :)
Re: ssh - restricted shell
On March 30, 2005 04:02 pm, Duane Winner wrote:
> Hello,
>
> Does anybody know the best technique to accomplish this:
>
> We have a server that we use for mostly internal development, and run an SSH server. We have an outsider who we want to allow to ssh into this server and do some work. However, because he is an outsider, we don't want him roaming around our server, moving, looking, doing, or anything outside of his own home directory. How can I restrict him to his own home directory?
>
> I thought I ran into instructions once for doing this, but I can't find anything right now. Or was I thinking of scponly? That might do it, except we do need to set him up to run some scripts within his home directory after he uploads stuff via scp.

if you only want scp to work, then you can use this as the shell:

/usr/lib/misc/sftp-server

worked for me. however, if they need a shell, you'll have to chroot() the shell and i don't know how to do that. i've never bothered to learn 'cause i've heard that they're easy to break out of anyway.

--
the reasonable man adapts himself to the world; the unreasonable man persists in trying to adapt the world to himself. therefore, all progress depends on the unreasonable man. - george bernard shaw
Re: ssh - restricted shell
On March 30, 2005 04:51 pm, daniel wrote:
> if you only want scp to work, then you can use this as the shell:
>
> /usr/lib/misc/sftp-server

correction. that was for gentoo-linux. for freebsd, you can use:

/usr/local/libexec/sftp-server
or
/usr/libexec/sftp-server

depending on if you're using openssh from ports or from the base install

--
i would not be a capitalist, i would be a man; you cannot be both at the same time. - eugene debs
Re: ssh - restricted shell
Couldn't you put everyone else into the same group, except for the outsider? Then you could make secret directories -rwx. Directories without execute permission cannot be listed.

Regards,
Juan

On Wed, 30 Mar 2005, Duane Winner wrote:
> Hello,
>
> Does anybody know the best technique to accomplish this:
>
> We have a server that we use for mostly internal development, and run an SSH server. We have an outsider who we want to allow to ssh into this server and do some work. However, because he is an outsider, we don't want him roaming around our server, moving, looking, doing, or anything outside of his own home directory. How can I restrict him to his own home directory?
>
> I thought I ran into instructions once for doing this, but I can't find anything right now. Or was I thinking of scponly? That might do it, except we do need to set him up to run some scripts within his home directory after he uploads stuff via scp.
>
> Thanks,
> DW
Re: ssh - restricted shell
wizlayer on 2005-03-30 16:28:55 -0500:
> I thought this was accomplished when initially setting up a user's account? I'm under the impression that when a user clients sshd, s/he still can't go beyond the boundaries of his/her existing account on the server. Of course:
>
> if $impression = delusion
> then
>     someone _please_ correct me!
> fi
>
> :O

If you mean 'outside of his home directory', then yes, a user can go outside 'his/her existing account on the server'. He can't read, modify, or execute files he doesn't have permission for, however.
Re: ssh - restricted shell
On Wed, 30 Mar 2005, Duane Winner wrote:
> We have an outsider who we want to allow to ssh into this server and do some work.

Although I have never done it, you could search documentation on doing jails in FreeBSD.

I believe Bash has a restricted shell of some sort. I also have seen restricted shells in Freshmeat.net (about 2 weeks ago saw one updated).

Based on my very limited knowledge of the topic I would say that restricted shell is the easiest, but jail is the safest.

--
http://stringsutils.com
Utility for developers. Compute length, MD5, CRC and more.