Caging sftp users in SuSE 10.3?
Hi All,

Is there a way to restrict scp and sftp users to their own directories in 10.3? The ChrootDirectory option in sshd_config is only available as of SLES 11.

Ray Mrohs
U.S. Department of Justice
202-307-6896

--
For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit http://wiki.linuxvm.org/
Re: Caging sftp users in SuSE 10.3?
On 10/20/2010 at 11:07 AM, Mrohs, Ray (JMD) ray.mr...@usdoj.gov wrote:
> Hi All,
> Is there a way to restrict scp and sftp users to their own directories in 10.3? The ChrootDirectory option in sshd_config is only available as of SLES 11.

Not that I'm aware of. Be aware that the chroot function in ssh 5 applies to SSH sessions as well, not just scp and sftp. If you don't want users being able to really access the system, use secure FTP instead. The chroot function is available in vsftp.

Mark Post
Re: Caging sftp users in SuSE 10.3?
>> Is there a way to restrict scp and sftp users to their own directories in 10.3? The ChrootDirectory option in sshd_config is only available as of SLES 11.
> Not that I'm aware of.

Google for scponly. You'll find a couple articles describing how to do this pre-sshd v5.

-- db
Re: Caging sftp users in SuSE 10.3?
Not sure... it might be possible using AppArmor somehow. I know that sftp can use a subsystem executable and in theory a copied sftp-server backend subsystem with some kind of AppArmor logic might do the trick. Just thinking out loud.

From: Mrohs, Ray (JMD) ray.mr...@usdoj.gov
To: LINUX-390@vm.marist.edu
Date: 10/20/2010 10:09 AM
Subject: Caging sftp users in SuSE 10.3?
Sent by: Linux on 390 Port LINUX-390@vm.marist.edu

Hi All,

Is there a way to restrict scp and sftp users to their own directories in 10.3? The ChrootDirectory option in sshd_config is only available as of SLES 11.

Ray Mrohs
U.S. Department of Justice
202-307-6896
Re: Caging sftp users in SuSE 10.3?
On 21 October 2010 04:07, Mrohs, Ray (JMD) ray.mr...@usdoj.gov wrote:
> Hi All,
> Is there a way to restrict scp and sftp users to their own directories in 10.3? The ChrootDirectory option in sshd_config is only available as of SLES 11.

Not SuSE specific... one of our requirements was to have the users segregated from each other as well as from the actual host file-system. We ended up compiling ssh 5.5 w/ sftp only for a certain user-group; they get jailed into their home, and have no notion of each other's existence.

Cheers,
Andrej
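
Added example, not part of the thread: on an sshd that supports ChrootDirectory, the jail is refused unless every directory from / down to the chroot target is owned by root and not writable by group or others. The script below checks a candidate directory against that rule; the group name `sftponly`, the script name and the sample path are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Constructed sshd_config fragment this
# check is meant for; the group name "sftponly" is hypothetical:
#
#   Subsystem sftp internal-sftp
#   Match Group sftponly
#       ChrootDirectory %h
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#
# sshd refuses the chroot unless every directory from / down to the
# ChrootDirectory target is owned by root and not group- or world-writable.

# component_ok UID MODE: succeed if one path component meets that rule.
component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR: walk DIR and each parent up to /, and report the first
# component sshd would reject. Uses GNU stat, following symlinks like stat(2).
check_chroot_path() {
    p=$1
    case $p in
        /*) ;;
        *) echo "not an absolute path: $p" >&2; return 1 ;;
    esac
    [ -d "$p" ] || { echo "not a directory: $p" >&2; return 1; }
    while :; do
        meta=$(stat -L -c '%u %a' "$p") || return 1
        if ! component_ok "${meta% *}" "${meta#* }"; then
            echo "unsafe: $p (uid=${meta% *} mode=${meta#* })" >&2
            return 1
        fi
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Stand-alone use: sh check_chroot.sh /home/alice
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1" && echo "ok: $1"
fi
```

With `ChrootDirectory %h` the home directory itself has to be root-owned, so uploads need a user-owned subdirectory inside it. `ForceCommand internal-sftp` is what keeps the jailed group to sftp instead of a chrooted shell session.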