Re: users ssh access

2002-11-27 Thread Gordon Messmer
On Fri, 2002-11-22 at 14:24, Ed Wilts wrote:
> On Fri, Nov 22, 2002 at 01:13:41PM -, Will Mc Donald wrote:
> > 
> > http://chrootssh.sourceforge.net/
> 
> This doesn't appear very practical.  With hundreds of users (I'm over
> 500 now), I'd have to have hundreds of copies of the shared libraries and
> executables that every user needs.

When you say "executables", are you expressing the intention of allowing
users shell access, but chrooting them?  Because... that's sorta how a
chroot works.  Everything that users need has to exist inside the
chroot.

> The current versions of wu-ftpd
> don't need that to support chroot'ed users.

Yeah, but wu-ftpd has everything it needs built-in to the binary.  In
order for ssh to do that, there would have to be a shell and fileutils
compiled in to the ssh binary.




-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list



Re: users ssh access

2002-11-22 Thread Ed Wilts
On Fri, Nov 22, 2002 at 01:13:41PM -, Will Mc Donald wrote:
> From: "Alan Peery" <[EMAIL PROTECTED]>
> 
> > It seems a relatively simple set of mods for sshd, and I am surprised 
> > that the OpenSSH people aren't interested.  Perhaps there is something 
> > in the structure of the code that would make it unexpectedly difficult.
> 
> http://chrootssh.sourceforge.net/

This doesn't appear very practical.  With hundreds of users (I'm over
500 now), I'd have to have hundreds of copies of the shared libraries and
executables that every user needs.  The current versions of wu-ftpd
don't need that to support chroot'ed users.  The author also claims that
it might be possible to break out of the chroot, and this is something I
simply can't afford.

To add extra complication to the issue, the chrootssh patch is maintained
by a single individual.  This makes it a little tougher to support if a
new rpm comes out from Red Hat.  I wouldn't be able to use up2date but
would have to get the source rpm, download the latest patch from
sourceforge, and hope that it's compatible. If it isn't yet, I'm stuck
between a rock and a hard place.

-- 
Ed Wilts, Mounds View, MN, USA
mailto:[EMAIL PROTECTED]
Member #1, Red Hat Community Ambassador Program






Re: users ssh access

2002-11-22 Thread jesse jacobs

> On Thu, 2002-11-21 at 19:37, Steve Howard wrote:
>> I'm sorry, I did not give much information with my question. I am
>> running RedHat8. I would like to allow some of my friends to have an
>> account on my machine. Some of them do not have access to a server
>> with bandwidth. I would like for them to be able to ftp in/out to
>> account, have a html folder...and when they telnet/ssh in to be only
>> able to see or use their /home/user directory. I have ftp set up this
>> way. Can telnet/ssh be set this way also?
>
>
> FreeBSD has something called jail that will do that.. does Linux not
> have this?  I did a man jail and got nothing back... but I'm not sure
> jail doesn't exist in the linux world.
>
> Anthony
>
>
>

Actually this is called a chroot/jail and uses a separate partition to
limit the amount of access given to any one process provided it is run as
a unique user.  A little tip from my experiences: each service is unique
(i.e. requires specific libs to operate).  These must be included in the jail.

-- 
Jesse Jacobs, Supa' Noob :)
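The "each service needs its own libs inside the jail" point above, and the "hundreds of copies of the shared libraries" objection earlier in the thread, become concrete once you look at what one binary drags into a chroot. The following is an added example, not code from the thread or from any of the projects it mentions: a POSIX sh script that parses ldd output, copies a program plus the libraries it needs into a jail directory (once per jail, which is exactly the duplication Ed objects to), and re-checks the jail afterwards. It assumes standard Linux ldd, cp -p and mkdir -p; /bin/sh is only a sample program.

```shell
#!/bin/sh
# Constructed example: fill a chroot jail with a program and the shared
# libraries ldd reports for it. Every jail needs its own copies, which is
# the per-user duplication the thread objects to.
set -eu

# ldd_paths: read ldd output on stdin, print one library path per line.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare
# "/lib64/ld-linux-x86-64.so.2 (0x...)" loader line; skips the vDSO
# (which has no file on disk) and warns about libraries ldd cannot find.
ldd_paths() {
    while read -r line; do
        case "$line" in
            *"not found"*) printf 'ldd_paths: unresolved: %s\n' "$line" >&2; continue ;;
            *" => /"*)     path=${line#*=> }; path=${path%% *} ;;
            /*)            path=${line%% *} ;;
            *)             continue ;;   # vDSO, "statically linked", blank lines
        esac
        printf '%s\n' "$path"
    done
}

# jail_add <jail dir> <program>: copy the program and its libraries into the
# jail, keeping their absolute paths so the dynamic loader finds them.
# Copy only what the jailed service needs and never a setuid binary: the
# thread's warning that a chroot can be escaped applies to processes that
# gain root inside it.
jail_add() {
    jail=$1; prog=$2
    for f in "$prog" $(ldd "$prog" | ldd_paths); do
        mkdir -p "$jail$(dirname "$f")"
        cp -p "$f" "$jail$f"
    done
}

# jail_check <jail dir> <program>: return 0 only if every library the
# program needs is present inside the jail. Worth running after a package
# update, since a new library version on the host is not copied for you.
jail_check() {
    jail=$1; prog=$2; missing=0
    for f in $(ldd "$prog" | ldd_paths); do
        [ -e "$jail$f" ] || { echo "missing in jail: $f" >&2; missing=1; }
    done
    return $missing
}
```

Typical use is `jail_add /home/jail /bin/sh` followed by `jail_check /home/jail /bin/sh` on each host update; every jailed user in Ed's scenario needs the same run against their own jail directory.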







Re: users ssh access

2002-11-22 Thread Anthony Abby
On Thu, 2002-11-21 at 19:37, Steve Howard wrote:
> I'm sorry, I did not give much information with my question. I am
> running RedHat8. I would like to allow some of my friends to have an
> account on my machine. Some of them do not have access to a server with
> bandwidth. I would like for them to be able to ftp in/out to account,
> have a html folder...and when they telnet/ssh in to be only able to see
> or use their /home/user directory. I have ftp set up this way. Can
> telnet/ssh be set this way also?


FreeBSD has something called jail that will do that.. does Linux not
have this?  I did a man jail and got nothing back... but I'm not sure
jail doesn't exist in the linux world.

Anthony






Re: users ssh access

2002-11-22 Thread Will Mc Donald
From: "Alan Peery" <[EMAIL PROTECTED]>

> It seems a relatively simple set of mods for sshd, and I am surprised 
> that the OpenSSH people aren't interested.  Perhaps there is something 
> in the structure of the code that would make it unexpectedly difficult.

http://chrootssh.sourceforge.net/

From the FAQ...
Q: Why isn't this in the releases of OpenSSH?
A: Because the OpenSSH developers are very smart guys. They've decided that chrooting 
should occur outside of the daemon so that the user is chrooted in the system account, 
not just because sshd found a '.' somewhere in their home dir. Though the patch works 
very well, its limitation to working in only OpenSSH is what makes it undesirable to 
the developers.

It's already in the process of being done. I'm not sure how complete it is, I've 
helped install it on Solaris but not got round to it yet on linux.

Presumably some combination of chrooted ssh/sftp/scp with disk quotas would do the 
trick?

Will.







Re: users ssh access

2002-11-22 Thread Alan Peery
Ed Wilts wrote:


Here's the problem, and I'll let you suggest some solutions that are
actually secure.


Sounds fun. :-)


Allow hundreds of authenticated users scattered throughout the
Internet to transfer files.  Restrict uploads to pre-determined
directories and downloads to other pre-determined directories.  Allow
automated processes to easily do this.  Trivial to do with wu-ftpd and
the ftpaccess file, but I've never found a way to allow an scp to honor
any sort of directory restrictions.  If any user has scp/sftp access, 
then they can simply use this or remote command execution to grab my
system password file, 

This sounds like a call for modifying the source of sshd.  After sshd
authenticates a user, it should be able to look at the user's home
directory in /etc/passwd.  If it contains the character pattern that
indicates to ftpd that it should operate chroot'd (././dir IIRC), then
disallow remote command execution, run a different command/function when
the ssh stream contains file transfers that operates chroot'd, and
disallow any attempt at port forwarding.

It seems a relatively simple set of mods for sshd, and I am surprised 
that the OpenSSH people aren't interested.  Perhaps there is something 
in the structure of the code that would make it unexpectedly difficult.

Alan
--
Alan Peery
[EMAIL PROTECTED]







Re: users ssh access

2002-11-21 Thread Gary
On Thu, Nov 21, 2002 at 10:31:21PM -0600 or thereabouts, Ed Wilts wrote:
> 
> Here's the problem, and I'll let you suggest some solutions that are
> actually secure.  If you can solve this, you're a better techie than I am.
> Allow hundreds of authenticated users scattered throughout the
> Internet to transfer files.  Restrict uploads to pre-determined
> directories and downloads to other pre-determined directories.  Allow
> automated processes to easily do this.  Trivial to do with wu-ftpd and
> the ftpaccess file, but I've never found a way to allow an scp to honor
> any sort of directory restrictions.  If any user has scp/sftp access, 

> Did I mention that I don't trust these users, even though they're my
> customers.  I don't expect them to do anything nasty, but that doesn't
> mean I trust them either.  No user should *ever* be able to see the data
> of any other user unless authorized (typically via group membership).
> 
> > Failing that, the restricted shell approaches might help.  
> 
> If ssh is enabled, I believe that any user can simply do this from
> another box:
> ssh  
> and the login shell is bypassed.  I do not believe that you can prevent
> the command line from being executed, even if the users have a
> restricted shell.  login is not used for remote command execution.

Might try a different approach, that is using UML, user mode linux, which
is basically Linux within Linux.  This will allow you to set up a full
virtual Linux safely within your main linux, and outside users will only
have access to their areas and their FTP, in their Linux, leaving your RH
untouched.  This allows them their own virtual resources, including a root
filesystem, swap, etc.  Could very easily set up FTP within the virtual
linux for this. 

http://usermodelinux.org/
 
> Suggestions greatly appreciated.

-- 
Best regards,
Gary

sed '/^[when][coders]/!d
/^...[discover].$/d
   /^..[real].[code]$/!d
' /usr/share/dict/words






Re: users ssh access

2002-11-21 Thread Ed Wilts
On Thu, Nov 21, 2002 at 10:17:11PM -0500, R P Herrold wrote:
> On Thu, 21 Nov 2002, Ed Wilts wrote:
> 
> > On Thu, Nov 21, 2002 at 07:02:27PM -0500, Steve Howard wrote:
> > > Can I set an upper level directory, /home/user, for example for each
> > > user? I have been able to do this with ftp, but can I do it with ssh?
> > 
> > You mean you want to chroot the user so that they can't transfer files
> > outside of that directory?  If so, the answer is no, openssh does not
> > support this.  Any user that has ssh access to your system (or sftp via
> > the openssh server) has regular access to every file, including your world
> > readable password file.  This limitation is why I claim that ftp is
> 
> ehhh? If you don't trust them, keep them off your hosts.  If
> you can't keep them off a host you admin, don't keep anything
> on _that_  host or in that network segment you wouldn't share 
> freely.  

Here's the problem, and I'll let you suggest some solutions that are
actually secure.  If you can solve this, you're a better techie than I am.
Allow hundreds of authenticated users scattered throughout the
Internet to transfer files.  Restrict uploads to pre-determined
directories and downloads to other pre-determined directories.  Allow
automated processes to easily do this.  Trivial to do with wu-ftpd and
the ftpaccess file, but I've never found a way to allow an scp to honor
any sort of directory restrictions.  If any user has scp/sftp access, 
then they can simply use this or remote command execution to grab my
system password file, something they certainly can't get via wu-ftpd.
Did I mention that I don't trust these users, even though they're my
customers.  I don't expect them to do anything nasty, but that doesn't
mean I trust them either.  No user should *ever* be able to see the data
of any other user unless authorized (typically via group membership).

> Failing that, the restricted shell approaches might help.  

If ssh is enabled, I believe that any user can simply do this from
another box:
ssh  
and the login shell is bypassed.  I do not believe that you can prevent
the command line from being executed, even if the users have a
restricted shell.  login is not used for remote command execution.

Suggestions greatly appreciated.
.../Ed
-- 
Ed Wilts, Mounds View, MN, USA
mailto:[EMAIL PROTECTED]
Member #1, Red Hat Community Ambassador Program
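Ed's point that "ssh host command" bypasses the login shell is exactly why a restricted shell does not help; what does help, and what Alan Peery's proposed sshd modification earlier in the thread amounts to, is having sshd refuse everything except a validated scp. The following is an added example, not code from the thread or from OpenSSH: a forced-command wrapper installed per key in authorized_keys as `command="/usr/local/bin/scp-gate",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ...`, so that sshd runs it instead of whatever the client requested and hands the request over in SSH_ORIGINAL_COMMAND. The directory names upload and download, the wrapper's path and /usr/bin/scp are assumptions.

```shell
#!/bin/sh
# scp-gate: forced-command wrapper (constructed example). sshd runs this
# in place of the client's requested command and puts that request in
# SSH_ORIGINAL_COMMAND; the real scp is exec'd only for a narrow, validated
# form, so neither a shell nor any other command is reachable over this key.
set -f   # never let a client-supplied string trigger filename globbing

UPLOAD_DIR="upload"      # placeholder: scp -t (receive) may only target this tree
DOWNLOAD_DIR="download"  # placeholder: scp -f (send) may only read from this tree
REAL_SCP="/usr/bin/scp"  # assumed location of the real scp binary

# scp_gate_check "<requested command>": returns 0 if the request is exactly
# "scp -t <upload path>" or "scp -f <download path>", 1 for anything else.
# Flags such as -r or -p are deliberately not accepted; interactive shells,
# other commands and anything containing shell metacharacters fail either
# the word count or the character-class test below.
scp_gate_check() {
    set -- $1                       # split the request on whitespace
    [ $# -eq 3 ] || return 1        # exactly: scp <mode> <path>
    [ "$1" = "scp" ] || return 1
    mode=$2 path=$3
    case "$path" in
        *..*|/*|*[!A-Za-z0-9._/-]*) return 1 ;;   # no traversal, no absolute paths, no metacharacters
    esac
    case "$mode:$path" in
        "-t:$UPLOAD_DIR"|"-t:$UPLOAD_DIR/"?*) return 0 ;;   # upload into the upload tree
        "-f:$DOWNLOAD_DIR/"?*)                return 0 ;;   # download a named file from the download tree
    esac
    return 1
}

# Entry point when sshd invokes us as the forced command. With no request
# at all (a plain "ssh host" login attempt) nothing runs and the session ends.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if scp_gate_check "$SSH_ORIGINAL_COMMAND"; then
        set -- $SSH_ORIGINAL_COMMAND
        exec "$REAL_SCP" "$2" "$3"   # only the validated mode and path reach scp
    fi
    echo "scp-gate: only 'scp -t $UPLOAD_DIR/...' and 'scp -f $DOWNLOAD_DIR/...' are permitted" >&2
    exit 1
fi
```

Because the key options also drop port forwarding and the pty, a rejected request fails closed with the message above in the client's scp output and nothing else; paths are relative to the account's home directory, so the upload and download trees live there.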






Re: users ssh access

2002-11-21 Thread R P Herrold
On Thu, 21 Nov 2002, Ed Wilts wrote:

> On Thu, Nov 21, 2002 at 07:02:27PM -0500, Steve Howard wrote:
> > Can I set an upper level directory, /home/user, for example for each
> > user? I have been able to do this with ftp, but can I do it with ssh?
> 
> You mean you want to chroot the user so that they can't transfer files
> outside of that directory?  If so, the answer is no, openssh does not
> support this.  Any user that has ssh access to your system (or sftp via
> the openssh server) has regular access to every file, including your world
> readable password file.  This limitation is why I claim that ftp is

ehhh? If you don't trust them, keep them off your hosts.  If
you can't keep them off a host you admin, don't keep anything
on _that_  host or in that network segment you wouldn't share 
freely.  

Wrapper relentlessly. tripwire.  syslog the heck out of it to
a separate loghost; remove binaries which you can; trap the
others so that alarms go off on access out of the chroot; once
tripped, lock the account, pending termination as a violation
of the AUP.

And remember that there is always some local exploit you've
not heard of, so run it down an isolated P-t-P with full
coverage 'shadow' logging and 'snort' analysis.  Pay attention 
with logwatch and other reduction tools.

Failing that, the restricted shell approaches might help.  
These come to mind.  

Restricted bourne SHell: (man -s 1m rsh)
Restricted ksh (rksh)
chroot
pdksh (Public Domain Korn Shell) available from 
http://www.cs.mun.ca/~michael/pdksh/
rbash

http://online.securityfocus.com/infocus/1575
http://www.ssh.com/support/faq/secureshellserver/qa_191_687.html
http://www.carcosa.net/jason/software/utilities/uchroot/readme.html

-- Russ Herrold






Re: users ssh access

2002-11-21 Thread Steve Howard
Ok, along this line of thinking, ftp is a protocol that is for
transferring files, yet the ftp daemon allows for setting an upper level
directory. The ssh protocol is for encrypted command line access, why
can't the ssh daemon provide access control also?

Thank you very much,
Steve

>>> [EMAIL PROTECTED] 11/21/02 20:26 PM >>>
On Thu, 21 Nov 2002, Ed Wilts wrote:

> On Thu, Nov 21, 2002 at 07:02:27PM -0500, Steve Howard wrote:
> > Can I set an upper level directory, /home/user, for example for each
> > user? I have been able to do this with ftp, but can I do it with ssh?
> 
> You mean you want to chroot the user so that they can't transfer files
> outside of that directory?  If so, the answer is no, openssh does not
> support this.  Any user that has ssh access to your system (or sftp via
> the openssh server) has regular access to every file, including your world
> readable password file.  This limitation is why I claim that ftp is
> *more* secure than ssh for file transfers in many/most environments.
> 
> For some very odd reason, the openssh aren't too eager to fix this and
> when I raised this with the Red Hat openssh package maintainer, he
> wasn't eager either since he felt that if the openssh group wasn't going
> to do it, he shouldn't either.
> 

If you are so paranoid you must use some restricted shell, or do a chroot
(but then you must provide some binaries within), etc.

Personally I don't think it's the job of ssh to do this, I think it is the
job of the shell, ssh provides just the secure communication channel
(i.e. overloading it will be both difficult and unnecessary)

Cheers,
-- 
Ryurick M. Hristev mailto:[EMAIL PROTECTED]
Computer Systems Manager
University of Canterbury, Physics & Astronomy Dept., New Zealand






Re: users ssh access

2002-11-21 Thread Ed Wilts
On Thu, Nov 21, 2002 at 07:37:02PM -0500, Steve Howard wrote:
> I'm sorry, I did not give much information with my question. I am
> running RedHat8. I would like to allow some of my friends to have an
> account on my machine. Some of them do not have access to a server with
> bandwidth. I would like for them to be able to ftp in/out to account,
> have a html folder...and when they telnet/ssh in to be only able to see
> or use their /home/user directory. I have ftp set up this way. Can
> telnet/ssh be set this way also?

In a word, no.  Once they have telnet and/or ssh access, they can grab
your passwd file or any other file that their account has read access
to.  They can fill your /tmp or /var/tmp directories, perhaps stopping
your system from doing other things that you planned on it doing (like
support your own work or e-mail).

.../Ed
-- 
Ed Wilts, Mounds View, MN, USA
mailto:[EMAIL PROTECTED]
Member #1, Red Hat Community Ambassador Program






Re: users ssh access

2002-11-21 Thread Ryurick M. Hristev
On Thu, 21 Nov 2002, Ed Wilts wrote:

> On Thu, Nov 21, 2002 at 07:02:27PM -0500, Steve Howard wrote:
> > Can I set an upper level directory, /home/user, for example for each
> > user? I have been able to do this with ftp, but can I do it with ssh?
> 
> You mean you want to chroot the user so that they can't transfer files
> outside of that directory?  If so, the answer is no, openssh does not
> support this.  Any user that has ssh access to your system (or sftp via
> the openssh server) has regular access to every file, including your world
> readable password file.  This limitation is why I claim that ftp is
> *more* secure than ssh for file transfers in many/most environments.
> 
> For some very odd reason, the openssh aren't too eager to fix this and
> when I raised this with the Red Hat openssh package maintainer, he
> wasn't eager either since he felt that if the openssh group wasn't going
> to do it, he shouldn't either.
> 

If you are so paranoid you must use some restricted shell, or do a chroot
(but then you must provide some binaries within), etc.

Personally I don't think it's the job of ssh to do this, I think it is the
job of the shell, ssh provides just the secure communication channel
(i.e. overloading it will be both difficult and unnecessary)

Cheers,
-- 
Ryurick M. Hristev mailto:[EMAIL PROTECTED]
Computer Systems Manager
University of Canterbury, Physics & Astronomy Dept., New Zealand






Re: users ssh access

2002-11-21 Thread Joel Webb

look up chroot jail in Google

I have installed it and it works great.

On Thu, 21 Nov 2002, Steve Howard wrote:

> I'm sorry, I did not give much information with my question. I am
> running RedHat8. I would like to allow some of my friends to have an
> account on my machine. Some of them do not have access to a server with
> bandwidth. I would like for them to be able to ftp in/out to account,
> have a html folder...and when they telnet/ssh in to be only able to see
> or use their /home/user directory. I have ftp set up this way. Can
> telnet/ssh be set this way also?
> 
> Thank you,
> Steve
> 
> Steve Howard
> Software Trainer
> Information Technology Services
> Kennesaw State University
> 770-423-6895
> 
> >>> [EMAIL PROTECTED] 11/21/02 19:26 PM >>>
> 
> Steve Howard wrote:
> | Can I set an upper level directory, /home/user, for example for each
> | user? I have been able to do this with ftp, but can I do it with ssh?
> 
> Are you referring to chrooting the user to their home directory from a shell
> or for SCP file access?
> 
> --
> Rick Johnson, RHCE - [EMAIL PROTECTED]
> Linux/WAN Administrator - Medata, Inc.
> PGP Public Key: https://mail.medata.com/pgp/rjohnson.asc

-- 
Respectfully,
Joel Webb
WebbGroup Network Systems
www.webbgroup.net
336.841.7241
336.841.6068






Re: users ssh access

2002-11-21 Thread Steve Howard
I'm sorry, I did not give much information with my question. I am
running RedHat8. I would like to allow some of my friends to have an
account on my machine. Some of them do not have access to a server with
bandwidth. I would like for them to be able to ftp in/out to account,
have a html folder...and when they telnet/ssh in to be only able to see
or use their /home/user directory. I have ftp set up this way. Can
telnet/ssh be set this way also?

Thank you,
Steve

Steve Howard
Software Trainer
Information Technology Services
Kennesaw State University
770-423-6895

>>> [EMAIL PROTECTED] 11/21/02 19:26 PM >>>

Steve Howard wrote:
| Can I set an upper level directory, /home/user, for example for each
| user? I have been able to do this with ftp, but can I do it with ssh?

Are you referring to chrooting the user to their home directory from a shell
or for SCP file access?

--
Rick Johnson, RHCE - [EMAIL PROTECTED]
Linux/WAN Administrator - Medata, Inc.
PGP Public Key: https://mail.medata.com/pgp/rjohnson.asc






Re: users ssh access

2002-11-21 Thread Rick Johnson

Steve Howard wrote:
| Can I set an upper level directory, /home/user, for example for each
| user? I have been able to do this with ftp, but can I do it with ssh?

Are you referring to chrooting the user to their home directory from a shell
or for SCP file access?

--
Rick Johnson, RHCE - [EMAIL PROTECTED]
Linux/WAN Administrator - Medata, Inc.
PGP Public Key: https://mail.medata.com/pgp/rjohnson.asc






Re: users ssh access

2002-11-21 Thread Ed Wilts
On Thu, Nov 21, 2002 at 07:02:27PM -0500, Steve Howard wrote:
> Can I set an upper level directory, /home/user, for example for each
> user? I have been able to do this with ftp, but can I do it with ssh?

You mean you want to chroot the user so that they can't transfer files
outside of that directory?  If so, the answer is no, openssh does not
support this.  Any user that has ssh access to your system (or sftp via
the openssh server) has regular access to every file, including your world
readable password file.  This limitation is why I claim that ftp is
*more* secure than ssh for file transfers in many/most environments.

For some very odd reason, the openssh aren't too eager to fix this and
when I raised this with the Red Hat openssh package maintainer, he
wasn't eager either since he felt that if the openssh group wasn't going
to do it, he shouldn't either.

-- 
Ed Wilts, Mounds View, MN, USA
mailto:[EMAIL PROTECTED]
Member #1, Red Hat Community Ambassador Program






users ssh access

2002-11-21 Thread Steve Howard
Can I set an upper level directory, /home/user, for example for each
user? I have been able to do this with ftp, but can I do it with ssh?

Steve Howard


