> Why can't you simply specify an invalid shell in /etc/passwd, and
> add it to /etc/shells?
I don't recall the answer, but I know I've asked this question before, and
I'm certain that it's in the docs.
BTW, did you look at ssh-dummy-shell? I really do think it does what you
want.
2.4:
Q: How do I set up chrooted accounts (with restricted shell access, and
only file transfer access) with sshd2?
A: First, you should make sure that the static binaries of
ssh-dummy-shell and sftp-server2 got compiled with the rest. The
binaries are named (creatively) ssh-dummy-shell.static and
sftp-server2.static.
Then, run
% ssh-chrootmgr <username> ...
This copies the binaries to the user's bin-directory ($HOME/bin)
(and creates the bin directory, if necessary).
The next step is to add the user to the server's configuration file
(/etc/ssh2/sshd2_config, usually). Use ChRootUsers or ChRootGroups
variable. [Note: As of ssh-2.4 the group doesn't have to be the
primary group, supplementary groups can be used as well.]
After this you should change the user's login shell in /etc/passwd,
with vipw, for example (or whatever you use to manage the
accounts). The new shell should be /bin/ssh-dummy-shell (which, from
the chrooted users perspective, will be the one in $HOME/bin).
After this, restart the daemon, or kill -HUP it.
Note: make sure, that there is a line
subsystem-sftp sftp-server
in sshd2_config. Otherwise the user won't be able to do anything.
NOTE: This doesn't work with Solaris. Solaris doesn't support this
kind of static linking. You have to use the normal binaries and copy
the needed libraries to the user's environment too. Unfortunately we
don't have a tool for that (yet).
--
Blue Lang http://www.gator.net/~blue
2315 McMullan Circle, Raleigh, North Carolina, USA 919 835 1540
