[PLUG] setting up SSH to chr[o]ot to user homeDir
Auke Kok
sofar at foo-projects.org
Fri Jul 21 14:37:45 UTC 2006
Josh Orchard wrote:
> Hello all,
>
> Been looking about the wonderful web and reading about how I could
> achieve this but all that I've found makes it sound like I need to setup
> yet another customer product of sorts. So...
>
> Is there a way that I can configure SSHD to allow clients to login but
> be chrooted to their home directory?
> FTP does this well and I would like to have it do the same for SSHD.
> I'm actually surprised this isn't a configuration option on OpenSSH as
> it would make sense that you would want to allow certain shell access
> but not allow all people to go about browsing your entire server.
> So, is this possible? Do I need some sort of custom SSH or is there
> another program I can use to give secure Shell access?
TINST
As Kenneth already explained, this is very much a nightmare to set up, and FTP
can do it since the user only needs 1 executable (ftpd) running on the server
after login, so that executable itself can chroot at startup.
If you really want to permit users to log in but not see something outside of
their home directories, then you should investigate more secure ways (chroots
can be busted, yes even with grsecurity) such as UML or providing a fully
chrooted install with sshd running already in it.
If you're only looking into offering limited functionality (e.g. sftp-server)
you might also want to see if you can get around it by just allowing the user
to run only one type of connection that way.
Cheers,
Auke
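
An added example, not part of the original message: OpenSSH releases newer than this thread (4.9 and later) provide `ChrootDirectory` and an in-process `internal-sftp` server, so the "sftp only" restriction suggested in the last paragraph can be written in `sshd_config`. The group name `sftponly` and the `/home/%u` layout are assumptions.

```conf
# sshd_config fragment (OpenSSH 4.9 or later; AllowAgentForwarding needs 5.1+).
# Assumption: restricted accounts are members of a group named "sftponly".

# Use the in-process SFTP server so no sftp-server binary, shell or
# libraries have to exist inside the chroot.
Subsystem sftp internal-sftp

Match Group sftponly
    # Every component of this path must be owned by root and must not be
    # writable by group or others, otherwise sshd refuses the session.
    # The user therefore needs a separate writable subdirectory below it.
    ChrootDirectory /home/%u

    # Ignore whatever command or shell the client requests; serve SFTP only.
    ForceCommand internal-sftp

    # Disable the channels that would otherwise reach outside the chroot.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Running `sshd -t` after editing checks the file for syntax errors before the daemon is restarted.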