[PLUG] setting up SSH to chroot to user homeDir

Larry Brigman larry.brigman at gmail.com
Fri Jul 21 17:09:12 UTC 2006


On 7/20/06, Josh Orchard <josh at emediatedesigns.com> wrote:
> Hello all,
>
> Been looking about the wonderful web and reading about how I could
> achieve this but all that I've found makes it sound like I need to setup
> yet another customer product of sorts.  So...
>
> Is there a way that I can configure SSHD to allow clients to login but
> be chrooted to their home directory?
>
> FTP does this well and I would like to have it do the same for SSHD.
> I'm actually surprised this isn't a configuration option on OpenSSH as
> it would make sense that you would want to allow certain shell access
> but not allow all people to go about browsing your entire server.
>
> So, is this possible?  Do I need some sort of custom SSH or is there
> another program I can use to give secure Shell access?
>

What about setting the user's shell to rbash or bash -r?

From the bash man page:
RESTRICTED SHELL
       If bash is started with the name rbash, or the -r option is supplied at
       invocation,  the  shell becomes restricted.  A restricted shell is used
       to set up an environment more controlled than the standard  shell.   It
       behaves  identically  to bash with the exception that the following are
       disallowed or not performed:

             changing directories with cd
             setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
             specifying command names containing /
             specifying  a  file  name containing a / as an argument to the .
                builtin command
             Specifying a filename containing a slash as an argument  to  the
                -p option to the hash builtin command
             importing  function  definitions  from  the shell environment at
                startup
             parsing the value of SHELLOPTS from  the  shell  environment  at
                startup
             redirecting  output using the >, >|, <>, >&, &>, and >> redirection
                operators
             using the exec builtin command to replace the shell with another
                command
             adding  or  deleting builtin commands with the -f and -d options
                to the enable builtin command
             Using the  enable  builtin  command  to  enable  disabled  shell
                builtins
             specifying the -p option to the command builtin command
             turning off restricted mode with set +r or set +o restricted.

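One way to try the rbash suggestion above, as an added example that is not code from the thread: a POSIX sh script that builds a throwaway restricted-shell environment with a whitelisted bin directory, then probes the restrictions the man page excerpt lists under bash -r. It assumes bash is installed; every path in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway restricted-shell setup
# and probe which operations bash -r refuses. Assumes bash is installed; all
# paths below are constructed for this demo.

RDIR="${TMPDIR:-/tmp}/rbash-demo.$$"
BASH_BIN=$(command -v bash)

# Whitelist of commands the restricted user may run. rbash forbids '/' in
# command names, so PATH is the whole command surface: keep it to tools that
# cannot themselves launch other programs, or the restriction is cosmetic.
ALLOWED="ls cat"

setup_restricted_env() {
    [ -n "$BASH_BIN" ] || return 1
    mkdir -p "$RDIR/bin" || return 1
    for cmd in $ALLOWED; do
        p=$(command -v "$cmd") || return 1
        ln -sf "$p" "$RDIR/bin/$cmd" || return 1
    done
}

# Run one command line under bash -r with PATH pinned to the whitelist dir.
# Returns the restricted shell's exit status (non-zero when bash refuses).
run_restricted() {
    PATH="$RDIR/bin" "$BASH_BIN" -r -c "$1" >/dev/null 2>&1
}

# Verify the restrictions quoted from the man page actually hold.
# Returns 0 when every probe behaves as expected, 1 otherwise.
check_restrictions() {
    run_restricted 'ls'                 || return 1   # whitelisted command works
    run_restricted 'cd /'               && return 1   # cd is refused
    run_restricted '/bin/ls'            && return 1   # '/' in a command name is refused
    run_restricted 'PATH=/usr/bin'      && return 1   # PATH is read-only
    run_restricted "echo x > $RDIR/out" && return 1   # output redirection is refused
    run_restricted 'exec ls'            && return 1   # exec is refused
    return 0
}

cleanup_restricted_env() { rm -rf "$RDIR"; }

# Stand-alone run: set up, check, report, clean up.
if setup_restricted_env && check_restrictions; then
    echo "rbash restrictions hold"
else
    echo "rbash restrictions NOT enforced as expected" >&2
fi
cleanup_restricted_env
```

Note that rbash restricts only the shell itself, not the filesystem view: unlike a chroot the user can still read any path the account has permission for, and any whitelisted command that can run other programs removes the restriction entirely.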