[PLUG] setting up SSH to chroot to user homeDir

Chris Dawson xrdawson at gmail.com
Fri Jul 21 18:02:30 UTC 2006


This worked for me using rbash:

Create an account where login shell is rbash.  Create a .bashrc like
this in the user's home directory:

PATH=/opt/wiab/binary_data/upload/bin
PS1='Master Upload # '

I symlinked only the applications I wanted into
/opt/wiab/binary_data/upload/bin.  You can only run those applications
when you are logged in.

Chris
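A scratch-directory version of the setup described in this thread, added here as an example and not taken from either post: it builds the symlink-only bin directory and the .bashrc, then checks that the rbash restrictions actually hold by running commands through bash -r with the rc file sourced via BASH_ENV. The jail path, the allow-list (ls, cat) and the use of BASH_ENV to stand in for an interactive login are assumptions of this example.

```shell
#!/bin/sh
# Added example: build an rbash "jail" in a scratch directory and verify
# the restrictions. Everything under $JAIL is constructed for this demo.
set -u

JAIL=${JAIL:-$(mktemp -d)}
BIN="$JAIL/bin"
RC="$JAIL/.bashrc"

# Allow-list of tools the user may run, symlinked into a private bin
# directory; PATH in the rc file points only there.
build_jail() {
    mkdir -p "$BIN"
    for tool in ls cat; do
        src=$(command -v "$tool") || return 1
        ln -sf "$src" "$BIN/$tool"
    done
    # Shells and unalias are aliased back to rbash (assumed at /bin/rbash),
    # so an interactive user cannot hop to an unrestricted shell.
    cat > "$RC" <<EOF
PATH=$BIN
PS1='Master Upload # '
alias sh=/bin/rbash ksh=/bin/rbash csh=/bin/rbash unalias=/bin/rbash
EOF
}

# Run one command line the way the restricted login would see it: the
# startup file is sourced first, then the -r restrictions are enforced
# (bash applies them after startup files). Prints "ok" if the command ran
# and "denied" if rbash refused it.
in_jail() {
    if BASH_ENV="$RC" bash -r -c "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo denied
    fi
}

# Stand-alone demo: show what the jailed user can and cannot do.
if [ "${1:-}" = demo ]; then
    build_jail
    for cmd in 'ls' 'cd /' '/bin/ls' 'PATH=/usr/bin' 'ls > /dev/null'; do
        printf '%-16s %s\n' "$cmd" "$(in_jail "$cmd")"
    done
fi
```

Run it as `sh jail.sh demo`; the only command that should report "ok" is the allow-listed `ls`, while cd, absolute paths, PATH changes and output redirection are all refused.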

On 7/21/06, Tim Slighter <tcslighter at gmail.com> wrote:
> The rbash idea is a good one but there are still many more steps to take to
> make sure the user stays within that shell and within the confines of their
> home directory.  You have to create a directory somewhere like /usr/progs
> and put the binaries and only the binaries that you want the user to have
> access to and then declare that directory as the user's only path in their
> .bash_profile or .bashrc or both.  Better off if any programs with potential
> shell escapes like pine, vi, emacs etc, are all replaced with a restricted
> version of the binary such as rvi or rvim, etc.  You will also need to
> declare restrictive aliases for each user to prevent them access to any
> other shells so declare an alias for ksh to /bin/rbash and csh ->
> /bin/rbash, so what you are doing here is making sure that any shell they
> attempt to get to will always put them back into and keep them in rbash.
>  Make sure also that you prevent them from using the unalias command by
> declaring that to /bin/rbash as well and then you must prevent the user from
> modifying the file so do a chattr +i on the .bashrc or .bash_profile files
> in their home directories.  I did manage to do this but it was a pain and
> quite a bit of work and a lot of trial and error.  Feel free to ask
> questions if you need help with this.
>
> On 7/21/06, Larry Brigman <larry.brigman at gmail.com> wrote:
> >
> > On 7/20/06, Josh Orchard <josh at emediatedesigns.com> wrote:
> > > Hello all,
> > >
> > > Been looking about the wonderful web and reading about how I could
> > > achieve this but all that I've found makes it sound like I need to setup
> > > yet another customer product of sorts.  So...
> > >
> > > Is there a way that I can configure SSHD to allow clients to login but
> > > be chrooted to their home directory?
> > >
> > > FTP does this well and I would like to have it do the same for SSHD.
> > > I'm actually surprised this isn't a configuration option on OpenSSH as
> > > it would make sense that you would want to allow certain shell access
> > > but not allow all people to go about browsing your entire server.
> > >
> > > So, is this possible?  Do I need some sort of custom SSH or is there
> > > another program I can use to give secure Shell access?
> > >
> >
> > What about setting the user's shell to rbash or bash -r?
> >
> > From the bash man page:
> > RESTRICTED SHELL
> >        If bash is started with the name rbash, or the -r option is supplied at
> >        invocation, the shell becomes restricted.  A restricted shell is used
> >        to set up an environment more controlled than the standard shell.  It
> >        behaves identically to bash with the exception that the following are
> >        disallowed or not performed:
> >
> >              changing directories with cd
> >              setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
> >              specifying command names containing /
> >              specifying a file name containing a / as an argument to the .
> >                 builtin command
> >              specifying a filename containing a slash as an argument to the
> >                 -p option to the hash builtin command
> >              importing function definitions from the shell environment at
> >                 startup
> >              parsing the value of SHELLOPTS from the shell environment at
> >                 startup
> >              redirecting output using the >, >|, <>, >&, &>, and >>
> >                 redirection operators
> >              using the exec builtin command to replace the shell with another
> >                 command
> >              adding or deleting builtin commands with the -f and -d options
> >                 to the enable builtin command
> >              using the enable builtin command to enable disabled shell
> >                 builtins
> >              specifying the -p option to the command builtin command
> >              turning off restricted mode with set +r or set +o restricted.
> > _______________________________________________
> > PLUG mailing list
> > PLUG at lists.pdxlinux.org
> > http://lists.pdxlinux.org/mailman/listinfo/plug
> >