[PLUG] setting up SSH to chroot to user homeDir
Josh Orchard
josh at emediatedesigns.com
Fri Jul 21 23:17:52 UTC 2006
Tim,
Reading backwards on the post, this sounds like the only option there is.
Too bad. I would have liked an easier way to accomplish this. I like
SSH, but due to its nature of sharing the entire computer file system I
have elected to not allow it. Now I need to, and I'm trying to judge
whether to just allow and trust all SSH users or find a more secure way
of giving them access but locking their ability.
When you mentioned that you did a chattr on the files, I'm unfamiliar
with this. I see it is like chmod but I think not the same. I see that by
putting a +i with chattr on a file, that prevents a user from modifying
the file. Hmm, okay, the more I write the more I understand. Perhaps I
could do this without too much more.
How do I get the other shells to re-route back to rbash?
Thanks,
Josh
Tim Slighter wrote:
> The rbash idea is a good one but there are still many more steps to
> take to make sure the user stays within that shell and within the
> confines of their home directory. You have to create a directory
> somewhere like /usr/progs and put the binaries, and only the binaries,
> that you want the user to have access to, and then declare that
> directory as the user's only path in their .bash_profile or .bashrc or
> both. Better off if any programs with potential shell escapes like
> pine, vi, emacs etc. are all replaced with a restricted version of the
> binary such as rvi or rvim, etc. You will also need to declare
> restrictive aliases for each user to prevent them access to any other
> shells, so declare an alias for ksh to /bin/rbash and csh ->
> /bin/rbash; what you are doing here is making sure that any shell they
> attempt to get to will always put them back into and keep them in
> rbash. Make sure also that you prevent them from using the unalias
> command by declaring that to /bin/rbash as well, and then you must
> prevent the user from modifying the file, so do a chattr +i on the
> .bashrc or .bash_profile files in their home directories. I did manage
> to do this but it was a pain and quite a bit of work and a lot of
> trial and error. Feel free to ask questions if you need help with
> this.
>
> On 7/21/06, Larry Brigman <larry.brigman at gmail.com> wrote:
>>
>> On 7/20/06, Josh Orchard <josh at emediatedesigns.com> wrote:
>> > Hello all,
>> >
>> > Been looking about the wonderful web and reading about how I could
>> > achieve this, but all that I've found makes it sound like I need to
>> > set up yet another custom product of sorts. So...
>> >
>> > Is there a way that I can configure SSHD to allow clients to log in
>> > but be chrooted to their home directory?
>> >
>> > FTP does this well and I would like to have it do the same for SSHD.
>> > I'm actually surprised this isn't a configuration option on OpenSSH, as
>> > it would make sense that you would want to allow certain shell access
>> > but not allow all people to go about browsing your entire server.
>> >
>> > So, is this possible? Do I need some sort of custom SSH or is there
>> > another program I can use to give secure shell access?
>> >
>>
>> What about setting the user's shell to rbash or bash -r?
>>
>> From the bash man page:
>> RESTRICTED SHELL
>>     If bash is started with the name rbash, or the -r option is
>>     supplied at invocation, the shell becomes restricted. A restricted
>>     shell is used to set up an environment more controlled than the
>>     standard shell. It behaves identically to bash with the exception
>>     that the following are disallowed or not performed:
>>
>>     changing directories with cd
>>     setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
>>     specifying command names containing /
>>     specifying a file name containing a / as an argument to the .
>>         builtin command
>>     specifying a filename containing a slash as an argument to the -p
>>         option to the hash builtin command
>>     importing function definitions from the shell environment at
>>         startup
>>     parsing the value of SHELLOPTS from the shell environment at
>>         startup
>>     redirecting output using the >, >|, <>, >&, &>, and >> redirection
>>         operators
>>     using the exec builtin command to replace the shell with another
>>         command
>>     adding or deleting builtin commands with the -f and -d options to
>>         the enable builtin command
>>     using the enable builtin command to enable disabled shell builtins
>>     specifying the -p option to the command builtin command
>>     turning off restricted mode with set +r or set +o restricted.
>> _______________________________________________
>> PLUG mailing list
>> PLUG at lists.pdxlinux.org
>> http://lists.pdxlinux.org/mailman/listinfo/plug
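The setup Tim describes (one directory of permitted binaries, PATH pinned to it from the user's profile, aliases routing other shells back to rbash) and the rbash restrictions Larry quotes from the man page, as an added example that is not code from the thread. It builds the pieces in a scratch directory, so no root and no chattr are needed to try it, and probes them with `bash -r`, which is what `rbash` is. The scratch paths stand in for the user's home directory and for a /usr/progs-style directory, and the `showdir` program is a hypothetical permitted command written for the demonstration. The last function shows the limit the thread only gestures at: rbash restricts the shell process, not the programs it launches, so any permitted program that can run another program or open a file is a way out. That is why Tim's list of restricted replacements for vi, emacs and the like matters, and why an alias (which a user can sidestep by typing `\ksh`) is no substitute for keeping other shells out of the permitted directory; the PATH pin is the control that does the work.

```shell
#!/bin/sh
# Added example, not code from the thread: build the restricted-shell setup
# in a scratch directory and probe it with `bash -r` (what rbash is).
# Assumptions: the scratch paths below stand in for the user's home directory
# and for a /usr/progs-style directory of permitted binaries; `showdir` is a
# hypothetical permitted program written here for the demonstration.
set -u

BASH_BIN=$(command -v bash) || { echo "bash not found" >&2; exit 1; }
SCRATCH=$(mktemp -d)
HOME_DIR=$SCRATCH/home      # stand-in for the user's home directory
BIN_DIR=$SCRATCH/progs      # stand-in for /usr/progs
mkdir -p "$HOME_DIR" "$BIN_DIR"
ln -s "$(command -v ls)" "$BIN_DIR/ls"   # the only real binary this user may run
trap 'rm -rf "$SCRATCH"' EXIT

# Write the user's .bash_profile: PATH pinned to the permitted directory and
# aliases sending other shells (and unalias) back to rbash.  rbash applies
# its restrictions only after the startup files are read, so the profile
# itself is still allowed to set PATH.  Prints the path of the file written.
gen_rbash_profile() {
    home=$1
    bindir=$2
    cat > "$home/.bash_profile" <<EOF
PATH=$bindir
export PATH
alias sh=/bin/rbash
alias ksh=/bin/rbash
alias csh=/bin/rbash
alias unalias=/bin/rbash
EOF
    printf '%s\n' "$home/.bash_profile"
}

# Run one command line under a restricted bash whose PATH is pinned to the
# permitted directory; the exit status is the restricted shell's.
run_restricted() {
    bindir=$1
    cmdline=$2
    env PATH="$bindir" "$BASH_BIN" -r -c "$cmdline" 2>/dev/null
}

# Escape attempts the man page says a restricted shell refuses.  Returns 0
# only if every one of them fails; otherwise names the ones that got through.
check_rbash_blocks() {
    bindir=$1
    rc=0
    for attempt in \
        'cd /' \
        '/bin/ls' \
        "echo x > $SCRATCH/escape.txt" \
        'PATH=/bin' \
        'exec /bin/true' \
        'set +r'
    do
        if run_restricted "$bindir" "$attempt"; then
            echo "NOT blocked: $attempt" >&2
            rc=1
        fi
    done
    return "$rc"
}

# The limit rbash cannot fix: it restricts the shell process, not what the
# shell launches.  A permitted program that runs /bin/sh leaves the sandbox
# with no restriction at all.  Prints the directory the child reached.
demo_child_escape() {
    bindir=$1
    cat > "$bindir/showdir" <<'EOF'
#!/bin/sh
/bin/sh -c 'cd / && pwd'
EOF
    chmod 755 "$bindir/showdir"
    run_restricted "$bindir" showdir
}

gen_rbash_profile "$HOME_DIR" "$BIN_DIR"
check_rbash_blocks "$BIN_DIR" && echo "all rbash probes refused"
echo "permitted program reached: $(demo_child_escape "$BIN_DIR")"
```

On a real host the remaining steps are the ones Tim lists: put the generated profile in the user's home, make it immutable as root with `chattr +i`, make sure the permitted directory is not writable by the user, and set the login shell with `chsh -s /bin/rbash <user>`. Every program left in that directory should be audited for the behaviour `showdir` demonstrates. For the original question, OpenSSH has since gained a `ChrootDirectory` option in sshd_config, which confines the session at the kernel level rather than relying on the shell.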