I'd like to add a user that will have the sole purpose of serving as a way I can come into my Arch box via ssh and grab a document when I need to do so. What is the best way to chroot the user so it can't leave its own home directory, at least when logging in via ssh?
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
You can use a restricted shell to lock the user in.
E.g. there is rssh, which you can set to only allow scp and/or sftp access.
Last edited by Mr.Elendig (2009-09-18 20:02:21)
Evil #archlinux@libera.chat channel op and general support dude.
. files on github, Screenshots, Random pics and the rest
ChrootDirectory
    Specifies a path to chroot(2) to after authentication. This path, and all its components, must be root-owned directories that are not writable by any other user or group.

    The path may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user.

    The ChrootDirectory must contain the necessary files and directories to support the users' session. For an interactive session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices. For file transfer sessions using ``sftp'', no additional configuration of the environment is necessary if the in-process sftp server is used (see Subsystem for details).

    The default is not to chroot(2).
Create SFTP-only access on OpenSSH v5.4:
Add a group for limited users.
groupadd sshlim
Using /home/%u as the chrooted directory doesn't seem to work as expected. Instead, create a universal chrooted directory (jail).
Set permissions so that traversing into subdirectories is allowed but the directory is not viewable itself.
It should already be owned by root. /home/public will become / for jailed users, but they will not be able to navigate to / and view others' directories.
mkdir /home/public
chmod 611 /home/public
After regular SSH access is set up (as per the Arch Wiki), edit /etc/ssh/sshd_config and make the following changes.
Subsystem sftp internal-sftp
Match Group sshlim
ChrootDirectory /home/public
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
Have an existing user or add a user as normal.
A default home directory will be created, but it is not usable and can be deleted later.
Change the user's default group or just add the user to the limited group:
gpasswd -a myuser sshlim
Add the user's jailed home directory and give him exclusive permissions.
mkdir /home/public/mydir
chown myuser /home/public/mydir
chmod 600 /home/public/mydir
Change their home directory (relative to the chrooted directory) and disable their shell (although they wouldn't have access to it anyway).
usermod -d /mydir -s /bin/false myuser
The user now has SFTP-only access. If he tries to log in to the shell, it will inform him of such.
In the future, you may be able to experiment with no ForceCommand and allow limited shell access, but that requires a full environment be set up in the jail. I have not tried yet.
Last edited by tcp (2010-04-04 20:23:22)
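Here is an added shell script (my own example, not code from the thread or from OpenSSH) that audits a jail laid out as in the post above against the ChrootDirectory rules quoted from sshd_config(5): the chroot path and every component of it must be a root-owned directory that no other user or group can write, and the user's own directory inside the jail must be owned by that user and enterable. It assumes Linux with GNU coreutils stat; the paths /home/public, /home/public/mydir and the user myuser are the thread's own values, and the optional UID and BASE parameters of check_chroot_path exist only so the logic can be exercised on a throw-away directory tree owned by an unprivileged user.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: audit a jail laid out
# as in the post above against the ChrootDirectory rules from sshd_config(5).
# Assumes Linux with GNU coreutils `stat`; run as root on a real host.

# perm_bits MODE -> prints "U G O", the owner/group/other digits of an octal
# mode as printed by `stat -c %a` (a leading setuid/setgid/sticky digit is ignored).
perm_bits() {
    m=$(printf '%s' "$1" | sed 's/^0*//')
    [ -n "$m" ] || m=0
    echo "$(( m / 100 % 10 )) $(( m / 10 % 10 )) $(( m % 10 ))"
}

# mode_ok MODE -> 0 when neither group nor other has the write bit (2), which is
# what sshd demands of the chroot path and each of its components.
mode_ok() {
    set -- $(perm_bits "$1")
    [ $(( $2 & 2 )) -eq 0 ] && [ $(( $3 & 2 )) -eq 0 ]
}

# dir_ok DIR UID -> 0 when DIR is a directory owned by UID with an acceptable
# mode; prints a reason for each failure so the admin sees what to fix.
dir_ok() {
    if [ ! -d "$1" ]; then
        echo "not a directory: $1"
        return 1
    fi
    owner=$(stat -c %u "$1") || return 1
    mode=$(stat -c %a "$1") || return 1
    bad=0
    if [ "$owner" != "$2" ]; then
        echo "owner uid $owner, expected $2: $1"
        bad=1
    fi
    if ! mode_ok "$mode"; then
        echo "group/other writable (mode $mode): $1"
        bad=1
    fi
    return $bad
}

# check_chroot_path PATH [UID] [BASE] -> 0 when BASE and every directory below
# it down to PATH pass dir_ok. sshd itself walks from / and requires uid 0; the
# optional UID and BASE exist only for exercising the logic on a test tree.
check_chroot_path() {
    want_uid=${2:-0}
    base=${3:-/}
    cur=${base%/}                     # "" when BASE is /
    rest=${1#"$cur"}                  # part of PATH below BASE
    rc=0
    dir_ok "${cur:-/}" "$want_uid" || rc=1
    while [ -n "$rest" ]; do
        rest=${rest#/}                # drop one leading slash
        comp=${rest%%/*}              # next path component
        rest=${rest#"$comp"}
        [ -n "$comp" ] || continue    # skip empty fields from doubled slashes
        cur="$cur/$comp"
        dir_ok "$cur" "$want_uid" || rc=1
    done
    return $rc
}

# user_dir_ok DIR UID -> 0 when the user's directory inside the jail is owned by
# UID and has the owner execute bit; without that bit the directory cannot be
# entered, so the session could not start inside it.
user_dir_ok() {
    dir=$1
    want=$2
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
    owner=$(stat -c %u "$dir") || return 1
    mode=$(stat -c %a "$dir") || return 1
    if [ "$owner" != "$want" ]; then
        echo "owner uid $owner, expected $want: $dir"
        return 1
    fi
    set -- $(perm_bits "$mode")
    if [ $(( $1 & 1 )) -eq 0 ]; then
        echo "owner lacks the execute bit, cannot enter (mode $mode): $dir"
        return 1
    fi
    return 0
}

# audit_jail JAIL USERDIR USERNAME -> both checks with the values sshd uses,
# e.g. audit_jail /home/public /home/public/mydir myuser (run as root).
audit_jail() {
    ok=0
    check_chroot_path "$1" || ok=1
    user_dir_ok "$2" "$(id -u "$3")" || ok=1
    [ "$ok" -eq 0 ] && echo "OK: $1 is usable as ChrootDirectory for $3"
    return $ok
}
```

Run audit_jail as root with the real paths after editing sshd_config, and run sshd -t before reloading to catch syntax errors in the Match block. The owner-execute check is deliberate: a directory the user owns but cannot enter (mode 600, no execute bit) cannot be chdir'd into, so the session would not start inside it; mode 700 keeps it private to the user and still usable.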