ssh - restricted shell - FreeBSD

  1. #1

    ssh - restricted shell

    Hello,

    Does anybody know the best technique to accomplish this:

    We have a server that we use for mostly internal development, and run an
    SSH server.

    We have an outsider who we want to allow to ssh into this server and do
    some work.

    However, because he is an outsider, we don't want him roaming around our
    server, moving, looking, doing, or anything outside of his own home
    directory.

    How can I restrict him to his own home directory?

    I thought I ran into instructions once for doing this, but I can't find
    anything right now.

    Or was I thinking of scponly ?

    That might do it, except we do need to set him up to run some scripts
    within his home directory after he uploads stuff via scp.

    Thanks,
    DW

    Duane Guest

  2. #2

    Re: ssh - restricted shell

    On Wed, Mar 30, 2005 at 04:02:39PM -0500, Duane Winner wrote: 

    You could try using 'bash -r' as the shell for this user. The -r option
    puts bash in "restricted" mode. See bash(1).

    Roland
    --
    R.F. Smith /"\ ASCII Ribbon Campaign
    r s m i t h x s 4 a l l . n l \ / No HTML/RTF in e-mail
    http://www.xs4all.nl/~rsmith/ X No Word docs in e-mail
    public key: http://www.keyserver.net / \ Respect for open standards

    Roland Guest
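
What the `bash -r` suggestion above enforces in practice, as an added example that is not part of the original thread: each probe is run in plain bash and again in restricted mode, and a script is then run by bare name from a fixed PATH. The function names, `deploy.sh` and the temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example. Each probe runs twice in a throwaway directory: once in
# plain bash (baseline) and once in "bash -r" (restricted mode).
BASH_BIN=$(command -v bash)
SANDBOX=$(mktemp -d)            # constructed working directory
trap 'rm -rf "$SANDBOX"' EXIT

# Constructed script the account is supposed to run after an upload.
printf '#!/bin/sh\necho deployed\n' > "$SANDBOX/deploy.sh"
chmod 755 "$SANDBOX/deploy.sh"

# blocked_by_rbash CMD: 0 = refused only in restricted mode, 1 = still runs,
# 2 = fails even without -r (the probe itself is wrong).
blocked_by_rbash() {
    ( cd "$SANDBOX" && "$BASH_BIN" -c "$1" ) >/dev/null 2>&1 || return 2
    if ( cd "$SANDBOX" && "$BASH_BIN" -r -c "$1" ) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# run_from_path NAME: run NAME in restricted mode with PATH fixed, before the
# shell starts, to a single directory (PATH is read-only once inside).
run_from_path() {
    ( cd "$SANDBOX" && PATH="$SANDBOX" "$BASH_BIN" -r -c "$1" ) 2>/dev/null
}

report() {
    for probe in 'cd /' './deploy.sh' 'echo x > out.txt' \
                 'PATH=/bin:/usr/bin' 'echo hi'; do
        blocked_by_rbash "$probe"
        case $? in
            0) state=BLOCKED ;;
            1) state=allowed ;;
            *) state=invalid ;;
        esac
        printf '%-8s %s\n' "$state" "$probe"
    done
    printf 'via PATH: %s\n' "$(run_from_path deploy.sh)"
}

report
```

Restricted mode refuses `./deploy.sh` because the name contains a slash, so anything the account must run has to be reachable by bare name through PATH. On a real host that PATH directory should be owned by the administrator and hold only the intended commands.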

  3. #3

    Re: ssh - restricted shell

    On Wednesday 30 March 2005 04:02 pm, Duane Winner wrote: 

    DW,

    I thought this was accomplished when initially setting up a user's
    account? I'm under the impression that when a user clients sshd,
    s/he still can't go beyond the boundaries of his/her existing
    account on the server. Of course: if $impression = "delusion"
    then someone _please_ correct me! fi :O

    WizLayer
    wizlayer Guest

  4. #4

    Re: ssh - restricted shell

    On Wed, 30 Mar 2005 16:02:39 -0500
    Duane Winner wrote:
     

    i'm a jail-fan, go for a "ssh-only-jail" :)

    albi Guest

  5. #5

    Re: ssh - restricted shell

    On March 30, 2005 04:02 pm, Duane Winner wrote: 

    if you only want scp to work, then you can use this as the shell:

    /usr/lib/misc/sftp-server

    worked for me. however, if they need a shell, you'll have to chroot() the
    shell and i don't know how to do that. i've never bothered to learn 'cause
    i've heard that they're easy to break out of anyway.

    --
    the reasonable man adapts himself to the world;
    the unreasonable man persists in trying to adapt the world to himself.
    therefore, all progress depends on the unreasonable man.
    - george bernard shaw
    daniel Guest

  6. #6

    Re: ssh - restricted shell

    On March 30, 2005 04:51 pm, daniel wrote: 

    correction. that was for gentoo-linux. for freebsd, you can use:
    /usr/local/libexec/sftp-server
    or
    /usr/libexec/sftp-server
    depending on if you're using openssh from ports or from the base install

    --
    i would not be a capitalist, i would be a man;
    you cannot be both at the same time.
    - eugene debs
    daniel Guest

  7. #7

    Re: ssh - restricted shell

    On Wed, 30 Mar 2005, Duane Winner wrote:
     

    Although I have never done it, you could search documentation on doing
    jails in FreeBSD.

    I believe Bash has a restricted shell of some sort.

    I also have seen restricted shells in Freshmeat.net (about 2 weeks ago saw
    one updated).

    Based on my very limited knowledge of the topic I would say that
    restricted shell is the easiest, but jail is the safest.

    --
    http://stringsutils.com
    Utility for developers. Compute length, MD5, CRC and more.
    Francisco Guest

  8. #8

    Re: ssh - restricted shell

    Couldn't you put everyone else into the same group, except for the
    outsider? Then you could make secret directories -rwx. Directories
    without execute permission cannot be listed.

    Regards,

    Juan

    On Wed, 30 Mar 2005, Duane Winner wrote:
     
    Juan Guest

  9. #9

    Re: ssh - restricted shell

    wizlayer on 2005-03-30 16:28:55 -0500:
     

    If you mean 'outside of his home directory', then yes, a user can go
    outside 'his/her existing account on the server'. He can't read,
    modify, or execute files he doesn't have permission for, however.

    Alec Guest
