chrooting/jailing transfer-only accounts
Sandor W. Sklar
ssklar at stanford.edu
Wed May 22 13:47:59 EST 2002
Folks,
I've been tasked to find a solution that will create
file-transfer-only accounts that are jailed or chrooted to a specific
directory. (Not an uncommon task, I think.)
Using the OpenSSH server and the OpenSSH scp client program, I can
achieve the goal of having a file transfer only account jailed to a
specified directory, by using the "scpjail" script (attached) as a
forced command.
However, if the client is using the SSH.COM's scp2 client program,
the above technique does not work, since the commercial version uses
sftp as the underlying method.
So, the only solution I can see is to use one of the several
chrooting patches that are floating around to the OpenSSH source, and
set the user's shell to sftp-server. If I do this, I make it
impossible to use the OpenSSH scp client; all connections must be
done using sftp clients. I am also tied to selecting and using one
of these patches, which I admit, I do not have the technical ability
to judge on their merits and potential weaknesses. I am phobic about
using patches that are not part of the baseline code (especially for
security-related software), as it creates one more thing to worry
about.
My question is, does anyone see a solution that I am missing here?
Complaining to SSH.COM is not a solution, as it does not solve my
problem. It is not in my power to force the user community to use
only the OpenSSH implementation.
I've seen many mails on this list lately talking about the pros and
cons of including chroot-ability; the people who seem to feel that it
is unnecessary have said that it is easy enough to implement outside
of OpenSSH. I don't have the ability to do so; among the community
of OpenSSH users, I doubt I'm alone in this.
(As an aside, I'd appreciate it if people would look at the attached
script, and let me know if they can see any obvious holes in it.
I've tried unsuccessfully to break out of it if it is set up properly, but
others may have more success.)
Thanks, -S-
--
Sandor W. Sklar - Unix Systems Administrator - Stanford University ITSS
Non impediti ratione cogitationis. http://whippet.stanford.edu/~ssklar/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: scpjail
Type: application/mac-binhex40
Size: 11846 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020521/cf77c2c8/attachment.bin
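Because the attached scpjail script was scrubbed from the archive, here is an added example of the technique the post describes: a forced-command wrapper that confines an account to OpenSSH scp transfers under one directory. This is my own illustration, not the author's script. The jail directory /var/transfer, the install path /usr/local/bin/scpjail and the SCPJAIL_DIR override are assumptions. Like the author's approach it serves only the OpenSSH scp client; an sftp-based client (such as SSH.COM's scp2) asks for the sftp subsystem and is refused. Later OpenSSH releases added the ChrootDirectory option and the internal-sftp subsystem to sshd_config, which cover that case without third-party patches.

```shell
#!/bin/sh
# Forced-command wrapper for an scp-only, directory-jailed account.
# Added example; it is NOT the "scpjail" script attached to the post.
#
# Install in the transfer account's ~/.ssh/authorized_keys (one line;
# the install path and jail directory below are assumptions):
#   command="/usr/local/bin/scpjail",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...
#
# sshd puts what the client actually asked for in SSH_ORIGINAL_COMMAND.
# The OpenSSH scp client asks for "scp [-rpdv] -t <dst>" (upload) or
# "scp [-rpdv] -f <src>" (download).  Anything else is refused, so no
# interactive shell or arbitrary command ever runs.  This is a path check,
# not a chroot: the account must not be able to create symlinks inside
# the jail that point outside it (keep the tree owned by another user).

JAIL="${SCPJAIL_DIR:-/var/transfer}"

# parse_scp JAIL COMMAND
# Prints "<flags> <path relative to JAIL>" when COMMAND is an acceptable
# scp invocation confined to JAIL; returns 1 otherwise.  Runs in a subshell
# so "set -f" (no globbing while word-splitting) does not leak out.
parse_scp() (
    set -f
    jail=$1
    set -- $2                       # split the requested command into words
    [ "$1" = scp ] || return 1
    shift
    mode="" flags=""
    while [ $# -gt 1 ]; do          # every word before the last is an option
        case "$1" in
            -t|-f) mode=$1 ;;
            -r|-p|-d|-v) ;;         # recursive, preserve times, dir target, verbose
            *) return 1 ;;          # -S, --, unknown flags or stray words: refuse
        esac
        flags="${flags:+$flags }$1"
        shift
    done
    [ -n "$mode" ] && [ $# -eq 1 ] || return 1
    path=$1
    # Clients may name the target either relative to the home directory or
    # with the full jail path; normalise to a path relative to the jail.
    case "$path" in
        "$jail")   path=. ;;
        "$jail"/*) path=${path#"$jail"/} ;;
    esac
    # Refuse absolute paths (they are outside the jail), any ".." component,
    # a leading dash (scp would parse it as an option) and any character
    # outside a conservative allowlist, so nothing can reach a shell.
    # Quoted names such as 'a b' fail the allowlist on purpose.
    case "$path" in
        /*|-*|..|../*|*/..|*/../*) return 1 ;;
        *[!A-Za-z0-9._/-]*)        return 1 ;;
    esac
    printf '%s %s\n' "$flags" "$path"
)

# Entry point when sshd runs this as the forced command (sshd sets
# SSH_CONNECTION for every session, SSH_ORIGINAL_COMMAND only when the
# client asked for a command; a plain shell request leaves it unset).
if [ -n "${SSH_CONNECTION:-}" ]; then
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "scpjail: interactive logins are not allowed" >&2
        exit 1
    fi
    args=$(parse_scp "$JAIL" "$SSH_ORIGINAL_COMMAND") || {
        echo "scpjail: only scp transfers inside $JAIL are allowed" >&2
        exit 1
    }
    cd "$JAIL" || exit 1
    set -f
    set -- $args                    # every word was validated above
    exec scp "$@"
fi
```

The wrapper deliberately accepts a narrow allowlist of flags and file-name characters rather than trying to parse shell quoting; a client that sends a quoted or spaced name is refused rather than risk passing a metacharacter through. What it does not do is a chroot, so the remaining escape route is a symlink created inside the jail that points outside it: the transfer account must not own the jail tree, and scp's -r mode follows directory symlinks.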