chrooting/jailing transfer-only accounts
Ben Lindstrom
mouring at etoh.eviladmin.org
Thu May 23 00:20:14 EST 2002
I'm sorry but I know I don't read binhex.
But assuming you did what has been discussed here before which is wrote
some from of program that detects the -c argument passed to it and accept
or deny the commands. This can work for sftp-server also. Because we
do ${SHELL} -c sftp-server just like one would expect.
- Ben
On Tue, 21 May 2002, Sandor W. Sklar wrote:
> Folks,
>
> I've been tasked to find a solution that will create
> file-transfer-only accounts that are jailed or chrooted to a specific
> directory. (Not an uncommon task, I think.)
>
> Using the OpenSSH server and the OpenSSH scp client program, I can
> achieve the goal of having a file transfer only account jailed to a
> specified directory, by using the "scpjail" script (attached) as a
> forced command.
>
> However, if the client is using the SSH.COM's scp2 client program,
> the above technique does not work, since the commercial version uses
> sftp as the underlying method.
>
> So, the only solution I can see is to use one of the several
> chrooting patches that are floating around to the OpenSSH source, and
> set the user's shell to sftp-server. If I do this, I make it
> impossible to use the OpenSSH scp client ; all connections must be
> done using sftp clients. I am also tied to selecting and using one
> of these patches, which I admit, I do not have the technical ability
> to judge on their merits and potential weaknesses. I am phobic about
> using patches that are not part of the baseline code (especially for
> security-related software), as it creates one more thing to worry
> about.
>
> My question is, does anyone see a solution that I am missing here?
> Complaining to SSH.COM is not a solution, as it does not solve my
> problem. It is not in my power to force the user community to use
> only the OpenSSH implementation.
>
> I've seen many mails on this list lately talking about the pros and
> cons of including chroot-ability; the people who seem to feel that it
> is unnecessary have said that it is easy enough to implement outside
> of OpenSSH. I don't have the ability to do so; among the community
> of OpenSSH users, I doubt I'm alone in this.
>
> (As an aside, I'd appreciate it if people would look at the attached
> script, and let me know if they can see any obvious holes in it.
> I've tried unsuccessfully to break out if it is set up properly, but
> others may have more success.)
>
> Thanks, -S-
>
> --
> Sandor W. Sklar - Unix Systems Administrator - Stanford University ITSS
> Non impediti ratione cogitationis. http://whippet.stanford.edu/~ssklar/
More information about the openssh-unix-dev
mailing list