allowing sftp only users

Stephen Samuel samuel at bcgreen.com
Tue Nov 19 12:02:45 EST 2002


I only need to modify sftp-server if I want to create arbitrary chroot jails.
Once the chroot jail is created, there's no real way to find the sftp-server
binary.  As a result, the chroot call needs to be done by sftp-server.

The 5-line change to sftp-server consists of checking for a -c flag,
doing the chroot and then doing a chdir("/") call (to close off
any possible chroot escape).

Ben Lindstrom wrote:
> 
> Why do you need to modify sftp-server at all?  Your sftpsh should be able
> to handle it all internally.
> 
> - Ben
> 
> On Mon, 18 Nov 2002, Stephen Samuel wrote:
> 
> 
>>I've attached an email that I wrote a couple of weeks ago -- including
>>my solution to the problem (an sftp chroot jail). It has two parts: an
>>sftpsh replacement for nologin and a (very small) patch for sftp.
>>
>>While I'm at it, what's the protocol for submitting these changes
>>for inclusion in the base release?
>>
>>PIERROT David wrote:
>>
>>>Good morning,
>>>
>>>I am David Pierrot, engineer for an IT company.
>>>
>>>We need to install an ssh client and ssh server (Linux and Win 2000).
>>>
>>>We have a problem; could you tell me please if this thing is possible.
>>>
>>>We want that users on ssh can only use sftp or scp, but we do not want that
>>>they can use roo command or something else.
>>>With the sshd command it is possible to use telnet by port 22; do you think that
>>>it is possible to forbid this kind of thing and to have only the ftp command?
>>>
>>>many thanks in advance.
>>>
>>>best regards
>>>
>>>
>>>
>>>>DAVID PIERROT
>>>>UNEDIC Maîtrise d'Oeuvre
>>>>*  5, avenue Jean Jaures - BP2 - 69551 FEYZIN Cedex
>>>
>>>msg : dpierrott at unedic.fr
>>>Tel. : 04-72-89-23-62
>>>
>>>
>>>
>>>+----------------------------------------------------------------+
>>>| This e-mail and any attached files are confidential.           |
>>>| If you have received this e-mail in error, please notify the   |
>>>| system administrator: exp-iris at unedic.fr                    |
>>>|                          ---------                             |
>>>| This message confirms that the e-mail has successfully passed  |
>>>| the antivirus check of the Internet mail relay.                |
>>>+----------------------------------------------------------------+
>>>
>>>_______________________________________________
>>>openssh-unix-dev at mindrot.org mailing list
>>>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>>--
>>Stephen Samuel +1(604)876-0426                samuel at bcgreen.com
>>		   http://www.bcgreen.com/~samuel/
>>Powerful committed communication, reaching through fear, uncertainty and
>>doubt to touch the jewel within each person and bring it to life.
>>
> 
> 

-- 
Stephen Samuel +1(604)876-0426                samuel at bcgreen.com
		   http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.
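As an added example (not Stephen's patch and not OpenSSH code), here is the chroot sequence the message describes written out in C with the checks a defender would want around it: the jail directory is validated before use, chroot() is immediately followed by chdir("/"), and the process then drops to the target user's uid/gid so it can never call chroot() again. The -c flag comes from the email; the helper names parse_chroot_flag, check_jail_dir and enter_jail, the ownership/permission checks and the privilege drop are assumptions that go beyond the five-line change he mentions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Look for "-c <dir>" in argv; returns the directory or NULL if absent.
 * The flag name is from the email; this parsing helper is assumed. */
const char *parse_chroot_flag(int argc, char **argv)
{
    for (int i = 1; i + 1 < argc; i++)
        if (strcmp(argv[i], "-c") == 0)
            return argv[i + 1];
    return NULL;
}

/* Sanity checks before using a directory as a jail root (assumed policy):
 * absolute path, exists, is a directory, owned by root, and not writable
 * by group or others (a writable jail root lets the confined user plant
 * files such as a fake /etc/passwd inside the jail).  Returns 0 on success,
 * -1 with errno set on failure. */
int check_jail_dir(const char *dir)
{
    struct stat st;

    if (dir == NULL || dir[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    if (stat(dir, &st) != 0)        /* errno set by stat() */
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != 0 ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        errno = EINVAL;
        return -1;
    }
    return 0;
}

/* The sequence from the email, plus a privilege drop.
 * chroot() only moves the root; chdir("/") moves the working directory
 * inside the new root so the classic "cwd outside the jail" escape is
 * closed.  Dropping to the target uid/gid afterwards (group first, while
 * still root) means a second chroot() call is no longer possible. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (check_jail_dir(dir) != 0)
        return -1;
    if (chroot(dir) != 0)           /* requires root */
        return -1;
    if (chdir("/") != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    const char *jail = parse_chroot_flag(argc, argv);

    if (jail == NULL) {
        fprintf(stderr, "usage: %s -c <jail-dir>\n", argv[0]);
        return 1;
    }
    /* Constructed example uid/gid; a real server would take them from the
     * authenticated user's passwd entry. */
    if (enter_jail(jail, 65534, 65534) != 0) {
        fprintf(stderr, "enter_jail(%s) failed: %s\n", jail, strerror(errno));
        return 1;
    }
    printf("now confined to %s\n", jail);
    return 0;
}
```

Run it as root with `-c /path/to/jail`; without root, chroot() fails with EPERM and the program exits rather than continuing unconfined, which is the behaviour you want from a confinement step.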
