A client wants me to set up a mechanism whereby his customers can drop files securely into directories on his FreeBSD server; he also wants them to be able to retrieve files if needed. The server is already running OpenSSH, and he himself is using Windows clients (TeraTerm and WinSCP) to access it, so the logical thing to do seems to be to have his clients send and receive files via SFTP or SCP. The users depositing files on the server shouldn't be allowed to see what one another are doing or to grope around on the system, so it'd be a good idea to chroot them into home directories, as is commonly done with FTP. However, OpenSSH (or at least FreeBSD's version of it) doesn't seem to have a mechanism that allows users doing SSH, SCP, or SFTP to be chroot-ed into a specific directory. What is the most effective and elegant way to do this? I've seen some crude patches that allow you to put a /. in the home directory specified in /etc/passwd, but these are specific to versions of the "portable" OpenSSH and none of the diffs seem to match FreeBSD's files exactly. --Brett
Hello, On Mon, Dec 20, 2004 at 02:23:02PM -0700 or thereabouts, Brett Glass wrote:> The users depositing files on the server shouldn't be allowed to see what > one another are doing or to grope around on the system, so it'd be a good > idea to chroot them into home directories, as is commonly done with FTP. > > However, OpenSSH (or at least FreeBSD's version of it) doesn't seem to have a > mechanism that allows users doing SSH, SCP, or SFTP to be chroot-ed into a > specific directory. What is the most effective and elegant way to do this? I've > seen some crude patches that allow you to put a /. in the home directory specified > in /etc/passwd, but these are specific to versions of the "portable" OpenSSH > and none of the diffs seem to match FreeBSD's files exactly.go for /usr/ports/shells/scponly, it also has ability to use chroot. Cheers, Martin -- martin hudec * 421 907 303 393 * corwin@aeternal.net * http://www.aeternal.net "Nothing travels faster than the speed of light with the possible exception of bad news, which obeys its own special laws." Douglas Adams, "The Hitchhiker's Guide to the Galaxy" -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20041220/4ec844bb/attachment.bin
On 0, Brett Glass <brett@lariat.org> allegedly wrote:> A client wants me to set up a mechanism whereby his customers can drop files > securely into directories on his FreeBSD server; he also wants them to be > able to retrieve files if needed. The server is already running OpenSSH, > and he himself is using Windows clients (TeraTerm and WinSCP) to access it, > so the logical thing to do seems to be to have his clients send and receive > files via SFTP or SCP. > > The users depositing files on the server shouldn't be allowed to see what > one another are doing or to grope around on the system, so it'd be a good > idea to chroot them into home directories, as is commonly done with FTP. > > However, OpenSSH (or at least FreeBSD's version of it) doesn't seem to have a > mechanism that allows users doing SSH, SCP, or SFTP to be chroot-ed into a > specific directory. What is the most effective and elegant way to do this? I've > seen some crude patches that allow you to put a /. in the home directory specified > in /etc/passwd, but these are specific to versions of the "portable" OpenSSH > and none of the diffs seem to match FreeBSD's files exactly. > > --BrettIs there something wrong with using the scponly shell for the users? It is available in ports and at http://www.sublimation.org/scponly/ +-----------------------------------------------------------------+ Nigel Houghton Research Engineer Sourcefire Inc. Vulnerability Research Team Stewie: You know, I rather like this God fellow. Very theatrical, you know. Pestilence here, a plague there. Omnipotence ...gotta get me some of that.
Ref. /usr/ports/shells/scponly; scponly does provide a "chroot" mechanism. Peace, david -- David H. Wolfskill david@catwhisker.org I resent spammers because spam is a DoS attack on my time. See http://www.catwhisker.org/~david/publickey.gpg for public key.