Lock user into one directory?

Post by Sebastian Schac » Wed, 23 Apr 2003 06:42:43



Hi everybody.

First of all: I'm pretty new to SSH so please excuse me if my question
is a FAQ - but I didn't find anything that could really help me via
google (maybe I searched with the wrong words?).

I set up an SSH daemon and a DNS entry. By now I'm able to ping my own
computer through this DNS entry and I'm even able to establish an ssh
connection from a friend's computer to mine.

Since I'm running a small FTP server for my LAN at home I have several
users created and they all have their own home directory as
upload-folder for FTP.

Now I want to lock some specific users into this home-directory when they
connect via SSH.
By now every user is able to see everything on my HDD.

I want something like this:





So /some/ /specific/ users should not be allowed to gain access to
anything higher than their own home-directory.

I think this should somehow be possible :)

Thanks in advance,

Sebastian

--
"I'm starting with the man in the mirror, I'm asking him to change his
ways, And no message could have been any clearer, If you wanna make the
world a better place, Take a look at yourself, and then make a change!"
- Michael Jackson

Post by Armin Krawinke » Wed, 23 Apr 2003 07:00:34



> Hi everybody.

> First of all: I'm pretty new to SSH so please excuse me if my
> question is a FAQ - but I didn't find anything that could really
> help me via google (maybe I searched with the wrong words?).

> I set up an SSH daemon and a DNS entry. By now I'm able to ping my
> own computer through this DNS entry and I'm even able to establish
> an ssh connection from a friend's computer to mine.

> Since I'm running a small FTP server for my LAN at home I have
> several users created and they all have their own home directory as
> upload-folder for FTP.

> Now I want to lock some specific users into this home-directory when
> they connect via SSH.
> By now every user is able to see everything on my HDD.

> I want something like this:





> So /some/ /specific/ users should not be allowed to gain access to
> anything higher than their own home-directory.

> I think this should somehow be possible :)

> Thanks in advance,

> Sebastian

I think chroot is what you are searching for

--

life, the universe and everything

Post by Sebastian Schac » Wed, 23 Apr 2003 19:04:56



> I think chroot is what you are searching for

Hm... but if I "chroot" a user into his homedirectory, can he still gain
access to other directories if he connects via FTP?

Sebastian

--
"I'm starting with the man in the mirror, I'm asking him to change his
ways, And no message could have been any clearer, If you wanna make the
world a better place, Take a look at yourself, and then make a change!"
- Michael Jackson

Post by Nico Kadel-Garci » Wed, 23 Apr 2003 20:56:45




>> I think chroot is what you are searching for

> Hm... but if I "chroot" a user into his homedirectory, can he still gain
> access to other directories if he connects via FTP?

> Sebastian

Nope. That's the whole point of a good chroot cage. The "chroot"
directory is now effectively the "/" directory, moo-ha-ha-ha, now
you're trapped, my pretty!

FTP can be configured to act this way as well: Take a look at the
"anonftp" software bundles for RedHat and other Linux systems, which
provide an appropriate chroot cage for FTP use. Setting it up for SSH is
a bit more of an adventure, since the OpenSSH authors have never
integrated in any of the various published chroot patches.

I really wish they would, it's a useful tool.

Post by Sebastian Schac » Wed, 23 Apr 2003 21:26:08



> FTP can be configured to act this way as well: Take a look at the
> "anonftp" software bundles for RedHat and other Linux systems, which
> provide an appropriate chroot cage for FTP use.

Right. I'm using ProFTPd here and all users (except me *g*) are trapped
in my ftp-directory

> Setting it up for SSH is
> a bit more of an adventure, since the OpenSSH authors have never
> integrated in any of the various published chroot patches.

This means, I assume, that I won't find a user-friendly HowTo? :)

Sebastian

--
"I'm starting with the man in the mirror, I'm asking him to change his
ways, And no message could have been any clearer, If you wanna make the
world a better place, Take a look at yourself, and then make a change!"
- Michael Jackson

Post by Nico Kadel-Garci » Wed, 23 Apr 2003 21:38:42




>>FTP can be configured to act this way as well: Take a look at the
>>"anonftp" software bundles for RedHat and other Linux systems, which
>>provide an appropriate chroot cage for FTP use.

> Right. I'm using ProFTPd here and all users (except me *g*) are trapped
> in my ftp-directory

>>Setting it up for SSH is
>>a bit more of an adventure, since the OpenSSH authors have never
>>integrated in any of the various published chroot patches.

> This means, I assume, that I won't find a user-friendly HowTo? :)

> Sebastian

        http://ulf.zeitform.de/sshchroot/        
        http://www.merl.com/people/nkadel/openssh-chroot.README

My notes need a serious update, we're at 3.6p1 and my old patches are
for 3.1p1.
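
Added example, not part of the thread or of any poster's patches: OpenSSH releases later than the ones discussed here ship a `ChrootDirectory` option, and sshd_config(5) requires every component of that path to be a root-owned directory not writable by group or others. The sketch below audits a candidate jail path against that rule; the function names and the sample paths are assumptions made up for illustration.

```python
import os
import stat

def audit_components(components):
    """Check (path, owner_uid, mode) tuples, ordered from '/' down to the jail.

    Returns a list of problems; an empty list means the chain satisfies the
    documented ChrootDirectory ownership rule."""
    problems = []
    for path, uid, mode in components:
        if not stat.S_ISDIR(mode):
            problems.append(f"{path}: not a directory")
        if uid != 0:
            problems.append(f"{path}: owned by uid {uid}, not root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: writable by group or others")
    return problems

def collect_components(jail):
    """Stat every component of the absolute path leading to `jail`."""
    cur = os.path.abspath(jail)
    parts = [cur]
    while os.path.dirname(cur) != cur:
        cur = os.path.dirname(cur)
        parts.append(cur)
    out = []
    for p in reversed(parts):
        st = os.stat(p)  # follows symlinks, so the target is what gets judged
        out.append((p, st.st_uid, st.st_mode))
    return out

# Constructed sample data (hypothetical paths and uids, not from the thread).
# A dedicated root-owned jail passes:
GOOD = [("/", 0, 0o040755), ("/srv", 0, 0o040755), ("/srv/jail", 0, 0o040755)]
# A typical FTP upload home, owned by the user and group-writable, does not:
BAD = [("/", 0, 0o040755), ("/home", 0, 0o040755),
       ("/home/ftpuser", 1001, 0o040775)]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    for line in audit_components(collect_components(target)) or ["ok"]:
        print(line)
```

A user's own upload directory therefore cannot itself be the chroot target; the usual layout is a root-owned jail with a user-writable subdirectory inside it.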

 
 
 
