public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] creating ssh account without directory browsing
@ 2010-08-22  8:36 Tamer Higazi
  2010-08-22  9:27 ` Alex Schuster
                   ` (3 more replies)
  0 siblings, 4 replies; 8+ messages in thread
From: Tamer Higazi @ 2010-08-22  8:36 UTC (permalink / raw
  To: gentoo-user

 Hi people!
For a project I need to create ssh accounts (based on shared keys) who
would be logged in to a specific directory. They should only be able to
log in to the desired directory, but not be able to browse outside it.


for example:

/work/

but not / or any other scope.

How would you guys accomplish that?!




* Re: [gentoo-user] creating ssh account without directory browsing
  2010-08-22  8:36 [gentoo-user] creating ssh account without directory browsing Tamer Higazi
@ 2010-08-22  9:27 ` Alex Schuster
  2010-08-22 12:31 ` Giampiero Gabbiani
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 8+ messages in thread
From: Alex Schuster @ 2010-08-22  9:27 UTC (permalink / raw
  To: gentoo-user

Tamer Higazi writes:

> For a project I need to create ssh accounts (based on shared keys) who
> would be logged in to a specific directory. They should only be able to
> log in to the desired directory, but not be able to browse outside it.

If you need this only for things like scp, net-misc/scponly might do what 
you want.
http://sublimation.org/scponly/wiki/index.php/Main_Page

	Wonko




* Re: [gentoo-user] creating ssh account without directory browsing
  2010-08-22  8:36 [gentoo-user] creating ssh account without directory browsing Tamer Higazi
  2010-08-22  9:27 ` Alex Schuster
@ 2010-08-22 12:31 ` Giampiero Gabbiani
  2010-08-22 14:49   ` Mick
  2010-08-22 16:27 ` Alan McKinnon
  2010-08-22 18:40 ` [gentoo-user] " Kalkin Sam
  3 siblings, 1 reply; 8+ messages in thread
From: Giampiero Gabbiani @ 2010-08-22 12:31 UTC (permalink / raw
  To: gentoo-user

On Sunday 22 August 2010 10:36:36, Tamer Higazi wrote:
> Hi people!
> For a project I need to create ssh accounts (based on shared keys) who
> would be logged in to a specific directory. They should only be able to
> log in to the desired directory, but not be able to browse outside it.
> 
> 
> for example:
> 
> /work/
> 
> but not / or any other scope.
> 
> How would you guys accomplish that?!
Hi Tamer,
simply set the default shell of the desired account to: /bin/bash -r.
In this mode the bash will start in restricted mode. You can get further 
information about that in the man page of bash (section: RESTRICTED SHELL).

Bye
Giampiero




* Re: [gentoo-user] creating ssh account without directory browsing
  2010-08-22 12:31 ` Giampiero Gabbiani
@ 2010-08-22 14:49   ` Mick
  0 siblings, 0 replies; 8+ messages in thread
From: Mick @ 2010-08-22 14:49 UTC (permalink / raw
  To: gentoo-user


On Sunday 22 August 2010 13:31:20 Giampiero Gabbiani wrote:
> On Sunday 22 August 2010 10:36:36, Tamer Higazi wrote:
> > Hi people!
> > 
> > For a project I need to create ssh accounts (based on shared keys) who
> > would be logged in to a specific directory. They should only be able to
> > log in to the desired directory, but not be able to browse outside it.
> > 
> > 
> > for example:
> > 
> > /work/
> > 
> > but not / or any other scope.
> > 
> > How would you guys accomplish that?!
> 
> Hi Tamer,
> simply set the default shell of the desired account to: /bin/bash -r.
> In this mode the bash will start in restricted mode. You can get further
> information about that in the man page of bash (section: RESTRICTED SHELL).

If you find that rbash is too restrictive, you can also restrict the access 
rights of said users, so that they can only read/write their /home and the 
/work directories.  Use some sensible umasks to achieve this.  SUID and SGID 
files & binaries may be more difficult to restrict though. 
-- 
Regards,
Mick


* Re: [gentoo-user] creating ssh account without directory browsing
  2010-08-22  8:36 [gentoo-user] creating ssh account without directory browsing Tamer Higazi
  2010-08-22  9:27 ` Alex Schuster
  2010-08-22 12:31 ` Giampiero Gabbiani
@ 2010-08-22 16:27 ` Alan McKinnon
  2010-08-22 18:40 ` [gentoo-user] " Kalkin Sam
  3 siblings, 0 replies; 8+ messages in thread
From: Alan McKinnon @ 2010-08-22 16:27 UTC (permalink / raw
  To: gentoo-user

Apparently, though unproven, at 10:36 on Sunday 22 August 2010, Tamer Higazi 
did opine thusly:

>  Hi people!
> For a project I need to create ssh accounts (based on shared keys) who
> would be logged in to a specific directory. They should only be able to
> log in to the desired directory, but not be able to browse outside it.
> 
> 
> for example:
> 
> /work/
> 
> but not / or any other scope.
> 
> How would you guys accomplish that?!


Make that user's shell rbash.

In rbash the user cannot cd. There's a bunch of other stuff they also cannot 
do. Check man bash near the end to make sure it satisfies your needs.

-- 
alan dot mckinnon at gmail dot com




* [gentoo-user] Re: creating ssh account without directory browsing
  2010-08-22  8:36 [gentoo-user] creating ssh account without directory browsing Tamer Higazi
                   ` (2 preceding siblings ...)
  2010-08-22 16:27 ` Alan McKinnon
@ 2010-08-22 18:40 ` Kalkin Sam
  2010-08-29 10:34   ` Tamer Higazi
  3 siblings, 1 reply; 8+ messages in thread
From: Kalkin Sam @ 2010-08-22 18:40 UTC (permalink / raw
  To: gentoo-user

Hi,

Young padawan Tamer Higazi <th982a@googlemail.com> spoke:
>  Hi people!
> For a project I need to create ssh accounts (based on shared keys) who
> would be logged in to a specific directory. They should only be able to
> log in to the desired directory, but not be able to browse outside it.

I think you mean chroot. OpenSSH supports this, have a look at it.

kalkin-

-- 
Being paranoid means being free
                   (Hal Faber)





* Re: [gentoo-user] Re: creating ssh account without directory browsing
  2010-08-22 18:40 ` [gentoo-user] " Kalkin Sam
@ 2010-08-29 10:34   ` Tamer Higazi
  2010-09-05 16:55     ` Kalkin Sam
  0 siblings, 1 reply; 8+ messages in thread
From: Tamer Higazi @ 2010-08-29 10:34 UTC (permalink / raw
  To: gentoo-user

Hi Kalkin!
I have set up everything fine with SSH, and I am still not capable of
making the "chroot" option available with bluebream. Could you help me?!

My sshd_config:

http://pastebin.com/LHTUd1ah


Every time I uncomment: "ChrootDirectory /work" and I try to connect, I
receive this message on the console:

Write failed: Broken pipe


Any ideas?!


On 22.08.2010 20:40, Kalkin Sam wrote:
> Hi,
> 
> Young padawan Tamer Higazi <th982a@googlemail.com> spoke:
>>  Hi people!
>> For a project I need to create ssh accounts (based on shared keys) who
>> would be logged in to a specific directory. They should only be able to
>> log in to the desired directory, but not be able to browse outside it.
> 
> I think you mean chroot. OpenSSH supports this, have a look at it.
> 
> kalkin-
> 





* [gentoo-user] Re: creating ssh account without directory browsing
  2010-08-29 10:34   ` Tamer Higazi
@ 2010-09-05 16:55     ` Kalkin Sam
  0 siblings, 0 replies; 8+ messages in thread
From: Kalkin Sam @ 2010-09-05 16:55 UTC (permalink / raw
  To: gentoo-user

Hi,

Young padawan Tamer Higazi <th982a@googlemail.com> spoke:

> Every time I uncomment: "ChrootDirectory /work" and I try to connect, I
> receive this message on the console:
>
> Write failed: Broken pipe
>
>
> Any ideas?!

Yes RTFM and Google :)

man sshd_config and look at ChrootDirectory entry:
<cite> All components of the pathname must be root-owned directories
that are not writable by any other user or group.  After the chroot,
sshd(8) changes the working directory to the user's home
directory</cite>

Here is an Ubuntu forum which handles the same problem:
http://ubuntuforums.org/showthread.php?t=1482005

kalkin-

-- 
Being paranoid means being free
                   (Hal Faber)
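
The sshd_config(5) rule quoted in the message above, as an added example that is not part of the original thread: a shell function that walks a chroot path such as /work from / downwards and reports every component that is not root-owned or is writable by group or other. The function names are hypothetical, and a Linux stat(1) supporting -L and -c is assumed.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path against the rule quoted from
# sshd_config(5). Assumes a Linux stat(1) that supports -L and -c.

# component_ok UID MODE: succeed only for owner root (uid 0) with neither
# the group-write (020) nor other-write (002) permission bit set.
component_ok() {
    [ "$1" -eq 0 ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ] || return 1   # leading 0: parse MODE as octal
}

# check_chroot_path DIR: test "/" and every directory down to DIR.
# Prints one line per failing component; returns 0 only if all pass.
check_chroot_path() {
    target=$1
    case $target in
        /*) ;;
        *) echo "$target: must be an absolute path"; return 2 ;;
    esac
    bad=0
    cur=
    old_ifs=$IFS
    set -f; IFS=/
    set -- $target            # split the path on "/" into positional params
    IFS=$old_ifs; set +f
    for part in / "$@"; do
        case $part in
            "") continue ;;   # empty field from a leading or doubled "/"
            /)  dir=/ ;;
            *)  cur=$cur/$part; dir=$cur ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "$dir: not a directory"; bad=1; continue
        fi
        meta=$(stat -L -c '%u %a' "$dir") || { bad=1; continue; }
        if ! component_ok "${meta% *}" "${meta#* }"; then
            echo "$dir: owner uid ${meta% *}, mode ${meta#* } (need uid 0, no g/o write)"
            bad=1
        fi
    done
    return "$bad"
}

# Run as: sh check_chroot.sh /work
if [ "$#" -gt 0 ]; then check_chroot_path "$1"; fi
```

A path that passes still leaves the user without a writable location at the chroot root itself, so any writable directory has to be a subdirectory below it.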



