chroot users into home directory with sftp
Hello..
How can I chroot users into their home directory, when they log in with sftp?
Thank you very much!
Cheers, dino
Alexander Dalloz 2004-01-23, 7:27 pm
On Sun, 04 Jan 2004 01:08:45 +0100 Dino wrote:
> hello..
>
> how can I chroot users into their home directory, when they log in with sftp?
>
> thank you very much!
>
> cheers dino
What do you mean exactly with sftp? Do you mean FTP with an SSL/TLS encrypted
connection, or the sftp-server connection which OpenSSH offers?
I suspect the latter, so have a look at http://www.sublimation.org/scponly/. All
other solutions for chrooting a ssh/sftp connection are fairly much work, and
with only normal tools not really safe. You might additionally need
grsecurity compiled into your kernel to deny chroot() break outs.
To chroot SSL/TLS secured FTP server connections, the solution depends on the
FTP server you use. That's mostly the easiest.
Alexander
--
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416 14CD E197 6E88 ED69 5653
Alexander Dalloz wrote:
[ snip ]
Hello...
I'm using the sftp-server from OpenSSH. I checked out the link
http://www.sublimation.org/scponly/ but there is a message that there
are troubles regarding Red Hat 9.0. I mean, I'm a beginner in Linux, and
compiling my kernel, hmmm...
Is there a possible way to secure my ftp daemon (vsftpd)???
Thanks in advance, dino
Alexander Dalloz 2004-01-23, 7:27 pm
On Sun, 04 Jan 2004 04:05:04 +0100 Dino wrote:
> Alexander Dalloz wrote:
> Hello...
>
> I'm using the sftp-server from OpenSSH. I checked out the link
> http://www.sublimation.org/scponly/ but there is a message that there
> are troubles regarding Red Hat 9.0. I mean, I'm a beginner in Linux, and
> compiling my kernel, hmmm...
> Is there a possible way to secure my ftp daemon (vsftpd)???
> Thanks in advance, dino
Ok, if you are a beginner I fear you will not succeed in chrooting
sftp/scp use effectively so that no one can break out.
I do not know vsftpd, but with proftpd and pure-ftpd it is easy to set up
chrooted user login over a SSL/TLS connection. You can get proftpd as an rpm
from freshrpms.net. But I think you will need to build it yourself from the
src.rpm to enable the tls module by using
rpmbuild -ba --with tls proftpd.src.rpm (the exact name you must find
yourself and download the file).
After that you have an installable proftpd.rpm in
/usr/src/redhat/RPMS/i386. After installation you will find a well
prepared config file in /etc.
Alexander
Alexander Dalloz 2004-01-23, 7:27 pm
On Sun, 04 Jan 2004 04:05:04 +0100 Dino wrote:
[ snip ]
> Hello...
>
> I'm using the sftp-server from OpenSSH. I checked out the link
> http://www.sublimation.org/scponly/ but there is a message that there
> are troubles regarding Red Hat 9.0. I mean, I'm a beginner in Linux, and
What troubles do you mean? I just found the note "Some operating systems
(notably redhat 9), use a shell script for the "groups" command." which is
not a real problem, as the solution was noted right there.
> compiling my kernel, hmmm...
> Is there a possible way to secure my ftp daemon (vsftpd)???
> Thanks in advance, dino
Alexander
Alexander Dalloz wrote:
[ snip ]
I saw your signature down on this message, and I think I can talk in
German??? If not I will rewrite the following in English... tell me
if I'm wrong ;o)
I will try to install this tool. But I don't know exactly what it
will do... will it provide me with another shell? A shell with which I
can only access the home directory? Can I then assign this shell to my
users? Or how can I then define in which directory these users are
jailed? Thank you very much for your help...
regards dino
Alexander Dalloz 2004-01-23, 7:27 pm
On Sun, 04 Jan 2004 04:51:58 +0100 Dino wrote:
> Alexander Dalloz wrote:
>
> I saw your signature down on this message, and I think I can talk in
> German??? If not I will rewrite the following in English... tell me
> if I'm wrong ;o)
>
> I will try to install this tool. But I don't know exactly what it
> will do... will it provide me with another shell? A shell with which I
> can only access the home directory? Can I then assign this shell to my
> users? Or how can I then define in which directory these users are
> jailed? Thank you very much for your help...
>
> regards dino
Yes, I speak German. Though I call it unfriendly to speak German in an
English speaking Usenet group, as not all can follow the discussion.
"Instead of just a single anon user, scponly supports configuring
potentially many users, each of which could be set up to provide
access to distinct directory trees. Aside from the installation details
(see INSTALL), each of these users would have their default shell in
/etc/passwd set to "/usr/local/sbin/scponly" (or wherever you choose to
install it). This would mean users with this shell can neither login
interactively nor execute commands remotely. They can however, scp files in
and out, governed by the usual Unix file permissions."
This is a quote from the scponly website. I do not use this tool myself,
but the description sounds clear to me.
A posting on the mailing list of the program with the subject "RH9 scponly
3.9" from December 2003:
"Just installed 3.9 onto my server. Used the RH9 make jail script and it all
works fine. It has also enabled me to solve the problem I had with having
one chrooted environment for multiple users with different rwx permissions
for each user.
Thanks for that!"
If you have further questions you would like to discuss in German, feel free to
mail me at my given address.
Regards
Alexander
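An added example, not code from the thread or from the scponly project: a small POSIX shell audit of the /etc/passwd setup the quote above describes, listing which accounts have scponly as their login shell, whether that shell is registered in /etc/shells, and which accounts are still unconfined. The install path /usr/local/sbin/scponly is taken from the quote; the passwd and shells files are constructed samples, and both paths are parameters so the check can be pointed at copies of the real files.

```shell
#!/bin/sh
# Added example, not code from the thread or from scponly.
# Audits which accounts in a passwd file use scponly as their login shell
# and whether that shell is registered in a shells file. Both paths are
# parameters, so the functions can be run against copies or the sample
# files constructed below.

# Install path assumed from the scponly quote in the thread.
SCPONLY=/usr/local/sbin/scponly

# Writes constructed sample passwd and shells files into directory $1.
make_sample_files() {
  cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
dino:x:501:501:Dino:/home/dino:/usr/local/sbin/scponly
alex:x:502:502:Alex:/home/alex:/bin/bash
uploads:x:503:503:Upload box:/home/uploads:/usr/local/sbin/scponly
EOF
  cat > "$1/shells" <<'EOF'
/bin/sh
/bin/bash
EOF
}

# Prints "user home status" for every account whose shell is scponly.
# status is OK when the shell is listed in the shells file, otherwise
# UNREGISTERED (chsh, for one, refuses a shell missing from /etc/shells).
audit_scponly_users() {
  passwd_file=$1 shells_file=$2
  while IFS=: read -r user _pw _uid _gid _gecos home shell; do
    [ "$shell" = "$SCPONLY" ] || continue
    if grep -qx "$SCPONLY" "$shells_file"; then status=OK; else status=UNREGISTERED; fi
    printf '%s %s %s\n' "$user" "$home" "$status"
  done < "$passwd_file"
}

# Prints accounts that still have an interactive shell, i.e. anything other
# than scponly or the usual nologin/false shells, so you can see who is
# not confined at all.
unconfined_users() {
  while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
    case "$shell" in
      "$SCPONLY"|*/nologin|*/false|"") ;;
      *) printf '%s\n' "$user" ;;
    esac
  done < "$1"
}
# On a live system the shell is assigned with usermod, e.g.:
#   usermod -s /usr/local/sbin/scponly dino
```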
Hello folks...
For all people interested in this topic:
scponly works fine with RH9.
Cheers, dino