Nav444
secure ssh, how to keep user in his directory
Hi,
I want to create an account with FTP and ssh capability.
How can I set it so user can not cd to other directories?
OS: Linux (Red Hat)
Thanks
Nav
I see that that command is part of the commercial SSH package; Red Hat (and most Linuxen) use OpenSSH, which does not come with this command.
However, there are other mechanisms you can use, depending on what exactly your goal is.
As your post suggests, if you're just worried about a user "cd"ing out of his homedir, you can give him a restricted shell (rsh/rbash/rksh as examples) and limit his $PATH to a directory with a set of allowed commands so he can't run anything you don't want him to run, and so he can't change directory.
If you wanted him to be more confined, so that there is no way for him to see the rest of the filesystem at all, you'd want to 'chroot' him into his homedir; this can be done with PAM modules (pam_chroot), or, I think there are some special shells floating around that can do this.
man chroot
then use /usr/bin/chroot as login shell in /etc/passwd
Keep in mind that you need to configure your system to work with chroot, see man-page
ahoffmann,
are you sure that would work? First of all 'chroot' requires arguments, it doesn't do anything without telling it into what directory you wish to chroot -- so you would need to use it in a script that provides the home directory as the argument.
Secondly, only the superuser can chroot, and the user's login shell is run as that userid, not as root.
ASKER
Please give me a little more detail. I tried to set up a chroot, but was not successful!!
I do not know about PAM.
Thanks
You could try to give the user rbash as shell.
Here is the extremely complicated invocation of rbash: "/bin/bash --restricted"
Ok, it's not the most secure thing in the world, but for a simple application it should do.
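Added example, not part of any post in this thread: a script an administrator can run without root to check what "/bin/bash --restricted" refuses when $PATH points only at a directory of allowed commands, as the restricted-shell answers above describe. The function names (make_jail_bin, rsh_run, expect, check_restrictions) and the temporary directory are assumptions made for this demo.

```shell
#!/bin/sh
# Added example: restricted bash with PATH limited to a directory of allowed commands.
# All directory names are constructed for this demo; nothing here needs root.
BASH_BIN=$(command -v bash)

# make_jail_bin DIR CMD...: fill DIR/bin with symlinks to the allowed commands only.
make_jail_bin() {
    jb_dir=$1; shift
    mkdir -p "$jb_dir/bin" || return 1
    for jb_cmd in "$@"; do
        jb_target=$(command -v "$jb_cmd") || return 1
        case $jb_target in /*) ln -sf "$jb_target" "$jb_dir/bin/$jb_cmd" ;; *) return 1 ;; esac
    done
}

# rsh_run DIR SNIPPET: run SNIPPET in `bash --restricted` started in DIR with an
# empty environment and PATH=DIR/bin. Returns the snippet's exit status.
rsh_run() {
    ( cd "$1" && env -i HOME="$1" PATH="$1/bin" \
        "$BASH_BIN" --restricted --noprofile --norc -c "$2" ) >/dev/null 2>&1
}

# expect WANT DIR SNIPPET: WANT is "ok" or "denied"; records a mismatch in RSH_FAIL.
expect() {
    ex_got=denied
    rsh_run "$2" "$3" && ex_got=ok
    printf 'want=%-6s got=%-6s %s\n' "$1" "$ex_got" "$3"
    [ "$1" = "$ex_got" ] || RSH_FAIL=1
}

# check_restrictions DIR: returns 0 only if every expectation below holds.
check_restrictions() {
    RSH_FAIL=0
    expect ok     "$1" 'ls'                  # allowed command, found via PATH
    expect denied "$1" 'cd /'                # changing directory is refused
    expect denied "$1" '/bin/ls'             # command names containing / are refused
    expect denied "$1" 'PATH=/bin:/usr/bin'  # PATH is read-only
    expect denied "$1" 'echo x > out.txt'    # output redirection is refused
    expect ok     "$1" 'ls /'                # but allowed tools still read outside DIR
    [ "$RSH_FAIL" -eq 0 ]
}

demo_dir=$(mktemp -d) && make_jail_bin "$demo_dir" ls cat && check_restrictions "$demo_dir"
rm -rf "$demo_dir"
```

The last check passes because a restricted shell only limits the shell itself: every command placed in the allowed directory can still read the rest of the filesystem, which is the gap the chroot suggestion earlier in the thread is meant to close.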
ASKER
Please help,
I really appreciate it.
Nav