secure ssh, how to keep user in his directory

Posted on 2003-03-06
Medium Priority
Last Modified: 2010-04-22
I want to create an account with FTP and ssh capability.
How can I set it so the user cannot cd to other directories?
OS: Linux (Red Hat)
Question by:Nav444

Author Comment

ID: 8085130
I did some research, and it seems that I should use ssh-dummy-shell in order to do this. My ssh was installed with Red Hat a long time ago, and I do not have an ssh-dummy-shell in the bin directory! What should I do?

Please help,
I really appreciate it.


Expert Comment

ID: 8086459
I see that that command is part of the commercial SSH package; Red Hat (and most Linuxen) use OpenSSH, which does not come with this command.

However, there are other mechanisms you can use, depending on what exactly your goal is.

As your post suggests, if you're just worried about a user "cd"ing out of his homedir, you can give him a restricted shell (rsh/rbash/rksh as examples) and limit his $PATH to a directory with a set of allowed commands so he can't run anything you don't want him to run, and so he can't change directory.

If you wanted him to be more confined, so that there is no way for him to see the rest of the filesystem at all, you'd want to 'chroot' him into his homedir; this can be done with PAM modules (pam_chroot), or, I think there are some special shells floating around that can do this.

Expert Comment

ID: 8087318
man chroot

then use /usr/bin/chroot as login shell in /etc/passwd
Keep in mind that you need to configure your system to work with chroot, see man-page


Expert Comment

ID: 8090676

Are you sure that would work? First of all, 'chroot' requires arguments; it doesn't do anything without telling it into what directory you wish to chroot -- so you would need to use it in a script that provides the home directory as the argument.

Secondly, only the superuser can chroot, and the user's login shell is run as that userid, not as root.

Author Comment

ID: 8090770
Please give me a little more detail. I tried to set up a chroot, but was not successful!
I do not know about PAM.


Expert Comment

ID: 8101964
You could try to give the user rbash as shell.

Here is the extremely complicated invocation of rbash: "/bin/bash --restricted"

Ok, it's not the most secure thing in the world, but for a simple application it should do.

Accepted Solution

alain_tesio earned 200 total points
ID: 8111159
What's your purpose?
It's a Unix box, so if you want the users to run even basic commands with their shell accounts they need binaries like ls, cp, etc. with their shared libraries, they need some files in /dev, ...

So they need to access these files, and whether they can cd into these public directories or not is not the problem.

If you want to prevent them from accessing some other parts of the filesystem they don't need, configure the permissions accordingly.

This is for a shell account with ssh as you asked, for ftp only it makes sense to restrict the users to their home directory and how to do this depends upon which ftp server you're using.

If you're really willing to restrict the users with a shell account to their directories you need chroot jails, with all the stuff they could need installed there, which will be a pain to maintain, as you'll have to add the least binary when someone asks.

Unless maybe for shell accounts with a very specific and predefined purpose with a limited set of commands available ? Like ls/cp/rm/mv/editor ?

I don't know rbash, but I don't see limiting the commands which can be run from a shell as a serious security system.

If rbash is not enough and you need to build real jails, you can have a look at makejail at http://www.floc.net/makejail which makes it easier (I'm the author); basically it automates most of the process described in chrooting howtos.

> Please give me little more detail. I tried to setup a
> chroot, but was not successful!!
> I do not know about PAM.

The user should land in the chroot once he's logged in, which means something a bit complex with something like a root suid binary /bin/shell_user1 (defined as the shell for user1 in /etc/passwd), compiled from a short C program which executes the chroot commands and changes its uid/gid from root to user1.
So the problem is not with PAM because the chroot trick occurs once the user is logged in (unless each user has its sshd and ftpd daemons in his own chroot !)

But wonder why you'd really need such a thing first.
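
The setuid-root login wrapper described in the accepted answer, as an added example (not code from the original post or from makejail). The jail path `/home/jail` and the function names `jail_dir_ok` and `enter_jail` are assumptions; the binary is assumed to be installed setuid root and set as the user's shell in /etc/passwd.

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* A jail root must be a directory owned by `owner` (0 in production) and not
 * writable by group or others, or the jailed user could plant files in it. */
int jail_dir_ok(const char *path, uid_t owner)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid == owner && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Enter the jail, then give up root for good. Order matters: chroot needs
 * root; supplementary groups and gid must be dropped before the uid. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)           /* never jail "as root" */
        return -1;
    if (chdir(jail) != 0 || !jail_dir_ok(".", 0))
        return -1;                      /* check the directory we are in */
    if (chroot(".") != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return -1;                      /* fail closed if root is regainable */
    return 0;
}

int main(void)
{
    /* Real uid is the user who logged in; "/home/jail" is hypothetical. */
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || enter_jail("/home/jail", pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "jail setup failed\n");
        return 1;
    }
    char *const argv[] = { "-sh", NULL };
    char *const envp[] = { "PATH=/bin", "HOME=/", NULL };  /* clean environment */
    execve("/bin/sh", argv, envp);      /* resolves to /bin/sh inside the jail */
    return 1;
}
```

The jail must already contain /bin/sh and the shared libraries it needs, as the answer points out.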
