secure ssh, how to keep user in his directory

I want to create an account with FTP and ssh capability.
How can I set it so user can not cd to other directories?
OS: Linux (Red Hat)

Nav444Author Commented:
I did some research, and it seems that I should use ssh-dummy-shell in order to do this. My ssh was installed with Red Hat a long time ago, and I do not have an ssh-dummy-shell in the bin directory!! What should I do?

Please help,
I really appreciate it.

I see that that command is part of the commercial SSH package; Red Hat (and most Linuxen) use OpenSSH, which does not come with this command.

However, there are other mechanisms you can use, depending on what exactly your goal is.

As your post suggests, if you're just worried about a user "cd"ing out of his homedir, you can give him a restricted shell (rsh/rbash/rksh as examples) and limit his $PATH to a directory with a set of allowed commands so he can't run anything you don't want him to run, and so he can't change directory.

If you wanted him to be more confined, so that there is no way for him to see the rest of the filesystem at all, you'd want to 'chroot' him into his homedir; this can be done with PAM modules (pam_chroot), or, I think there are some special shells floating around that can do this.
man chroot

then use /usr/bin/chroot as login shell in /etc/passwd
Keep in mind that you need to configure your system to work with chroot, see man-page

Are you sure that would work? First of all 'chroot' requires arguments, it doesn't do anything without telling it into what directory you wish to chroot -- so you would need to use it in a script that provides the home directory as the argument.

Secondly, only the superuser can chroot, and the user's login shell is run as that userid, not as root.
Nav444Author Commented:
Please give me little more detail. I tried to setup a chroot, but was not successful!!
I do not know about PAM.

You could try to give the user rbash as shell.

Here is the extremely complicated invocation of rbash: "/bin/bash --restricted"

Ok, it's not the most secure thing in the world, but for a simple application it should do.
What's your purpose ?
It's a unix box, so if you want the users to run even basic commands with their shell accounts they need binaries like ls, cp, etc. with their shared libraries, they need some files in /dev, ...

So they need to access these files, and whether they can cd into these public directories or not is not the problem.

If you want to prevent them from accessing some other parts of the filesystem they don't need, configure the permissions accordingly.

This is for a shell account with ssh as you asked, for ftp only it makes sense to restrict the users to their home directory and how to do this depends upon which ftp server you're using.

If you're really willing to restrict the users with a shell account in their directories you need chroot jails, with all the stuff they could need installed there, which will be a pain to maintain, as you'll have to add the least binary when someone asks.

Unless maybe for shell accounts with a very specific and predefined purpose with a limited set of commands available ? Like ls/cp/rm/mv/editor ?

I don't know rbash, but I don't see limiting the commands which can be run from a shell as a serious security system.

If rbash is not enough and you need to build real jails, you can have a look at makejail at which makes it easier (I'm the author) basically it automatizes most of the process described in chrooting howtos.

> Please give me little more detail. I tried to setup a
> chroot, but was not successful!!
> I do not know about PAM.

The user should land in the chroot once he's logged in, which means something a bit complex with something like a root suid binary /bin/shell_user1 (defined as the shell for user1 in /etc/passwd), compiled from a short C program which executes the chroot commands and changes its uid/gid from root to user1.
So the problem is not with PAM because the chroot trick occurs once the user is logged in (unless each user has its sshd and ftpd daemons in his own chroot !)

But I wonder why you'd really need such a thing first.
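A sketch of the kind of setuid-root login-shell wrapper the comment above describes, added here as an example (it is not code from the post or from makejail). The function name `enter_jail` is hypothetical, and the example assumes the jail is the user's home directory and already contains its own /bin/sh with the libraries it needs.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the calling process to `jail` and permanently drop root.
 * Returns 0 on success, -1 on any failure (the caller must then exit). */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                  /* never "drop" to root */
    if (chdir(jail) != 0 || chroot(".") != 0)
        return -1;                  /* needs root; cwd is now the new / */
    /* Order matters: groups first, then gid, then uid. After setuid()
     * the process can no longer change its groups or gid. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible before running anything. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return -1;
    return 0;
}

int main(void)
{
    /* In a setuid-root binary the real uid is still the logged-in user.
     * Look the user up before chroot(), while /etc/passwd is reachable. */
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) {
        fprintf(stderr, "unknown user\n");
        return 1;
    }
    if (enter_jail(pw->pw_dir, pw->pw_uid, pw->pw_gid) != 0) {
        perror("enter_jail");
        return 1;
    }
    /* Assumption: the jail holds /bin/sh; start it with a minimal
     * environment instead of inheriting the caller's. */
    char *const argv[] = { "-sh", NULL };
    char *const envp[] = { "PATH=/bin", "HOME=/", NULL };
    execve("/bin/sh", argv, envp);
    perror("execve");
    return 1;
}
```

The wrapper fails closed: if any step returns an error it exits without starting a shell, so a misconfigured jail never leaves the user in an unconfined or still-privileged session.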
