bearclaws75

How do I create an SSH account which restricts a user to a single directory?

I have several SVN repos on a Linux server. I want to provide a client with direct access to the server so they can run SVN updates on their files. However, I do not want them to see or have access to any other directories on the site (i.e. other clients' site files).

For instance, I want to create an account which allows the user "siteadmin" to access the "www.adminsite.com" files. When they connect to the server, I want to restrict their access to only this folder: /var/www/html/sites/adminsite_files/

Is there a way to do this (similar to restricting access on an FTP account)?
ASKER CERTIFIED SOLUTION
omarfarid
bearclaws75

ASKER

This looks like a promising script; however, I do not understand the instructions.

-------------------------------
To create a new chrooted account:
# make_chroot_jail.sh <Username> /path/to/chroot-shell /path/to/jail
-------------------------------

I'm not sure what to use as the "/path/to/chroot-shell". What is the "chroot-shell"?

Also, the script creates the <username> but it does not seem to create a password for this user. Does that need to be set later?

Thanks!
The page says that the last two are options. By default the 2nd argument assumes /bin/chroot-shell and the 3rd assumes /home/jail.

Looking at the script, it seems that it prompts for a password.

http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh.html

Can you explain why you want to do this? Maybe there is a better approach...

There is an ssh patch that can restrict users to their "home directory", so then you could just redefine the user's home dir to something other than /home/<user>.

omarfarid --> I understand that the command allows for options. I just don't know what path would be used here: "/path/to/chroot-shell".

arrkerr1024 --> I am doing this because I want to give server access to a 3rd party developer so that he can run "svn updates" on the working copy of his site. However, I do not want to give him root access or allow him to browse around the server (which contains files for other client sites). I want to restrict his access so that when he logs in, he will be isolated to this directory (/var/www/html/sites/adminsite_files/) ...and won't be able to navigate to other parent directories.

Rance_Hall --> can you explain what you mean by "SSH patch"?

Thanks for all of your help.

When you compile software from source, you can edit the source before you compile/install it so that it does more of what you want, instead of what the original author wrote.

Some of these "changes" become very popular and other people want to do the same thing, so a "patch" is created that has all the needed changes to add the new feature.

Download the source, patch the source with the patch file, and when you compile/install you get the new feature.

Now if you aren't comfortable with this idea, you have a couple of options. The script referenced here does work, but it's overkill if you can get the patch to work.

The other idea is that you can contact the maintainer of the sshd package for your distro and ask if the "sshd chroot" patch is already applied, or if it can be.

You don't have to specify it if you do not know the actual path.
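
OpenSSH 4.9 and later ship a built-in ChrootDirectory option, so current systems can jail an SSH user without a separate patch. The script below is an added example, not part of the thread or of make_chroot_jail.sh, and goes beyond the patch/script discussion: it checks the ownership rule sshd enforces on a chroot path, assuming GNU stat and the jail script's default path /home/jail.

```sh
#!/bin/sh
# Added example (not from the thread): audit a directory before naming it in
# sshd_config as ChrootDirectory. sshd rejects the login unless every component
# of the path is a root-owned directory that group and others cannot write.
#
# Stanza this check supports; "siteadmin" and /home/jail are the thread's
# example user and the jail script's default path:
#   Match User siteadmin
#       ChrootDirectory /home/jail
#       AllowTcpForwarding no
#       X11Forwarding no
# For an interactive session the jail must also hold a shell, the svn client
# and the libraries they need.

# component_ok UID MODE: succeed if that owner and octal mode are acceptable.
component_ok() {
    [ "$1" -eq 0 ] || return 1          # must be owned by root
    [ $(( 0$2 & 022 )) -eq 0 ]          # 020 = group write, 002 = other write
}

# check_chroot_path DIR: walk DIR and each parent up to /, report violations.
check_chroot_path() {
    path=$1
    case $path in
        /*) ;;
        *) echo "not an absolute path: $path" >&2; return 2 ;;
    esac
    rc=0
    while :; do
        if [ ! -d "$path" ]; then
            echo "FAIL $path: not a directory" >&2; rc=1
        else
            # GNU stat: numeric owner and octal mode, symlinks followed
            set -- $(stat -L -c '%u %a' "$path")
            component_ok "$1" "$2" ||
                { echo "FAIL $path: uid=$1 mode=$2" >&2; rc=1; }
        fi
        [ "$path" = / ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Usage: sh check_chroot.sh /home/jail
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Because the chroot root itself must not be writable by the jailed user, a working copy the user updates has to live in a user-writable subdirectory inside the jail rather than being the jail root.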