[opensuse] sftp, howto chroot users to their home directories
Hello,

I set up secure ftp by editing sshd_config and tried using 'sftp' to log in, but found that I am not locked into my home dir. How can I chroot users into their home dir's sftp or an sftp client? On another note, is there an sftp server that folks recommend?

Thank you,

James
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Thu, Aug 28, 2008 at 1:14 PM, James D. Parra <Jamesp@musicreports.com> wrote:
Hello,
I set up secure ftp by editing sshd_config and tried using 'sftp' to log in, but found that I am not locked into my home dir. How can I chroot users into their home dir's sftp or an sftp client? On another note, is there an sftp server that folks recommend?
Thank you,
Sftp is an ssh connection. Once they have an ssh connection they can access anything that they could access if they were signed in locally. They can download anything they can see. So you have to manage it with permissions.

However, it sounds to me like you are up the wrong tree barking. If you want FTP use FTP. You actually have more control with a typical ftp server. If you wouldn't trust them to ssh into your server you shouldn't allow them to sftp into the server.

--
----------JSA---------
Someone stole my tag line, so now I have this rental.
----- Original Message ----- From: "John Andersen" <jsamyth@gmail.com> Cc: "Suse (E-mail)" <opensuse@opensuse.org> Sent: Thursday, August 28, 2008 7:47 PM Subject: Re: [opensuse] sftp, howto chroot users to their home directories
On Thu, Aug 28, 2008 at 1:14 PM, James D. Parra <Jamesp@musicreports.com> wrote:
Hello,
I set up secure ftp by editing sshd_config and tried using 'sftp' to log in, but found that I am not locked into my home dir. How can I chroot users into their home dir's sftp or an sftp client? On another note, is there an sftp server that folks recommend?
Thank you,
Sftp is an ssh connection. Once they have ssh connection they can access anything that they could access if they were signed in locally.
They can download anything they can see. So you have to manage it with permissions.
However, it sounds to me like you are up the wrong tree barking.
If you want FTP use FTP. You actually have more control with a typical ftp server. If you wouldn't trust them to ssh into your server you shouldn't allow them to sftp into the server.
What? Of course you can chroot an sftp user and of course you can make a user that can only sftp and nothing else, not even get a login via ssh. I've been doing so for years, and on several OS's let alone linux. It's merely easier with ftp since there are point and drool options right in yast.

I've been doing this: http://chrootssh.sourceforge.net/docs/chrootedsftp.html for years and years, on sco open server, linux, freebsd, solaris.

But today you don't even have to do that. Just get the latest openssh from source (which means probably updated versions of several libraries it depends on too) and use the new built-in ChrootDirectory feature.

I think there needs to be a new acronym RTFGR (... google results)

A reasonable question for here would have been does anyone know of a pre-built opensuse rpm of openssh that's new enough to include the new feature, or does anyone have a simplified, opensuse specific recipe for updating openssh to the latest source version.

Google again tells you in far less time and with far more authority than waiting for responses from a mail list, that opensuse 11.0 uses openssh 5.0 already, and so, no hackery required. Not only don't you need source, you don't even need to use a factory or build-service repo, just plain old stock opensuse 11.0.

Then if the regular docs aren't simple enough, this dude made a not exactly great, but, simple and working recipe to follow here. Install opensuse 11.0 or at least the openssh from opensuse 11.0, then go here and skip to step 7. http://adamsworld.name/chrootjail5.php Then run "rcsshd restart" before trying to test.

I just did it on a stock opensuse 11.0 box in about 3 minutes and before this moment I wasn't even aware that the feature had been built in to openssh (finally!) nor that any version of opensuse had the new enough version already, nor even if any opensuse rpm existed anywhere let alone in the stock repo.

Brian K. White brian@aljex.com http://www.myspace.com/KEYofR
+++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
filePro BBx Linux SCO FreeBSD #callahans Satriani Filk!
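The built-in ChrootDirectory setup that Brian's post points at, as an added example that is not part of this thread, nor the openSUSE or OpenSSH project's own documentation. The script emits the sshd_config Match block that confines members of a group to a per-user chroot and restricts them to the in-process sftp server, and it checks the chroot path for the two conditions sshd enforces before it will honour ChrootDirectory: every path component owned by root and none of them group- or world-writable (otherwise the login fails with a "bad ownership or modes for chroot directory" error). The group name sftponly, the path /srv/sftp/%u and the owner-uid parameter of the check are assumptions chosen for this example; stat -c is GNU coreutils syntax, as found on openSUSE.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the sshd_config Match block for
# sftp-only users and checks the chroot path the way sshd does before it
# will honour ChrootDirectory: every component must be owned by root and
# must not be group- or world-writable. Group "sftponly" and the path
# /srv/sftp/<user> are hypothetical names chosen for this example.

# Print the configuration fragment to append to /etc/ssh/sshd_config.
# internal-sftp keeps the session inside sshd, so the chroot needs no
# /bin/sh, shared libraries or sftp-server binary of its own.
sftp_chroot_config() {
    cat <<'EOF'
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Return 0 if every component of directory $1 is owned by uid $2
# (default 0, i.e. root, which is what sshd requires) and carries no
# group/other write bit; otherwise report the offending component and
# return 1. A relative path is walked only down to the current directory,
# an absolute one all the way up to /.
check_chroot_path() {
    dir=$1
    want_uid=${2:-0}
    while [ -n "$dir" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir" >&2
            return 1
        fi
        uid=$(stat -c '%u' "$dir")
        # Zero-pad so a mode such as 755 becomes 0755 and 1777 stays 1777;
        # the last two digits are the group and other permission digits.
        mode=$(printf '%04d' "$(stat -c '%a' "$dir")")
        low=$(printf '%s' "$mode" | tail -c 2)
        g=${low%?}
        o=${low#?}
        if [ "$uid" != "$want_uid" ]; then
            echo "bad owner (uid $uid, want $want_uid): $dir" >&2
            return 1
        fi
        if [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
            echo "group/world writable (mode $mode): $dir" >&2
            return 1
        fi
        dir=$(dirname "$dir")
    done
    return 0
}
```

Because the chroot directory itself must stay root-owned, the user's writable area is a subdirectory inside it (for example /srv/sftp/alice/upload owned by alice). Run `sshd -t` to syntax-check the configuration before the `rcsshd restart` the post mentions; the owner-uid argument to `check_chroot_path` exists only so the check can be exercised on a non-root test tree, in production it is left at the root default.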
Hi! On Friday 29 August 2008 John Andersen wrote:
On Thu, Aug 28, 2008 at 1:14 PM, James D. Parra <Jamesp@musicreports.com> wrote:
I set up secure ftp by editing sshd_config and tried using 'sftp' to log in, but found that I am not locked into my home dir. How can I chroot users into their home dir's sftp or an sftp client? On another note, is there an sftp server that folks recommend?
If you want FTP use FTP. You actually have more control with a typical ftp server. If you wouldn't trust them to ssh into your server you shouldn't allow them to sftp into the server.
vsftpd always worked fine for me and is part of openSUSE.

--
Matthias Bach
www.marix.org
"The only way of discovering the limits of the possible is to venture a little way past them into the impossible." - Arthur C. Clarke