Mailinglist Archive: opensuse-security (320 mails)

< Previous Next >
Re: [suse-security] SSH and CHROOT alternatives...
  • From: jonathanneto@xxxxxxxxxxx
  • Date: Thu, 22 May 2003 12:54:07 -0300 (BRT)
  • Message-id: <57289.10.0.1.3.1053618847.squirrel@xxxxxxxxxxxxxxxx>
Hi,

I never did what you mean but here is what I have in mind.
The problem with chroot with ssh (if it really can be run this way), seems
to be that the users could not access /bin /usr/bin,etc
so they can not even list files using ls. Of course you can copy this
directories to the chrooted directory.
To access the home you could use a workaround
mounting the homes with nfs and using iptables to allow only localhost to
use nfs at all.

I think the easiest way is to get another machine just for ssh, and mount
the home using nfs as soon as user logs in.
You can also replace nfs for another network file system like samba.

You can also forget about chroot and treat with the filesystem
permission, puttin 700 mode on the directories you dont want users to
access. Eg. you can let users access /usr, but not /var.
In this case care must be taken on directories like /etc.

Hope it helps

Regards
Jonathan

> Howdoo all,
>
> I've been looking at trying to secure SSH sessions so that specified
users
> can
> only browse their home diretories.
>
> I've found a couple of bodges that can be made to do the trick, but none of
> them seem particulalry ideal.
>
> Has anyone got any suggestions on how I could secure SSH in this
fashion,
> whether using CHROOT or something else entirely I don't mind.
>
> Cheers.
>
>
>
> ----~~~~==oOo==~~~~----
> Duncan Carter
> ----~~~~==oOo==~~~~----
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>
>




< Previous Next >