#6
31st August 2009
nacredata
Port Guard
 
Join Date: May 2008
Posts: 12

I can relate my experience with one scenario where limiting access for some users is needed. I use the newish SSH capability to invoke an internal-sftp server in combination with the Match User directive in sshd_config, forcing the user to use this sftp instance in a chroot. I use this for allowing people access to the web root when we are working together on a web project, but they don't need access outside of the web root or full shell access.

Code:
AllowUsers ______
Subsystem sftp internal-sftp

Match User ______
    ForceCommand internal-sftp
    ChrootDirectory /var/www

# copied note from forum on how to make sure this works:
# This is quite simple really, it’s stat()ing the directory specified for 
# “ChrootDirectory” and all its parents up to / and checking that they are:
# 
#     * owned by root
#     * not group or other writable
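The note at the end of the post describes the check sshd performs before it will chroot a session: every directory from the ChrootDirectory up to / must be owned by root and must not be group- or other-writable. The script below is an added example (not from the post or from OpenSSH) that runs the same walk over a path so a misconfigured directory can be spotted before a user's login fails with a bare "bad ownership or modes for chroot directory" message. The `stat_fn` parameter is an assumption made for testability: in real use it defaults to `os.stat`, and the fake filesystem tables at the bottom are constructed sample data.

```python
"""Pre-flight check for an sshd ChrootDirectory.

For the given directory and each of its parents up to '/', confirm that it is
a directory, owned by root (uid 0), and not writable by group or others,
which is what sshd itself demands before chrooting an internal-sftp session.
"""
import os
import stat
from pathlib import PurePosixPath


def ancestors(path):
    """Yield the path itself and every parent up to '/' (/var/www, /var, /)."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        raise ValueError("ChrootDirectory must be an absolute path")
    yield str(p)
    for parent in p.parents:
        yield str(parent)


def check_chroot_path(path, stat_fn=os.stat):
    """Return a list of (directory, reason) problems.

    An empty list means every directory in the chain satisfies sshd's rules.
    stat_fn is normally os.stat; it is a parameter (an assumption for testing)
    so the logic can be exercised against a constructed filesystem table.
    """
    problems = []
    for d in ancestors(path):
        st = stat_fn(d)
        if not stat.S_ISDIR(st.st_mode):
            problems.append((d, "not a directory"))
            continue
        if st.st_uid != 0:
            problems.append((d, "not owned by root (uid %d)" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((d, "writable by group or others (mode %o)"
                             % stat.S_IMODE(st.st_mode)))
    return problems


class FakeStat:
    """Minimal stand-in for os.stat_result carrying only uid and mode."""

    def __init__(self, uid, perm):
        self.st_uid = uid
        self.st_mode = stat.S_IFDIR | perm


def fake_stat(table):
    """Build a stat_fn from a constructed {path: (uid, perm)} table."""
    return lambda p: FakeStat(*table[p])


# Constructed sample trees: one that sshd would accept, one it would reject.
GOOD_TREE = {"/": (0, 0o755), "/var": (0, 0o755), "/var/www": (0, 0o755)}
BAD_TREE = {"/": (0, 0o755), "/var": (0, 0o755), "/var/www": (1000, 0o775)}

if __name__ == "__main__":
    for name, tree in (("good", GOOD_TREE), ("bad", BAD_TREE)):
        found = check_chroot_path("/var/www", fake_stat(tree))
        print(name, "->", found or "ok")
    # Against the real filesystem: check_chroot_path("/var/www")
```

Run it against a real path with `check_chroot_path("/var/www")`; a non-empty result lists exactly which directory in the chain sshd will refuse and why. In the constructed "bad" tree, /var/www is owned by uid 1000 and is group-writable, which is the usual outcome of handing a web root to a developer group and then chrooting sftp users into it.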