Have a look at scponly http://sublimation.org/scponly/wiki/index.php/Features. Never used it myself though.
scp is in the FreeBSD ports (shell category).
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
I have installed scponly and given it a shot. It's odd. Not really what I'm looking for. It creates all kinds of strange directories, like a miniature filesystem, and can't be applied to pre-existing users. I really just want to make them not be able to jump up a directory.
I guess this would be alright if it were possible to chdir the user into some nice clean directory where they didn't have all that excess stuff? My users are simple folk and all that mess will cause me phone calls I don't want.
Last edited by Weaseal; 16th May 2008 at 11:51 PM. Reason: I felt like it
The way I currently handle this is I build a FBSD jail specifically for the shell users, and I give them scponly shells. Finally, I "chmod go-rwx" each of their home directories. The worst they can do is navigate around the jail, and they can't access any home directory apart from their own.
__________________
Kill your t.v.
Hmmm.. what are the users supposed to do after login? If all they can do is take and put files, I would restrict the shell altogether.
You can try configuring the /etc/ttys file. You can put a shell script or a program there that will be launched after login. Some time ago I saw a script proposed in one book. This script was made as a menu and meant to run after login. This menu contained just a few apps - no shells. After all, if you have secured the sensitive information well enough by means of groups and permissions, it should be ok for users to walk around. They will find nothing interesting for them.
Hello, I'd suggest the built-in chroot() functionality in openssh-portable-5.0.p1 - I don't think there is better solution.
I don't know about the internals of scp, but I assume on a connection attempt the usual user shell is executed before any access to files is granted?
However, you might want to consider using bash's restricted option (rbash), which disallows changing directory at all and additionally adds some other nice possibilities. Another idea would be shells/ibsh.