ssh restrictions
Forgive my ignorance; I'm sure this will have been mentioned already, tucked away somewhere.
I have done a few searches, but it's knowing what to search for in these situations with regards to terminology. I have sewn up the ftp by restricting users to only allow access to home folders. Is there a way to do the same with ssh accounts? It seems a standard test user can traverse the directories. Granted they cannot commit any nasty commands, but it would be great to limit them to their designated areas?
Regards, Pico

I had a look into sshd_config and couldn't see any mechanism for confining the user to a specified folder or area.
Maybe OpenBSD does not have any way of doing this? It may be of the opinion that users should be allowed to look around directory structures and the admin must implement the necessary precautions to stop any tinkering by users? It would be great to stop users seeing the contents of system folders etc. This may give an intruder a slightly harder time of breaking out of the account? My knowledge is very little on this subject, but I'm surprised a facility does not exist.
Regards, Pico

Thanks jggimi.
Which file should this information be added to?
Regards, Pico

These are server side configuration settings. They were added to /etc/ssh/sshd_config on the server I gave carpetsmoker access to.
Note that these were for sftp connectivity only. No shell access. For shell access, you would have to set up a complete chroot(8) environment, as discussed in the sshd_config(5) man page under ChrootDirectory. Let us review each of those configuration statements from above, and what they meant.
Code:
Match User carpetsmoker
ChrootDirectory /home/carpetsmoker
AllowTcpForwarding no
ForceCommand internal-sftp

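As an added example (not code from the thread, from jggimi, or from OpenBSD), a Python check for the configuration posted above: it confirms the user's Match block carries the three sftp-only settings and that the ChrootDirectory satisfies the ownership and mode rules sshd applies before it will chroot a session (root-owned and not group- or world-writable, for the directory and every parent). The parser is a deliberately simplified assumption (one criterion per Match line, no user lists), and the required_uid parameter exists only so the check can run without root.

```python
import os
import stat
from pathlib import Path

SFTP_ONLY = {"forcecommand": "internal-sftp", "allowtcpforwarding": "no"}  # sftp-only must-haves

def match_block(config_text, user):
    """{keyword: value} of the 'Match User <user>' block, or None if absent.
    Simplified (assumption): one criterion per Match line, no user lists."""
    block, inside = None, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":                    # any Match line ends the block
            inside = value.lower() == f"user {user.lower()}"
            block = {} if inside else block
        elif inside:
            block[key] = value
    return block

def sftp_only_problems(config_text, user):
    """List what the user's Match block lacks for chrooted sftp-only access."""
    block = match_block(config_text, user)
    if block is None:
        return [f"no 'Match User {user}' block"]
    problems = [f"{k} should be '{v}'" for k, v in SFTP_ONLY.items()
                if block.get(k) != v]
    if "chrootdirectory" not in block:
        problems.append("ChrootDirectory is not set")
    return problems

def chroot_problems(path, required_uid=0):
    """sshd's rule: ChrootDirectory and every parent must be root-owned and not
    group- or world-writable. required_uid only lets this run without root."""
    p = Path(path).resolve()
    problems = []
    for d in [p, *p.parents]:
        st = os.stat(d)
        if st.st_uid != required_uid:
            problems.append(f"{d}: owned by uid {st.st_uid}, not {required_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{d}: group- or world-writable")
    return problems

# Constructed sample: the Match block from the thread, indented as in a real file.
SAMPLE_CONFIG = ("Match User carpetsmoker\n    ChrootDirectory /home/carpetsmoker\n"
                 "    AllowTcpForwarding no\n    ForceCommand internal-sftp\n")
```

Run chroot_problems("/home/carpetsmoker") as root on the server itself to see why sshd would refuse the chroot; an empty list means the directory and its parents are acceptable.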
FYI
If you want to give shell access, you have a lot of work to do. Not just the device list per ssh_config(5), below, but also any programs and libraries that will be needed. Much of /bin, /usr/bin, /usr/lib, /usr/local/bin, /usr/local/lib will be needed, along with the appropriate shell and the /dev nodes described in the man page:

OK, sounds a very intricate affair.
I may give this one some thought, but it does sound rather involved.
Best Regards, Pico

No more than any other chrooted environment.
What you create with chroot(8) is a virtual filesystem structure -- it is not a virtual machine, but close enough to one from a filesystem perspective. Absolutely any file needed will need to be within that virtual filesystem. Every executable with shared libraries will need to be analyzed with ldd(1). Or, you can replicate the entire OS less those things you wish to keep private.