Secure File Transfer & Jailed user accounts

Bryan.ONeal at asu.edu
Fri Aug 26 18:02:01 MST 2005


I am using ssh & sftp now, and FileZilla is handling sftp quite well
(http://sourceforge.net/projects/filezilla/). However, the users can just keep
going up the chain; I want to ensure that a user can never go beyond their home
directory.  Hence the chroot jail approach.  Is there another way to restrict
sftp access to a home directory?

In addition, is there a way I can allow sftp access, but not shell access (as
all but about three of the remote users will ever need shell access)?



Quoting "der.hans" <PLUGd at LuftHans.com>:

> On 26 Aug 2005, Bryan.ONeal at asu.edu chattered:
> 
> > Ok at this point I am willing to do anything, including wiping out my OS and
> > starting from scratch.
> >
> > I need a way for users to access my box in a secure manner and upload / download
> > files.  But I also need to ensure that those users can never navigate above
> > their home directory (I will have several users set to the same home)
> >
> > I cannot get chroot to work for the life of me!
> 
> It's a good idea, but it's not necessary.
> 
> I'd suggest looking into a restricted shell. For instance, there's rbash
> ( look for it in the bash man page ).
> 
> I'm worried about one part, though.
> 
> ###
>        When a command that is found to be a shell script is executed (see
>        COMMAND EXECUTION above), rbash turns off any restrictions in the
>        shell spawned to execute the script.
> ###
> 
> So you just need to be able to write shell scripts to get around the
> restrictions?
> 
> Hopefully sftp can be configured to do what you're wanting.
> 
> apt-cache search for filezilla returns nothing, so I don't know if
> FileZilla can handle sftp. At least a few GUIs can.
> 
> ciao,
> 
> der.hans
> -- 
> #  https://www.LuftHans.com/    http://www.AZOTO.org/
> #  "Communications without intelligence is noise;
> #  Intelligence without communications is irrelevant."
> #  Gen. Alfred. M. Gray, USMC


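Added example, not part of the original thread: on an OpenSSH server recent enough to support the ChrootDirectory option and the internal-sftp subsystem, both questions above (confine sftp to one directory, no shell) are handled in sshd_config, and the usual reason the chroot then "does not work" is that sshd rejects a chroot path with loose ownership or permissions. The script below checks that rule; the group name "sftponly", the path /srv/sftp/shared and the function name check_chroot_path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The sshd_config stanza it supports,
# with a hypothetical group "sftponly" and hypothetical shared directory:
#
#   Subsystem sftp internal-sftp
#   Match Group sftponly
#       ChrootDirectory /srv/sftp/shared
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#       X11Forwarding no
#
# sshd only accepts the chroot if every path component is a directory owned
# by root and not writable by group or other. check_chroot_path applies that
# rule to DIR and each parent up to TOP, reporting every violation.

# check_chroot_path DIR [OWNER_UID] [TOP]
#   OWNER_UID defaults to 0 (what sshd requires); TOP defaults to /.
#   The optional arguments exist so the check can be exercised on a scratch
#   tree without root. Returns 0 if all components pass, 1 if any fails,
#   2 if DIR or TOP cannot be resolved.
check_chroot_path() {
    dir=$1 want_uid=${2:-0} top=${3:-/}
    d=$(cd "$dir" 2>/dev/null && pwd -P) || { echo "no such directory: $dir" >&2; return 2; }
    top=$(cd "$top" 2>/dev/null && pwd -P) || return 2
    rc=0
    while :; do
        # ls -ldn prints: mode links uid gid ... (numeric ids)
        set -- $(ls -ldn -- "$d")
        case $1 in
            d????-??-*) ;;   # directory, group-write and other-write both off
            *) echo "bad mode $1 on $d" >&2; rc=1 ;;
        esac
        [ "$3" = "$want_uid" ] || { echo "uid $3 owns $d (want $want_uid)" >&2; rc=1; }
        [ "$d" = "$top" ] || [ "$d" = / ] && break
        d=$(dirname "$d")
    done
    return $rc
}
```

Because the chroot directory itself must stay root-owned and non-writable, uploads go into a user-writable subdirectory created inside it.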