LinuxQuestions.org
Linux - Enterprise: This forum is for all items relating to using Linux in the Enterprise.
Old 01-10-2005, 08:16 AM   #1
vanibhat
LQ Newbie
Registered: Jul 2003
Posts: 13
Allowing only SFTP access


Hello

I want to restrict a few users to only have SFTP access (Linux Advanced Server 2.4). They should not be able to log in through SSH. I am sure there are a lot of ways of doing so. I think even with TCP Wrappers I would be able to restrict the users to SFTP only.

My concern is the security issue.
I am not sure if this is the way to do in the Production environment.

I appreciate if you can provide me some better ways to achieve this.


Thanks in advance
Vani
 
Old 01-10-2005, 08:25 AM   #2
hamish
Member
Registered: Aug 2003
Location: Edinburgh
Distribution: Server: Gentoo2004; Desktop: Ubuntu
Posts: 720
hey

two ways:

1. In your /etc/ssh/ssh_config or sshd_config, you can add a "DenyUsers" line, e.g.:

DenyUsers bob alex

2. Or, you could use SCP (and only let people use WinSCP or a similar programme). You can download and install the scponly shell (and then change the entry in /etc/passwd). This means that users do not have a shell which they can type in. They can only use SCP.

Maybe there is an SFTP shell as well.

Hamish
 
Old 01-12-2005, 07:46 AM   #3
wayneg76
LQ Newbie
Registered: Apr 2003
Distribution: RedHat 7.3, 8.0
Posts: 4
Hi there,

we have it with SCPONLY Shell up and running.

BUT: compile the scponly shell with --enable-chrooted-binary, which results in having a second executable, scponlyc.

Otherwise your users can browse over the complete system (wherever they have access of course). We stumbled upon this when we accessed our SCP Server from a Windows box with WinSCP.

There is a little program called scpjailer which sets up a complete scponly chrooted environment in conjunction with the scponly shell.

Works great and adds an extra level of security.

Greetings

Wayne
 
Old 01-16-2005, 10:26 AM   #4
hamish
Member
Registered: Aug 2003
Location: Edinburgh
Distribution: Server: Gentoo2004; Desktop: Ubuntu
Posts: 720
hello

i'm trying to set up chrooting, using scpjailer.

Does the user have to have all of the bin, etc, lib and so on folders in his home folder? I only ask because it makes it look cluttered!

Is there a way to put them somewhere else that they can still be accessed?

thanks
hamish

Last edited by hamish; 01-16-2005 at 10:29 AM.
 
Old 01-16-2005, 03:25 PM   #5
wayneg76
LQ Newbie
Registered: Apr 2003
Distribution: RedHat 7.3, 8.0
Posts: 4
Hi,

yes, he does need to have them. But scpjailer delivers an all-in-one library, busybox. It's in fact one executable which implements all the necessary libraries.

It looks cluttered but it is necessary. The scp user needs these to navigate through the file system and execute file operations. As you jailed the user in a directory, the user does not have access to the system libraries and executables anymore and needs his own below the jailed directory.

That's why there are the /bin, /etc, /lib etc. directories.

Greetings Wayne
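Added example (not from the thread and not scpjailer's own code): a small POSIX shell script that does what the explanation above describes, copying a program and the shared libraries ldd reports for it into a jail at the same paths, plus a check that reports anything still missing. After chroot(2) nothing outside the jail is reachable, which is why the bin/ and lib/ trees end up under the user's home. It assumes a Linux host with ldd and readlink -f (GNU or busybox); the jail and program paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example; not from the thread and not scpjailer's own code. Shows why
# an scponly-style jail needs bin/ and lib/ under the jailed directory: after
# chroot(2) nothing outside is reachable, so each program and every shared
# library it loads must be copied in. Assumes Linux with ldd(1) and
# readlink -f (GNU or busybox coreutils).

# Copy one file into the jail at the same absolute path. Symlinks are
# resolved so the jail gets the real file, and the link name is copied
# too, because the dynamic loader is opened by its link name.
_jail_copy() {
    jail=$1
    src=$2
    real=$(readlink -f "$src" 2>/dev/null || echo "$src")
    dest="$jail$real"
    mkdir -p "$(dirname "$dest")" || return 1
    [ -e "$dest" ] || cp "$real" "$dest" || return 1
    if [ "$real" != "$src" ] && [ ! -e "$jail$src" ]; then
        mkdir -p "$(dirname "$jail$src")" && cp "$src" "$jail$src" || return 1
    fi
    return 0
}

# Install program $2 (absolute path) into jail $1 together with the shared
# objects ldd reports for it. ldd lines look like
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f...)
#   /lib64/ld-linux-x86-64.so.2 (0x00007f...)
# so every word starting with / is a file to copy. A statically linked
# program makes ldd exit non-zero with no paths, which is handled.
jail_install() {
    jail=$1
    prog=$2
    [ -f "$prog" ] || { echo "no such file: $prog" >&2; return 1; }
    _jail_copy "$jail" "$prog" || return 1
    for w in $(ldd "$prog" 2>/dev/null); do
        case $w in
            /*) _jail_copy "$jail" "$w" || return 1 ;;
        esac
    done
    return 0
}

# Verify that every library $2 needs is present in jail $1. Prints the
# missing paths and returns 1 if any are absent; this is the check to run
# after a jail builder such as scpjailer, before trusting the jail.
jail_missing() {
    jail=$1
    prog=$2
    rc=0
    for w in $(ldd "$prog" 2>/dev/null); do
        case $w in
            /*) [ -e "$jail$w" ] || { echo "missing: $jail$w"; rc=1; } ;;
        esac
    done
    return $rc
}

# Usage (hypothetical paths): build a jail for user alice holding scp and
# a shell, then confirm nothing is missing.
#   jail_install /home/alice /usr/bin/scp
#   jail_install /home/alice /bin/sh
#   jail_missing /home/alice /usr/bin/scp && jail_missing /home/alice /bin/sh
```

The copied tree is exactly the clutter the previous post refers to: every jailed program plus its libraries under the user's home. It also shows why the warning in the later post about scpjailer being out of sync matters: a jail carries its own copies of libc and busybox, which nobody's package manager updates, so a jail built from old releases keeps old bugs.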
 
Old 01-16-2005, 03:27 PM   #6
hamish
Member
Registered: Aug 2003
Location: Edinburgh
Distribution: Server: Gentoo2004; Desktop: Ubuntu
Posts: 720
hey

thanks. It will have to do. Works well though.

hamish
 
Old 06-12-2005, 11:37 AM   #7
crtn
LQ Newbie
Registered: Jun 2005
Posts: 2
Be warned that the last release (0.3) of scpjailer is out of sync with the busybox/openssh/uclibc releases! This could easily be a security hole.

The build script _does_not_ work just by changing the versions in the script, but somebody (I'm trying, but I'm not too good at it) should attempt to fix it, since the upstream author (http://tjw.org/scpjailer/) appears to have abandoned maintenance for the time being.
 
Old 06-27-2005, 08:01 AM   #8
javaroast
Member
Registered: Apr 2005
Posts: 131
RSSH

I've been using RSSH, a restricted shell that allows SFTP and SCP. I chroot each of the users that I set up. Here's the link: http://www.pizzashack.org/rssh/index.shtml
 
Old 06-30-2005, 02:10 AM   #9
crtn
LQ Newbie
Registered: Jun 2005
Posts: 2
rssh v. scponly

rssh is fine, but see http://www.pizzashack.org/rssh/future.shtml

"As far as I'm concerned, rssh is done. Period. Barring any bugs found, that is... I will fix reported bugs as time allows. Development of this program is, however, anything but a priority for me right now."

scponly is still in active development.
 
All times are GMT -5.