LinuxQuestions.org
Old 03-23-2005, 10:02 AM   #1
mazza76
LQ Newbie
 
Registered: Mar 2005
Location: London
Posts: 4

Rep: Reputation: 0
sftp


Hi

Is there a way of hardening sftp as it appears I can navigate to any directory I wish. I have tried to create a chroot sftp session (patching the sftp-server) but it just hangs and there are no obvious error messages.

It seems as though sftp doesn't refer to the underlying directory permissions, unless of course I am doing something stupid.

Any suggestions would be appreciated.
 
Old 03-24-2005, 08:56 AM   #2
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
If you don't have the need to provide shell access, rssh and scponly are two quick utilities for setting up a chroot'd environment.

Last edited by stickman; 03-24-2005 at 09:25 AM.
 
Old 03-24-2005, 10:14 AM   #3
mazza76
LQ Newbie
 
Registered: Mar 2005
Location: London
Posts: 4

Original Poster
Rep: Reputation: 0
I've already restricted shell access, but when sftp'ing I can still navigate around the filesystem.
 
Old 03-24-2005, 12:02 PM   #4
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Just for clarification, which type of sftp are you using: FTP over SSL or SSH-based?
 
Old 03-24-2005, 09:13 PM   #5
NetSnake
LQ Newbie
 
Registered: Sep 2004
Location: China
Distribution: Debian 3.0r2 unstable
Posts: 28

Rep: Reputation: 15
I may have an alternative to your approach:
Make a new shell like this:

#!/bin/sh
# Wrapper login shell: start bash inside the /usr/chroot jail
/usr/sbin/chroot /usr/chroot /bin/bash

Name it /bin/chrootsh and make it executable.
Then change the login shell of the user whose access you want to limit to this new shell,
like this:
cat /etc/passwd
mike:x:129:129::/home/mike:/bin/chrootsh

OK, don't worry about where Mike logs in from, local login or ssh login; he will be limited to the /usr/chroot directory.

The directory /usr/chroot must have enough binary commands, just like any other chroot setup.
 
Old 03-24-2005, 09:22 PM   #6
NetSnake
LQ Newbie
 
Registered: Sep 2004
Location: China
Distribution: Debian 3.0r2 unstable
Posts: 28

Rep: Reputation: 15
I'm sorry, I forgot one thing:
the command /usr/sbin/chroot must be set SUID.
Maybe dangerous.
 
Old 03-29-2005, 03:34 AM   #7
mazza76
LQ Newbie
 
Registered: Mar 2005
Location: London
Posts: 4

Original Poster
Rep: Reputation: 0
Hi guys

stickman - I have been trying to get ssh-based sftp to work.
netsnake - I have been unable to get chroot to work with the sftp-server executable. The chroot environment works well with vsftp though.
 
Old 03-30-2005, 02:18 AM   #8
mazza76
LQ Newbie
 
Registered: Mar 2005
Location: London
Posts: 4

Original Poster
Rep: Reputation: 0
Re the sftp directory browsing - I was being dense. I had SUID'ed the sftp-server (while I was trying to sort out chrooting the sftp session) and that caused the issue.

I still haven't been able to create a chrootable sftp-server daemon though.....
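The cause found in post #8 (a setuid bit left on sftp-server) and the SUID chroot caveat from post #6 can both be checked with a small audit script. This is an added example, not part of the original thread; the function name check_suid and its output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report set-id bits on binaries that are meant to run with
# the caller's own privileges (sftp-server, chroot). A setuid-root
# sftp-server makes every file operation run as root, so directory
# permissions no longer restrict the session.

# check_suid PATH...
# Prints one line per path: SETUID/SETGID (with numeric owner uid), OK, or SKIP.
# Returns 1 if any path carries a set-id bit, 0 otherwise.
check_suid() {
    found=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "SKIP $f (not present)"
            continue
        fi
        # Numeric owner uid; uid 0 means the binary would run as root.
        owner=$(ls -ldn "$f" | awk '{print $3}')
        flagged=0
        if [ -u "$f" ]; then
            echo "SETUID $f owner_uid=$owner"
            flagged=1
        fi
        if [ -g "$f" ]; then
            echo "SETGID $f owner_uid=$owner"
            flagged=1
        fi
        if [ "$flagged" -eq 1 ]; then
            found=1
        else
            echo "OK $f"
        fi
    done
    return "$found"
}

# Run against the paths given on the command line, e.g. /usr/sbin/chroot and
# wherever your distribution installs sftp-server (location varies; pass it
# explicitly). With no arguments the script only defines the function.
[ "$#" -eq 0 ] || check_suid "$@"
```

A flagged binary can be returned to normal mode with chmod u-s (and g-s) once nothing depends on the bit.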
 
Old 04-08-2005, 05:13 PM   #9
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 47
As stickman pointed out -- scponly is what you're looking for.
 
  

