LinuxQuestions.org
06-20-2006, 11:49 AM   #1
ctb123
LQ Newbie
 
Registered: Jun 2006
Posts: 4

chroot ssh/sftp on SuSE 9.2 Pro


I have inherited a server at work that is currently running SuSE 9.2 Professional and using sftp as the ftp protocol. Unfortunately, it is not configured to chroot the users into their home directories. I have found several tutorials/detailed explanations on how to create one, but they all involve moving users into a special directory and a lot of what I would call drastic changes to the system. This is currently a production system, and the more minimal the changes are the better. I have noticed that vsftpd supports the ability to chroot a user in their home dir. If I can redirect ssh to use it, that would be great. When I try to start the program it gives me the error:
Code:
500 OOPS: vsftpd: not configured for standalone, must be started from inetd
Any help would be great.

Thanks
Zach
 
06-20-2006, 02:27 PM   #2
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,937
Blog Entries: 5

ssh/sftpd and vsftpd are different things. You can use either but you can't have "ssh use vsftpd".

The message you're getting says that vsftpd is started from inetd (or maybe xinetd depending on your distro). This means that it only starts when an external connection is made to it as opposed to running all the time as a daemon. (Inetd/Xinetd is a daemon that looks for when to spawn things like vsftpd.) If your distro uses inetd then look at /etc/inetd.conf for configuration. If xinetd then look at the files in /etc/xinetd.d.

chroot'ing of any sort is designed to minimize the damage a connected user can do by only giving them access to a single directory. You can have chroot point to the existing directory for sftpd purposes, so you are misreading something if you think otherwise. Since chroot is designed to prevent user A from accessing anything other than user A's files, most tutorials assume you will have a chroot for user A, then a different one for user B, another for user C, etc., but it is not required. This is not a function of sftpd or vsftpd but rather an additional layer of security.
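
Pointing a chroot at a user's existing directory, as the post above describes, carries an ownership constraint when it is done with OpenSSH's own `ChrootDirectory` option (assumed here; the thread does not mention it): sshd rejects the chroot path unless every component is root-owned and not group- or world-writable. The script below is an added example, not code from the thread; its function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: audit a directory as an sftp chroot target.
# Assumed rule (OpenSSH ChrootDirectory): every path component must be a
# directory owned by root and not writable by group or others.

# component_ok DIR [OWNER_UID]: succeed if DIR is a real directory (not a
# symlink), owned by OWNER_UID (default 0), with no group/other write bit.
component_ok() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    # ls -ldn fields: mode, links, numeric uid, ... ; characters 6 and 9 of
    # the mode string are the group and other write bits.
    ls -ldn -- "$dir" | awk -v u="$want_uid" '
        { exit !($3 == u && substr($1, 6, 1) != "w" && substr($1, 9, 1) != "w") }'
}

# chroot_path_ok DIR [OWNER_UID]: walk from DIR up to /, print each component
# that breaks the rule, and return 0 only if all of them pass.
chroot_path_ok() {
    path=$(CDPATH= cd -- "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1"
        return 1
    }
    bad=0
    while :; do
        if ! component_ok "$path" "${2:-0}"; then
            echo "unsafe component: $path"
            bad=1
        fi
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return "$bad"
}

# Usage: sh check_chroot.sh /home/someuser   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    chroot_path_ok "$1"
fi
```

A home directory owned by the user itself fails this check, so the usual arrangement is a root-owned chroot directory with a user-writable subdirectory inside it.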
 
06-21-2006, 11:21 AM   #3
ctb123
LQ Newbie
 
Registered: Jun 2006
Posts: 4

Original Poster
How do I have chroot point to the user's existing directory for sftpd purposes?
 
06-27-2006, 08:45 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Have a look here: http://www.linuxquestions.org/questi...753#post298753 ?
 
  


All times are GMT -5.