LinuxQuestions.org, Linux - Security forum
#1  10-29-2003, 08:59 AM
Zingaro2002 (Member; Italy; Fedora Core 1, Red Hat 8, Red Hat 9, Knoppix 3.3 (debian sarge))
User account and SSH: I need advice...


Hi guys!

I have to do the following:

- create a new user on my linux box (red hat 8) that has a public IP

- this user must have access with full privileges (creation, editing, deletion of files and directories) ONLY AND EXCLUSIVELY to a directory that I decide (and that is not his home directory); he must NOT view other directories in any way

- moreover each time this user connects from his win machine to my linux machine using SSH (with user name and password) he can access ONLY AND EXCLUSIVELY the directory I assigned to him (I repeat: not his home).

How can I do this?
How can I configure sshd to obtain what I want?

How can I configure sshd to let ONLY some users (NOT root) connect to my machine?

Thanks in advance to anyone who can give me help...

 
#2  10-29-2003, 09:36 AM
toovato (Member; Ft Lauderdale, FL; debian)
so this user just needs to dump files?

consider sftp with ssh

when using the utility to create the user you can create their home directory anywhere
 
#3  10-29-2003, 09:59 AM
Zingaro2002 (original poster)
Quote:
Originally posted by toovato
so this user just needs to dump files?

consider sftp with ssh

when using the utility to create the user you can create their home directory anywhere
Yes, that is just what I want to do!

I will do

adduser -d /home/xxx/zzz/username username

but, which options should I specify to let the user access, view, modify or delete only files and subdirectories ONLY in his home directory?

He must have no access to any other directory-files-device on my linux box.

Any suggestion?
Bye
 
#4  10-29-2003, 10:04 AM
toovato (Member; Ft Lauderdale, FL; debian)
Please explain your motivation - what do you want him not to see?

The way to make his access as limited as possible is to put his user in his own group. But if all this user needs to do is to ftp then I would suggest some other separate server software to control his access that doesn't give the user a shell.
 
#5  10-29-2003, 10:18 AM
Zingaro2002 (original poster)
Uhmm...

Maybe there is something that I don't know...

My user will use only sftp.

Is it possible to create a user only for sftp?
How can I make it?

Or should I create a linux user with only the privileges I mentioned above?
 
#6  10-29-2003, 10:35 AM
toovato (Member; Ft Lauderdale, FL; debian)
well you can grab a web app that allows uploads and downloads over https and auth_digest or something similar. My point being if you don't trust this person at all and you have sensitive data on the machine giving this person access to openssh in any regard is probably not a good idea. There are also other ftp servers that are "secure", whereby you can limit all access to a particular directory..
 
#7  10-29-2003, 12:27 PM
chort (Senior Member; Silicon Valley, USA; OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5)
There's actually a project, I think on Sourceforge, for "sftp-only" accounts. Basically it's the same idea as having a "nologin" shell, except they must be able to authenticate as the user for SFTP, but you don't want them to be able to SSH into the machine.

I wish I had the link to it off the top of my head, but 2 minutes on Google should dig it up.
 
#8  10-29-2003, 01:09 PM
unSpawn (Moderator)
From the FAQ: Security references thread:

OpenSSH for chrooted sessions on Linux: http://mail.incredimail.com/howto/openssh/
http://chrootssh.sourceforge.net

OpenSSH, Scponly: http://www.sublimation.org/scponly/
Using scponly for secure file transfers: http://www.sancho2k.net/filemgmt_dat...s/scponly.html
OpenSSH, Rssh: http://pizzashack.org/rssh/
 
#9  10-31-2003, 04:50 AM
Robert0380 (Guru; Atlanta; Gentoo)
couldn't he chroot the user's home directory so that the user only sees his home and whatever he creates in it?


OK, I think that's what unSpawn's links are about, but I started typing this so I'm gonna post it anyway.
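The recipe the thread is circling (a password-only sftp account locked into one directory, plus an sshd that admits only named users and never root), as an added example that is not from any of the posts above. It uses OpenSSH's own ChrootDirectory and internal-sftp, which arrived in OpenSSH 4.8/4.9 in 2008; the Red Hat 8 box in this thread did not have them, which is why the replies point to the chrootssh patch, scponly and rssh instead. Assumed names: an admin account "admin" that keeps normal shell access, the sftp user "bob", and the chroot /srv/sftp/bob. The script expects GNU coreutils (stat -c, install) and GNU sed.

```shell
#!/bin/sh
# Added example, not code from the thread: an sftp-only, chrooted account
# built with OpenSSH's ChrootDirectory + ForceCommand internal-sftp.
# Assumptions: Linux, GNU coreutils and GNU sed, an sshd new enough for
# Match blocks; assumed names "admin" (keeps a shell), "bob" (sftp only)
# and /srv/sftp/bob (the chroot). Only sftp_create_user needs root.

# Does an octal mode string as printed by `stat -c %a` (755, 1777, ...)
# grant write access to group or to others? sshd refuses a chroot whose
# path contains any such component ("bad ownership or modes for chroot").
mode_writable_by_others() {
    mode=$1
    o=${mode#"${mode%?}"}           # last digit: others
    g=${mode%?}; g=${g#"${g%?}"}    # second-to-last digit: group
    [ $(($g & 2)) -ne 0 ] || [ $(($o & 2)) -ne 0 ]
}

# Walk from DIR up to / and enforce sshd's rule on every component:
# owned by root and not group- or world-writable. 0 means sshd accepts it.
sftp_chroot_check() {
    p=$1
    case $p in /*) ;; *) echo "chroot path must be absolute: $p" >&2; return 1 ;; esac
    while :; do
        info=$(stat -c '%u %a' "$p") || return 1
        uid=${info%% *}; mode=${info##* }
        if [ "$uid" != 0 ] || mode_writable_by_others "$mode"; then
            echo "chroot check failed at $p (uid=$uid mode=$mode)" >&2
            return 1
        fi
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Emit the sshd_config lines. Subsystem, PermitRootLogin and AllowUsers are
# global keywords; the Match block has to sit at the END of sshd_config,
# because every line after a Match belongs to it until the next Match.
# AllowUsers answers the "only some users, not root" question: anyone not
# listed (root included, and PermitRootLogin no is belt and braces) is refused.
sftp_match_block() {
    admin=$1; user=$2; chroot=$3
    cat <<EOF
Subsystem sftp internal-sftp
PermitRootLogin no
AllowUsers $admin $user
Match User $user
    ChrootDirectory $chroot
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# Create the account and directory layout. Run as root; never run by a test.
# The chroot root stays root-owned 755, so the user cannot write there; the
# user gets a writable subdirectory that shows up in sftp as /upload.
# The login shell is nologin: the forced internal-sftp never executes it,
# but sshd still insists that the shell exists (/usr/sbin/nologin on Debian).
sftp_create_user() {
    admin=$1; user=$2; chroot=$3
    useradd -M -d "$chroot" -s /sbin/nologin "$user"
    install -d -o root -g root -m 755 "$chroot"
    install -d -o "$user" -g "$(id -gn "$user")" -m 750 "$chroot/upload"
    sftp_chroot_check "$chroot" || return 1
    # sshd rejects a second "Subsystem sftp" line, so drop the stock one first.
    sed -i '/^[[:space:]]*Subsystem[[:space:]]*sftp/d' /etc/ssh/sshd_config
    sftp_match_block "$admin" "$user" "$chroot" >> /etc/ssh/sshd_config
    sshd -t || return 1          # syntax check before touching the running daemon
    passwd "$user"               # the password the Windows sftp client will use
    echo "config written; now reload sshd (service sshd reload or systemctl reload sshd)"
}

# Example invocation, as root:  sftp_create_user admin bob /srv/sftp/bob
```

Only sftp_create_user needs root; the two check functions run unprivileged, and the ownership walk is worth repeating before every reload, because a group- or world-writable component anywhere in the path (a chroot placed under /tmp, say) makes sshd turn the login away. After the reload, `sftp bob@host` lands at / of the chroot with a writable upload directory and can browse nothing outside /srv/sftp/bob, while `ssh bob@host` is refused because the forced command only speaks the sftp protocol.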
 