A regular ftpserver isn't working with my firewall, due to a really stupid router configuration among other problems. And because sftp beats ftp all hollow anyway, I'd like to start work on it. My users would need to be chrooted and relatively unpriviledged, mainly because I have equally geeky friends who aren't above testing my limits...and reinstalling my OS when it doesn't need it is a pain

The list of Things ToDo seems to be this:
1. Install and update OpenSSH (done)
2. Install rssh
3. Install and configure Chrootssh
4. Patching up with GRSecurity isn't a bad idea
5. Create/alter my ftp-only users to use /bin/rssh
6. ???
7. Profit!!

Does anyone see any holes in this plan, or have any tips to add? Constructive criticism is most definitely welcomed, as I admit that network security isn't my strong point, and that makes this fairly dangerous. My distro is Slack 10.2 with 2.4.31.

Thanks!

Hey

is it just SFTP access they need? If so, this is what I recommend:

1. Install SSH and scponly. scponly is a cut down shell which only allows the user access to logging in with an SCP client (like WinSCP). Importantly, scponly also comes with a shell called scponlyc, which allows it to run as a chroot environment.

2. With the most recent version of scponly, the home directory of the user must be owned by root. this is for security reasons, but can be a pain. You need to make a folder inside the user's home folder which is owned by the user. This is the folder which they can use.

3. Download and use scpjailer (http://tjw.org/scpjailer/). This is a really handy binary which will set up all of the correct files inside the user's home folder to make it chrooted. (As it is chrooted, you can probably imagine that some important files (for example, the authentication details, binaries and their libraries) need to be stored in the user's home folder.) Scpjailer will copy across everything you need.

4. Once you have done this, modify each user to make his shell /usr/sbin/scponlyc (this may not be the correct path. you will need to check it).

The result is:
1. User's home folder is (for example) /home/user . This is owned by root:root .
2. There is a folder called /home/user/data which is owned by user:user .
3. Give the user the link to WinSCP. Tell them to log in with their username and password to your server using WinSCP.
4. When they log in, they will not be able to access files outwith their home folder.
5. If you do try to login with putty or with a terminal, they will not have access to a shell.

This is waht I remember doing when I did it. I ahve it all written down at the office, but I'm not there.

Let me know how you get on

H

Thanks for the suggestions! I'm working on it now (had a couple of busy days when I just couldn't sit down and work on this), and am wondering whether scpjailer can do what I need. I don't want to jail users into their home directory - I need to jail them into *a* directory, i.e. /multimedia/ which is where I have all of my mp3s, movies, etc. My current setup allows write permissions only for that top-level directory; all subdirectories are read-only for anyone but me, to help minimize accidents.

Aside from that, I've been trying it out on a test user, just jailing them into what I thought was their own home directory. I can't ssh in, I've tried that and it fails (which is good). I can sftp in, and I think I can transfer files (haven't tried yet). But - I can also get out of that directory, and I don't think that I should be able to do that, so clearly I'm doing something wrong.

This is the setup so far:
Theoretically, I shouldn't have been able to do that 'cd ../' ...should I?
Thanks for your help!