How to enable 2 ssh servers: one for /home and one for /home/theuser only?
Hello,
I would be interested in setting up, on a Debian stable box, two ssh servers: one for /home and one for /home/theuser only. I would like the ssh process/daemon to detect the login name and say:
- login user1 to userX: you get full /home/... access (with regular permissions)
- login theuser: this user can see nothing. Just his personal /home/theuser content and nothing else. He should not even see /usr/bin ... /etc ... just his own data in his /home/theuser.
Is that somehow possible with Linux Debian? I did apt-get install the ssh server stuff and I am waiting for your information to modify the ssh config in /etc... I am looking forward to hearing from you. With thanks and best regards
chroot, not 2 ssh servers
What you want to do is called chroot on the second user, not two ssh servers. Two ssh servers wouldn't work because of port conflicts, etc. The second user has to see /usr/bin at the very least, so to make chroot work you would have to copy select programs out of /usr/bin to a directory under their root directory, /home/user. This is commonly done with ftp but not so common with user logins. Why are you so concerned about limiting them to a single directory? Perhaps you should just review normal security procedures and see if they will work for you.
jailroot
Use a jailroot shell for that given user (a chroot solution as already mentioned).
http://nixbit.com/cat//utilities/jailkit/ Another tutorial is at http://www.cyberciti.biz/tips/howto-...oted-jail.html but it's related to web servers, though it might give a few ideas.
Quote:
Well, I just have regular users who can make all the mess they want with their user account since they are trusted, and others who cannot, or less so. Then my idea was to block everything and restrict them just to /home/usersrestricted and nothing else. I'll have a look at the provided links above. THANK YOU!!
Quote:
is more for apache. All those are a bit complicated; let's go step by step. I just installed jailkit after ./configure ; make ; make install
Code:
jailkit# cat /etc/shells
So let's give it a try with chroot first. I found this: http://www.fuschlberger.net/programs...p-chroot-jail/ I don't do what I don't understand ... no bash of the sh file. I follow this: http://olivier.sessink.nl/jailkit/howtos_ssh_only.html
First error:
Code:
# jk_init -v /home/chrootusers ssh
My errors:
Code:
/etc/init.d/jailkit start
Tail error on the box:
Code:
by (uid=0)
Can you do it using Match rules in the sshd config file?
I use it to allow TCP forwarding for certain users by adding them to a specific group:
Code:
# applies to members of the tcp-forward group only; must come after the global settings
Match Group tcp-forward
    AllowTcpForwarding yes
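The opening question (one login that sees nothing but its own data) and the Match suggestion just above meet in a single OpenSSH feature: a Match block with ChrootDirectory and ForceCommand internal-sftp, which needs no second sshd and no copied binaries, because the built-in SFTP server runs inside sshd itself. The script below is an added example written for this thread, not code posted by anyone in it or shipped by jailkit; it assumes OpenSSH 4.9 or later, a group named sftponly, a user named theuser, and Debian's /etc/ssh/sshd_config and /etc/init.d/ssh paths. It gives the user SFTP only, which matches the "sees no /usr/bin, no /etc" requirement; an interactive shell inside a chroot still needs a jail with copied programs, as the chroot answer above says.

```sh
#!/bin/sh
# Added example (not from the thread): confine one user to his own home with
# OpenSSH's built-in ChrootDirectory, instead of a second sshd or a jail full
# of copied binaries. Assumed names: group "sftponly", user "theuser".

# Print the sshd_config fragment. It must go at the END of sshd_config,
# because every line after a "Match" belongs to that Match block.
sshd_match_block() {
    group=$1
    cat <<EOF
Match Group $group
    # %u expands to the login name; sshd chroots before the session starts
    ChrootDirectory /home/%u
    # only the in-process SFTP server runs: no shell, no /usr/bin, no /etc
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd refuses the login ("bad ownership or modes for chroot directory" in
# auth.log) unless every component of the chroot path, from / down, is owned
# by root and writable by nobody but root. Walk the path and check that.
check_chroot_path() {
    p=$1
    while :; do
        owner=$(stat -c %u "$p") || return 1
        mode=$(stat -c %a "$p") || return 1
        if [ "$owner" -ne 0 ]; then
            echo "$p: must be owned by root (owner uid $owner)" >&2
            return 1
        fi
        # 022 masks the group-write and other-write bits of the octal mode
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$p: must not be group/other writable (mode $mode)" >&2
            return 1
        fi
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Root only: make /home/$user a valid chroot root and give the user a writable
# subdirectory inside it, since the chroot root itself cannot belong to him.
setup_sftp_jail() {
    user=$1 group=$2
    getent group "$group" >/dev/null || groupadd "$group"
    usermod -a -G "$group" "$user"
    chown root:root "/home/$user"
    chmod 755 "/home/$user"
    mkdir -p "/home/$user/data"
    chown "$user:$user" "/home/$user/data"
    chmod 700 "/home/$user/data"
    check_chroot_path "/home/$user"
}

# Usage (as root):  sh this_script.sh setup theuser sftponly >> /etc/ssh/sshd_config
#                   sshd -t && /etc/init.d/ssh restart
if [ "${1:-}" = setup ] && [ "$(id -u)" -eq 0 ]; then
    setup_sftp_jail "$2" "$3" && sshd_match_block "$3"
fi
```

Because /home/theuser is now root-owned, the login lands at the chroot root and can write only in data/; sshd logs that it could not chdir to the home directory inside the chroot, which is harmless. Run `sshd -t` before restarting so a typo in the Match block cannot lock you out, and check /var/log/auth.log for the "bad ownership or modes" message if the login is rejected.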
Quote:
Concerning the test, it was done from behind the firewall (inside the internal network) ... it didn't work. I'll try tonight.
The chroot or jailkit are really your only options. The tcp forwarding would only apply to X-Windows I believe, not sure what good that would do you. The error you saw with jailkit has to do with the permissions on the directory you were trying to use. For some reason it has the setgid bit turned on. Not sure what the purpose of that is but it's easy enough to turn off. I've never used jailkit, only the chroot option and the link previously given will work well. But if you've already installed jailkit, just fix your permissions and run it again.
Quote:
Code:
chmod uog+rx -R /home/chrootusers/
The /home/chrootusers/home/users has the right permissions. What can it be?
Code:
/* test procmail in the jail, it is not allowed to be setuid() or setgid()
Quote:
Waooow, the ssh worked,
now I am trying to get the sftp server working like it says for debian: the syslog.conf step, how do I do that?? http://olivier.sessink.nl/jailkit/ho..._scp_only.html I don't get what he means. I get this error message now ... )
Code:
tried to get an interactive shell session (/usr/sbin/jk_lsh), which is never allowed by jk_lsh
When I log in to the ssh via gftp SSH2 (sftp) it says this error:
Code:
There was an error initializing a SSH connection with the remote server. The error message from the remote server follows: