deny browse access to users

Status
Not open for further replies.

iinfi

mekalodu
I'm running RHEL 5 on my company system.

There is a client requirement that when users log into the system through SSH they should not be able to even browse through any directory other than their home directory.

Is this possible?
I've referred to www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/ but when I create a chroot the user is not able to log in at all!! Be it normally on the system itself or through SSH.

The end goal is to set up an SFTP server so that the client can send files securely to their customers.

Setting up an FTP server with vsftpd is an option, but again I find that the FTP user (not anonymous users, not the root user; anonymous user login on FTP is disabled) is able to go up the directories and view the contents of all the root directories. The client does not want this either.

Am I clear? Any workaround? Thanks.
 

mediator

Technomancer
Why go through all the trouble of the scripts, buddy? You only have to modify some variables!!

1. FTP
You have to customize the FTP server by adding "chroot_local_user=YES" to "/etc/vsftpd/vsftpd.conf".

Look for "chroot_local_user" in the conf. It should be there. If not, add it. Restart the FTP server and you are done!!

2. SFTP
www.debian-administration.org/articles/590
I have never tried it. So if you are successful in your R&D, please acknowledge. It will save my time!! :)
 
OP
iinfi

mekalodu
Thanks for your reply.
The requirement was, if I was configuring an FTP server, the transfer of files should also be through a secure channel. When I configured SSL for the same, the client did not like it as they didn't want to spend money to get a proper certificate from a CA and didn't want pop-ups in the browser or FTP client saying the SSL certificate is not digitally signed by a CA.

So I tried SFTP. The config was done, but the issue again is that all users who log in are able to browse through the root directory as well. Though they cannot make any changes, the client did not want that either. So the resolution was to create a chroot jail. I tried a few utilities like jailkit and makejail which did create a jail-like environment but didn't allow any users added in the jail. I also ran this script which also successfully created chrooted users but didn't allow them to log in.
Can you please try to run this script and tell me if it works for you?
Thanks again.
 

mediator

Technomancer
^^ You are taking unnecessary trouble. I understand your question. The best bet is "sftp" & so I tried it. It works 100% as you want. Here's a better version of that tute.


I have modified the tute as it contained a lot of flaws!! Here's the modified one ......

1. Go to the end of the file /etc/ssh/sshd_config (e.g. emacs /etc/ssh/sshd_config) and add:
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
# Example of overriding settings on a per-user basis
Match Group sftponly
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory %h
    ForceCommand internal-sftp
2. Restart ssh: /etc/init.d/ssh restart
3. AS ROOT make a directory say "chroot" that will become root directory for sftp:
mkdir /home/chroot
4. groupadd sftponly
5. Create your user: useradd -d /home/chroot/ test
6. Remove SSH Access: usermod -s /bin/false test
7. Set your user to sftponly group: usermod -g sftponly -G sftponly test
username => test

Another thing you should remember is to get openssh version >= 4.81 before starting the tute.
Next, /home/chroot will become your root directory (/) in sftp mode and will be readable and not writable. Here comes the part which you want.

8. Create a directory in /home/chroot/ say "project1"
9. Own it to "test", chown test.test project1


So with this, different directories can be assigned to different users (read and write) to work on under SFTP!! Create another user for another client, say "test2", and a directory, say "project2", and follow steps 5, 6, 7, 8 and 9 again.

5. Create your user: useradd -d /home/chroot/ test2
6. Remove SSH Access: usermod -s /bin/false test2
7. Set the user to the sftponly group: usermod -g sftponly -G sftponly test2
8. Create a directory in /home/chroot/ say "project2" : mkdir /home/chroot/project2
9. Own it to test: chown test2.test2 project2
Thus, clients won't be able to read directories belonging to other projects/clients and they won't be able to browse the system directories too!! ;)
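A pre-flight check to run before trying the steps above, as an added example that is not from this thread or from the tutorial it modifies. sshd refuses a chrooted login unless every component of the ChrootDirectory path, from / down to the chroot itself, is owned by root and is not writable by group or others; a path that breaks this rule is a common reason why a freshly chrooted user "cannot log in at all". The script assumes GNU stat (Linux); the optional owner parameter exists only so the walk can be exercised on a test tree.

```shell
#!/bin/sh
# Added example (not from the thread): check that a directory is usable as
# sshd's ChrootDirectory, e.g. the /home/chroot created in the steps above.
# Rule enforced by sshd: every path component from / to the chroot must be
# owned by root and must not be writable by group or others.
# Assumes GNU stat. The owner parameter is only for testing the walk on a
# scratch tree; sshd itself always requires root.

# Check one directory: owner must match, no group/other write bit.
check_component() {
    dir=$1
    want=$2
    # stat -c '%U %A' prints e.g. "root drwxr-xr-x"
    out=$(stat -c '%U %A' "$dir" 2>/dev/null) || return 1
    set -- $out
    got=$1
    perm=$2
    status=0
    if [ "$got" != "$want" ]; then
        echo "BAD: $dir is owned by $got, sshd requires $want" >&2
        status=1
    fi
    # char 6 of the symbolic mode is group write, char 9 is other write
    case $perm in
        ?????w*|????????w*)
            echo "BAD: $dir ($perm) is writable by group or others" >&2
            status=1 ;;
    esac
    return $status
}

# Walk from the chroot up to / and check every component; returns 0 only
# if all of them pass. Usage: check_chroot_path /home/chroot [expected_owner]
check_chroot_path() {
    cur=$1
    want=${2:-root}
    case $cur in
        /*) ;;
        *) echo "BAD: $cur is not an absolute path" >&2; return 1 ;;
    esac
    rc=0
    while :; do
        check_component "$cur" "$want" || rc=1
        [ "$cur" = / ] && break
        cur=$(dirname "$cur")
    done
    return $rc
}
```

Source the file and call `check_chroot_path /home/chroot`; every offending component is reported on stderr, and the per-user writable directories (project1, project2) belong inside the chroot, not on the path to it.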
 
OP
iinfi

mekalodu
Thanks a lot.
I just got the RPM for OpenSSH 5.1 but am unable to get the dependencies. We don't have Red Hat support, so I cannot download from their site.
Code:
[root@ser Desktop]# rpm -ivh openssh-5.1p1-4.fc11.i386.rpm
 libc.so.6(GLIBC_2.8) is needed by openssh-5.1p1-4.fc11.i386
        libcrypto.so.7 is needed by openssh-5.1p1-4.fc11.i386
[root@ser Desktop]# error: Failed dependencies:
-bash: error:: command not found
Even CentOS has only 4.3 currently. The dependencies are not available.

BTW, do you know how to configure PAM to enable user-level activity logging?
 

mediator

Technomancer
You'll need an independent RPM search and deploy strategy for the dependency problem. Don't know much about PAM! But if you should go to any other forum for that, try fedoraforum.org or neowin.net. :oops:
 
OP
iinfi

mekalodu
Okay ... thank you so much.

Another thing I found was to give the users a bash -r environment.
This way they cannot move around from the home directory, but they cannot create and move into directories inside their own home folder either.
Thanks again .. will dig more into this and let you know if it works.
 