You can chroot SSH by applying a patch to the OpenSSH source and the
rebuilding. You still have to run ldd to identify the needed files and copy
those to the chrooted environment. I don't know of any way around this.
Then what I've done in the past is, once you have the chrooted SSH user, you
add 'exit' to the top of the user's profile, make that and the parent directory
owned by another user (root, sysadmin, whatever) - so that the user can't
overwrite the profile. When that's in place, the user can sftp into the box
but cannot get a shell and they are chrooted into the directory you set up.
It's a pretty quick setup. Even with having to run the ldd and copy the
libraries, it's probably less than an hour.
Here's a good link to a doc explaining the process step by step:
http://www.netadmintools.com/art294.html .
"McDougall, Marshall (FSH)" <MarMcDouga@gov.mb.ca> 12/09/05 6:05 AM >>>
I apologize if this is OT.
I have a developer who needs access to
/u/l/a/htdocs/his_project_documentation. I don't want to give him a
shell account because he only needs to dump some online manuals in this
directory. I also don't want him to be able to navigate the file system.
From what I have seen, If I create a user with no shell account, sftp
will not work. It fails with:
Warning: ssh_packet_wrapper_input: invalid packet received: len
1416128887 closing the offending input channel.
If I create a user with the home drive pointing to
/u/l/a/htdocs/his_project_documentation, all of the dot files get dumped
there and they can still navigate the filesystem.
I have installed rssh from pizzashack.org and have limited them to just
SFTP, but again they can still navigate the filesystem. If I understand
the CHROOT jail process properly, I would need to copy various system
binaries to the chrooted area and I don't want to do that.
So my burning question is: How do I give this user sftp access only to
a very limited area of my system? Any assistance appreciated.
Regards, Marshall
