Mailing List Archive

How to restrict ssh user to the home directory ?
Dear list,

I am running a remote SUSE server and need to give ssh access to users who can work on their particular web folder only. The version of the ssh server is openssh-5.0p1-21.1.

I have already done a huge Google search but could not find any sshd feature which allows restricting ssh users
to their home directory. I have found some documentation where chroot or jailkit is used to achieve this, and
these need some more configuration and obviously "chown root:root <home-folder>". But I need an option which simply restricts ssh users so that they can't browse beyond their home directory. It is also not possible to do "chown root:root <home-folder>", as the folders which are used as home directories are actually web folders under apache htdocs having apache permissions. I don't need sftp but ssh access. Is it really impossible to have this feature through ssh technology?

Thanks
Re: How to restrict ssh user to the home directory ?
J. Bakshi wrote:
> I am running a remote suse server and need to give ssh access to the users who can work on their particular web folder only. The version of ssh server is openssh-5.0p1-21.1
>
> I have already did huge google search but could not find any sshd features which can allow ssh users
> to restrict them in their home directory. I have found some documentations where chroot or jailkit is used to achieve this and
> these need some more configuration and obviously "chown root:root <home-folder>" . But I need an option which simply restrict ssh users so that they can't browse beyond their home directory. It is also not possible to do "chown root:root <home-folder>" as the folders which are used as home directory are actually web folder under apache htdocs having apache permission. I don't need sftp but ssh access. Is it really impossible to have this feature through ssh technology
It should be entirely possible in OpenSSH. I've done a similar thing
with sftp (but that was sftp-specific and not OpenSSH really).

OpenSSH can support chrooting, in which case you simply follow the standard
chroot methods. I'm not sure if it's an integrated compile-time option
or a 3rd-party patch, but it is an integrated compile-time
option on Gentoo systems, so the worst-case scenario, if you are working with
another distro, would be to patch the source and compile it yourself to get
this to work.

-h

--
Hari Sekhon
Always open to interesting opportunities
http://www.linkedin.com/in/harisekhon
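An added example, written for this archive page and not taken from Hari's post or from the OpenSSH project: ChrootDirectory has been a built-in sshd_config option since OpenSSH 4.9, so the 5.0p1 server in the question already has it. The part that matters for this thread is the ownership rule that keeps coming up: sshd refuses to chroot unless the jail directory and every component of its path are owned by root and are not group- or world-writable. That rule covers only the ChrootDirectory path and its ancestors, not what sits below the jail, so a web folder placed (or bind-mounted) underneath the jail can keep its apache ownership. A jail that gives a shell rather than internal-sftp still needs the shell binary and its libraries copied in, which is what "standard chroot methods" refers to above. The script checks a candidate jail against sshd's rule before sshd does and prints the Match block to pair with it. The user name alice and the path /srv/jail/alice are invented; it assumes Linux with GNU coreutils (stat -c).

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): pre-check a directory
# against sshd's ChrootDirectory ownership rules and print the matching
# sshd_config fragment. Assumes Linux + GNU coreutils (stat -c). The user
# "alice" and the path /srv/jail/alice below are made up for illustration.

# component_ok DIR REQ_UID
# sshd's rule for a single path component: owned by REQ_UID (0 in real use)
# and not writable by group or other.
component_ok() {
    uid=$(stat -c '%u' "$1" 2>/dev/null) || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$uid" = "$2" ] || return 1
    go=${mode#"${mode%??}"}          # last two octal digits: group, other
    g=${go%?}; o=${go#?}
    [ $(( $g & 2 )) -eq 0 ] && [ $(( $o & 2 )) -eq 0 ]
}

# chroot_path_ok JAIL [REQ_UID] [TOP]
# Walk from JAIL up to TOP (default /, which is what sshd does) and apply
# component_ok to every directory on the way. REQ_UID defaults to 0; both
# parameters exist only so the check can be exercised in a sandbox.
chroot_path_ok() {
    d=$1; req=${2:-0}; top=${3:-/}
    while :; do
        if ! component_ok "$d" "$req"; then
            echo "sshd would refuse ChrootDirectory $1: $d is not owned by uid $req or is group/world-writable" >&2
            return 1
        fi
        [ "$d" = "$top" ] && return 0
        [ "$d" = "/" ] && return 1   # TOP was not an ancestor of JAIL
        d=$(dirname "$d")
    done
}

# sshd_match_block USER JAIL
# The sshd_config fragment that goes with a passing jail. Forwarding is
# switched off because a chrooted user can otherwise still use sshd as a
# network relay, jail or not.
sshd_match_block() {
    cat <<EOF
Match User $1
    ChrootDirectory $2
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Typical use as root (paths are the made-up ones from the comment above):
#   mkdir -p /srv/jail/alice
#   chown root:root /srv/jail /srv/jail/alice && chmod 755 /srv/jail /srv/jail/alice
#   chroot_path_ok /srv/jail/alice && sshd_match_block alice /srv/jail/alice >> /etc/ssh/sshd_config
# The web folder then lives inside the jail, e.g. bind-mounted at
# /srv/jail/alice/htdocs, and keeps its apache owner: sshd checks the jail
# path and its ancestors only, never the contents of the jail.
sshd_match_block alice /srv/jail/alice
```

Run chroot_path_ok on the real jail path before restarting sshd; the error it prints names the offending component, which saves reading sshd's "bad ownership or modes for chroot directory" message out of the auth log after the fact.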
Re: How to restrict ssh user to the home directory ?
2009/4/21 J. Bakshi <bakshi12@gmail.com>:
> Dear list,
>
> I am running a remote suse server and need to give ssh access to the users who can work on their particular web folder only. The version of ssh server is openssh-5.0p1-21.1
>
> I have already did huge google search but could not find any sshd features which can allow ssh users
> to restrict them in their home directory. I have found some documentations where chroot or jailkit is used to achieve this and
> these need some more configuration and obviously "chown root:root <home-folder>" . But I need an option which simply restrict ssh users so that they can't browse beyond their home directory. It is also not possible to do "chown root:root <home-folder>" as the folders which are used as home directory are actually web folder under apache htdocs having apache permission.  I don't need sftp but ssh access. Is it really impossible to have this feature through ssh technology ?

Hello,

Try using scponly: http://www.sublimation.org/scponly/wiki

--
best regards
mutifo
Re: How to restrict ssh user to the home directory ?
On Wed, 22 Apr 2009 17:15:04 +0100
Hari Sekhon <hpsekhon@googlemail.com> wrote:

> J. Bakshi wrote:
> > I am running a remote suse server and need to give ssh access to
> > the users who can work on their particular web folder only. The
> > version of ssh server is openssh-5.0p1-21.1
> >
> > I have already did huge google search but could not find any sshd
> > features which can allow ssh users to restrict them in their home
> > directory. I have found some documentations where chroot or jailkit
> > is used to achieve this and these need some more configuration and
> > obviously "chown root:root <home-folder>" . But I need an option
> > which simply restrict ssh users so that they can't browse beyond
> > their home directory. It is also not possible to do "chown
> > root:root <home-folder>" as the folders which are used as home
> > directory are actually web folder under apache htdocs having apache
> > permission. I don't need sftp but ssh access. Is it really
> > impossible to have this feature through ssh technology
> It should be entirely possible in openssh. I've done a similar thing
> with sftp (but that was sftp specific and not openssh really).

Yes, I have also read in the OpenSSH docs that it supports sftp, which has been made built in to OpenSSH.
Your next piece of information is very welcome in my case. If OpenSSH supports chrooting there is no nicer feature than this, but the folder where I'd like to give ssh access must continue running with apache permissions and not as root:root.

>
> OpenSSH can support chrooting, in which case you simply follow the
> std chroot methods. I'm not sure if it's an integrated compile time
> option or if it's a 3rd party patch, but it is an integrated compile
> time option on Gentoo systems, so worst case scenario if you are
> working with another distro, would be to patch the source and compile
> yourself to get this to work.
>
> -h
>
Re: How to restrict ssh user to the home directory ?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You always have the option of changing their login shell to '/bin/bash -s', which
locks them in. Unfortunately, it also takes away their access to things like
'ls', 'cp', 'vi', etc., unless you include copies in their home folder.

You also need to remember that some apps like 'vim' will allow a user a shell
escape, which can break the limits you set. Make sure to give them access only
to the secure version. For 'vim' that would be 'rvim'.

Benny


J. Bakshi wrote:
> Dear list,
>
> I am running a remote suse server and need to give ssh access to the users who can work on their particular web folder only. The version of ssh server is openssh-5.0p1-21.1
>
> I have already did huge google search but could not find any sshd features which can allow ssh users
> to restrict them in their home directory. I have found some documentations where chroot or jailkit is used to achieve this and
> these need some more configuration and obviously "chown root:root <home-folder>" . But I need an option which simply restrict ssh users so that they can't browse beyond their home directory. It is also not possible to do "chown root:root <home-folder>" as the folders which are used as home directory are actually web folder under apache htdocs having apache permission. I don't need sftp but ssh access. Is it really impossible to have this feature through ssh technology ?
>
> Thanks
>

- --

Benny Helms
Unix SysAdmin
Montana Interactive, LLC
Office: 406-449-3468 Ext 230
Mobile: 406-431-5927
benny@egovmt.com
Registered Linux user #287649 at http://counter.li.org


Re: How to restrict ssh user to the home directory ?
Hi,

On Tue, Apr 21, 2009 at 12:25 PM, J. Bakshi <bakshi12@gmail.com> wrote:
> I am running a remote suse server and need to give ssh access to the users who can work > on their particular web folder only.

You might take a look at Limited Shell -
http://ghantoos.org/limited-shell-lshell/

Depending on your level of paranoia and authorization: Sniffy -
http://sniffy.sourceforge.net/

Cheers,
--scm
Re: How to restrict ssh user to the home directory ?
On Tue, Apr 21, 2009 at 9:25 AM, J. Bakshi <bakshi12@gmail.com> wrote:
> Dear list,
>
> I am running a remote suse server and need to give ssh access to the
> users who can work on their particular web folder only. The version of
> ssh server is openssh-5.0p1-21.1
>
> I have already did huge google search but could not find any sshd
> features which can allow ssh users to restrict them in their home directory.
> I have found some documentations where chroot or jailkit is used to
> achieve this and these need some more configuration and obviously
> "chown root:root <home-folder>" . But I need an option which simply
> restrict ssh users so that they can't browse beyond their home directory.
> It is also not possible to do "chown root:root <home-folder>" as the
> folders which are used as home directory are actually web folder under
> apache htdocs having apache permission.  I don't need sftp but ssh
> access. Is it really impossible to have this feature through ssh technology ?
>
> Thanks
>

Short answer, "no."

Long answer...

ssh forks the user's login shell, when not using sftp. Because ssh is just a
transport, not a shell, you would need to look into some sort of restricted
shell as the user's login shell, or go all out with a chroot environment that
encapsulates a normal shell.

--
And, did Galoka think the Ulus were too ugly to save?
-Centauri
Re: How to restrict ssh user to the home directory ?
On Wed, 22 Apr 2009 11:21:06 -0600
Benny Helms <benny@egovmt.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> You always have the option of changing their login shell to
> '/bin/bash -s' which locks them in. Unfortunately, it also takes
> away their access to things like, 'ls' and 'cp' and 'vi', etc.,
> unless you include copies in their home folder.
>
> You also need to remember that some apps like 'vim' will allow a user
> a shell escape which can break the limits you set. Make sure to give
> them access only to the secure version. For 'vim' that would be
> 'rvim'.

Thanks a lot for the rvim tip.
I am grateful to you for making me aware that vim allows shell access.



>
> Benny
>
>
> J. Bakshi wrote:
> > Dear list,
> >
> > I am running a remote suse server and need to give ssh access to
> > the users who can work on their particular web folder only. The
> > version of ssh server is openssh-5.0p1-21.1
> >
> > I have already did huge google search but could not find any sshd
> > features which can allow ssh users to restrict them in their home
> > directory. I have found some documentations where chroot or jailkit
> > is used to achieve this and these need some more configuration and
> > obviously "chown root:root <home-folder>" . But I need an option
> > which simply restrict ssh users so that they can't browse beyond
> > their home directory. It is also not possible to do "chown
> > root:root <home-folder>" as the folders which are used as home
> > directory are actually web folder under apache htdocs having apache
> > permission. I don't need sftp but ssh access. Is it really
> > impossible to have this feature through ssh technology ?
> >
> > Thanks
> >
>
> - --
>
> Benny Helms
> Unix SysAdmin
> Montana Interactive, LLC
> Office: 406-449-3468 Ext 230
> Mobile: 406-431-5927
> benny@egovmt.com
> Registered Linux user #287649 at http://counter.li.org
>
>
Re: How to restrict ssh user to the home directory ?
I don't really feel it is possible... It goes a little bit outside
the perimeter of sshd here. You should look more on the system side; a
tool such as SELinux may be able to enforce this kind of restriction.

(I don't think it is possible, but I'm far from being 100% sure here; if
somebody disagrees with me, please do write it :) )

2009/4/21 J. Bakshi <bakshi12@gmail.com>
>
> Dear list,
>
> I am running a remote suse server and need to give ssh access to the users who can work on their particular web folder only. The version of ssh server is openssh-5.0p1-21.1
>
> I have already did huge google search but could not find any sshd features which can allow ssh users
> to restrict them in their home directory. I have found some documentations where chroot or jailkit is used to achieve this and
> these need some more configuration and obviously "chown root:root <home-folder>" . But I need an option which simply restrict ssh users so that they can't browse beyond their home directory. It is also not possible to do "chown root:root <home-folder>" as the folders which are used as home directory are actually web folder under apache htdocs having apache permission.  I don't need sftp but ssh access. Is it really impossible to have this feature through ssh technology ?
>
> Thanks



--
Romain PELISSE,
"The trouble with having an open mind, of course, is that people will
insist on coming along and trying to put things in it" -- Terry
Pratchett
http://belaran.eu/
Re: How to restrict ssh user to the home directory ?
A long time ago I read that it is possible.

This link shows how to; it is in Spanish, but I remember there is already an
English guide.


http://www.linuxparatodos.net/portal/staticpages/index.php?page=como-openssh-chroot

Good luck!

--------------------------------------------------
From: "Romain Pelisse" <belaran@gmail.com>
Sent: Thursday, April 23, 2009 11:07 AM
To: <secureshell@securityfocus.com>
Subject: Re: How to restrict ssh user to the home directory ?

> I don't really feell it is possible... It goes a little bit outside
> the perimeter of sshd here. You should look more on the system side, a
> tool such as SELinux may be able to enforce this kind of possible.
>
> (i don't think it is possible but i'm far from being 100% here, if
> somebody disagree with me, please do write it :) )
>
> 2009/4/21 J. Bakshi <bakshi12@gmail.com>
>>
>> Dear list,
>>
>> I am running a remote suse server and need to give ssh access to the
>> users who can work on their particular web folder only. The version of
>> ssh server is openssh-5.0p1-21.1
>>
>> I have already did huge google search but could not find any sshd
>> features which can allow ssh users
>> to restrict them in their home directory. I have found some
>> documentations where chroot or jailkit is used to achieve this and
>> these need some more configuration and obviously "chown root:root
>> <home-folder>" . But I need an option which simply restrict ssh users so
>> that they can't browse beyond their home directory. It is also not
>> possible to do "chown root:root <home-folder>" as the folders which are
>> used as home directory are actually web folder under apache htdocs having
>> apache permission. I don't need sftp but ssh access. Is it really
>> impossible to have this feature through ssh technology ?
>>
>> Thanks
>
>
>
> --
> Romain PELISSE,
> "The trouble with having an open mind, of course, is that people will
> insist on coming along and trying to put things in it" -- Terry
> Pratchett
> http://belaran.eu/
>
Re: How to restrict ssh user to the home directory ?
On Tue, 2009-04-21 at 21:55 +0530, J. Bakshi wrote:
> Dear list,
>
> I am running a remote suse server and need to give ssh access to the users who can work on their particular web folder only. The version of ssh server is openssh-5.0p1-21.1
>
> I have already did huge google search but could not find any sshd features which can allow ssh users
> to restrict them in their home directory. I have found some documentations where chroot or jailkit is used to achieve this and
> these need some more configuration and obviously "chown root:root <home-folder>" . But I need an option which simply restrict ssh users so that they can't browse beyond their home directory. It is also not possible to do "chown root:root <home-folder>" as the folders which are used as home directory are actually web folder under apache htdocs having apache permission. I don't need sftp but ssh access. Is it really impossible to have this feature through ssh technology ?

You can try rssh:

http://www.pizzashack.org/rssh/index.shtml
http://www.cyberciti.biz/tips/howto-linux-unix-rssh-chroot-jail-setup.html

-- Jose Celestino SAPO.pt::Systems http://www.sapo.pt
--------------------------------------------------------------------- *
Progress (n.): The process through which Usenet has evolved from smart
people in front of dumb terminals to dumb people in front of smart
terminals.
Re: How to restrict ssh user to the home directory ?
On Thu, Apr 23, 2009 at 7:57 AM, J. Bakshi <bakshi12@gmail.com> wrote:
> On Wed, 22 Apr 2009 11:21:06 -0600
> Benny Helms <benny@egovmt.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> You always have the option of changing their login shell to
>> '/bin/bash -s' which locks them in.  Unfortunately, it also takes
>> away their access to things like, 'ls' and 'cp' and 'vi', etc.,
>> unless you include copies in their home folder.
>>
>> You also need to remember that some apps like 'vim' will allow a user
>> a shell escape which can break the limits you set.  Make sure to give
>> them access only to the secure version.  For 'vim' that would be
>> 'rvim'.
>
> thanks a lot for the rvim tip.
> I am grateful to you to make me aware that vim allows shell access.

A lot of utilities allow shell access:
more
less
vi
nvi
vim
emacs
nano
pico
awk
...

If you have perl access, you have fork/exec access.

Uploading your own binaries that fork/exec...

General shell access is not easy to do securely.

chroot is basically your only choice.

--
And, did Galoka think the Ulus were too ugly to save?
-Centauri
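An added example (mine, not code from Benny's or Centauri's posts) that exercises the two points made in this part of the thread: bash's restricted mode (bash -r, installed as rbash on most distributions) stops the user from changing directory, altering PATH, running anything by absolute path or redirecting output, yet any permitted program that can spawn a process walks straight out of it, because restriction is a property of that one shell process and is not inherited by its children. The script uses awk's system() as the escape, since awk is on every box and on Centauri's list; vim's :! does the same thing, which is why the rvim tip matters. The defence shown is the usual one for rbash: point the user's PATH at a directory that holds symlinks only to vetted commands, so the escape hatches are simply not reachable. Nothing is assumed beyond bash and awk being installed; the directories used are created with mktemp.

```shell
#!/bin/sh
# Added example, not code from the thread: what bash's restricted mode blocks,
# how an allowed program escapes it, and how a vetted bin directory closes the
# hole. Assumes bash (for -r) and awk are installed; paths are made up.

# Resolve bash once, so the PATH we hand to the restricted shell cannot change
# which bash gets executed.
BASH_BIN=$(command -v bash)

# run_restricted PATHDIRS COMMAND
# Run COMMAND in a restricted bash whose PATH is PATHDIRS. PATH has to be
# fixed before the shell starts: inside -r it is read-only.
run_restricted() {
    PATH="$1" "$BASH_BIN" -r -c "$2"
}

# restricted_refuses COMMAND
# True when a restricted bash with the caller's full PATH refuses COMMAND,
# i.e. the restriction itself, not a missing binary, is what stopped it.
restricted_refuses() {
    ! run_restricted "$PATH" "$1" >/dev/null 2>&1
}

# make_restricted_bin DIR CMD...
# Populate DIR with symlinks to the named commands only. This is the directory
# a locked-down login shell gets as its PATH; leave out anything with a shell
# escape (vim, less, more, awk, perl, ...) and ship rvim instead of vim.
make_restricted_bin() {
    dir=$1; shift
    for cmd in "$@"; do
        if src=$(command -v "$cmd"); then
            ln -sf "$src" "$dir/$cmd"
        else
            echo "make_restricted_bin: $cmd not found, skipped" >&2
        fi
    done
}

# escape_via_awk PATHDIRS
# Prints "escaped" when the restricted shell lets awk spawn an unrestricted
# /bin/sh through system(); prints nothing when awk is not reachable from
# PATHDIRS (the "command not found" goes to stderr, which is discarded).
escape_via_awk() {
    run_restricted "$1" 'awk '\''BEGIN { system("echo escaped") }'\''' 2>/dev/null
}

# Typical use for a jailed web user (invented names):
#   mkdir -p /home/alice/bin && make_restricted_bin /home/alice/bin ls cp mv rvim
#   usermod -s /bin/rbash alice
#   echo 'PATH=$HOME/bin' > /home/alice/.bash_profile   # then chown root, chmod 644
# Without the PATH restriction, `escape_via_awk "$PATH"` prints "escaped"
# from inside rbash, which is exactly the hole the thread is warning about.
```

Note that rbash only restricts the shell; it does nothing to stop the user reading files elsewhere with a vetted `cat`, and the startup files that set PATH must be owned by root, or the user edits them and the restriction disappears at the next login.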
Re: How to restrict ssh user to the home directory ?
Dear list,

Thanks a lot for all your kind guidance. I am really grateful to you for focusing on different aspects of restricting ssh users.
I have found that Limited Shell, or lshell, is closest to my requirement. As it is based on Python it is heavy on the system, but it is not as lengthy to configure as chroot. Moreover, chroot demands "chown root:root <homedir>", and that is not possible here as these home dirs are actually apache web folders under htdocs, hence they should have the apache user:group as owner.

So lshell seems to work for me.

Thanks once again.





On Thu, 23 Apr 2009 12:20:08 -0500
"Jorge Fco. Rivera" <jorge_grivera@hotmail.com> wrote:

> i a long time read that is possible
>
> this link show how to, are in spanish, but i remenber already in
> english guide.
>
>
> http://www.linuxparatodos.net/portal/staticpages/index.php?page=como-openssh-chroot
>
> good luck!
>
> --------------------------------------------------
> From: "Romain Pelisse" <belaran@gmail.com>
> Sent: Thursday, April 23, 2009 11:07 AM
> To: <secureshell@securityfocus.com>
> Subject: Re: How to restrict ssh user to the home directory ?
>
> > I don't really feell it is possible... It goes a little bit outside
> > the perimeter of sshd here. You should look more on the system
> > side, a tool such as SELinux may be able to enforce this kind of
> > possible.
> >
> > (i don't think it is possible but i'm far from being 100% here, if
> > somebody disagree with me, please do write it :) )
> >
> > 2009/4/21 J. Bakshi <bakshi12@gmail.com>
> >>
> >> Dear list,
> >>
> >> I am running a remote suse server and need to give ssh access to
> >> the users who can work on their particular web folder only. The
> >> version of ssh server is openssh-5.0p1-21.1
> >>
> >> I have already did huge google search but could not find any sshd
> >> features which can allow ssh users
> >> to restrict them in their home directory. I have found some
> >> documentations where chroot or jailkit is used to achieve this and
> >> these need some more configuration and obviously "chown root:root
> >> <home-folder>" . But I need an option which simply restrict ssh
> >> users so that they can't browse beyond their home directory. It is
> >> also not possible to do "chown root:root <home-folder>" as the
> >> folders which are used as home directory are actually web folder
> >> under apache htdocs having apache permission. I don't need sftp
> >> but ssh access. Is it really impossible to have this feature
> >> through ssh technology ?
> >>
> >> Thanks
> >
> >
> >
> > --
> > Romain PELISSE,
> > "The trouble with having an open mind, of course, is that people
> > will insist on coming along and trying to put things in it" -- Terry
> > Pratchett
> > http://belaran.eu/
> >