03-07-2007 07:15 PM
SFTP-jailing specific users
I am using sftp on one of my development boxes and I need your help in fixing the following problem.
I have a group of users, "datausers". All members will be using sftp and should be jailed in the directory /var/opt/data.
I do not wish "datausers" or me to create any profile or other system files in that directory, since my application will be picking up files kept by them in this directory. Users should be able to upload as well as download files from this directory.
All other users should have normal access to the system. Anonymous users should not be allowed.
OS Version: HP-UX 11.11
Please help!!!
03-08-2007 12:05 AM
Re: SFTP-jailing specific users
To jail a user, you must set up the user's home directory path so that it contains a single dot.
Examples:
To make the user "datausr1" see /var/opt/data as the root directory (which will also be his home directory):
usermod -d /var/opt/data/./ datausr1
To make the user "datausr2" see /var/opt/data as the /data directory and make it his home directory:
usermod -d /var/opt/./data datausr2
Unfortunately, this cannot be done on a per-group basis: you must modify each datauser account like this.
If you need the users to be able to use sftp only, you don't need much more than this. Attempts to log in to those user accounts using ssh will fail with a "no shell" error message, as there will be no shell binary inside the chroot environment. To prevent the user from connecting using any other methods, you should change the user's shell into something that does not allow access.
If you can reject the login attempts to datauser accounts without any informative messages to the user, you could set the datausers' shell to /bin/false.
You may need to add /bin/false to /etc/shells to allow them to connect using sftp (it may be that sftp login requires that the user has a shell that is listed in /etc/shells). As /bin/false will return immediately without accepting any input, the datauser will be immediately disconnected if he manages to log in using any method other than ssh or sftp.
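As an added example (not code from this thread or from HP), the following POSIX shell script audits whether each member of the datausers group is actually set up the way the reply above describes: a home path containing "/./", a login shell of /bin/false, and /bin/false listed in /etc/shells. The passwd, group and shells contents are constructed sample data so it runs offline; the function names and the datausrN accounts are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit the chroot setup the reply above
# describes for every member of one group of sftp-only users on HP-UX.
# Rules checked (all stated in the reply):
#   1. the home directory path contains "/./": the part before it is the jail
#      root, the part after it is the home directory as seen inside the jail;
#   2. the login shell is /bin/false;
#   3. that shell is listed in /etc/shells, otherwise sftp logins may be refused.
# The passwd, group and shells contents are constructed sample data so the
# script runs offline; on a real system read /etc/passwd, /etc/group and
# /etc/shells instead. Only supplementary members listed in the group entry are
# checked (users whose primary GID is the group are not looked up).

# jail_root HOME: print the jail root of a chrooted home path; fail if no "/./".
jail_root() {
    case "$1" in
        */./*) r=${1%%/./*}; printf '%s\n' "${r:-/}" ;;
        *)     return 1 ;;
    esac
}

# jail_home HOME: print the home directory as the user sees it inside the jail.
jail_home() {
    case "$1" in
        */./*) printf '/%s\n' "${1#*/./}" ;;
        *)     return 1 ;;
    esac
}

# audit_group GROUP PASSWD_DATA GROUP_DATA SHELLS_DATA
# Prints "ok USER: ..." or "BAD USER: reason" per member; returns 1 if any is bad.
audit_group() {
    group=$1; passwd_data=$2; group_data=$3; shells_data=$4; rc=0
    members=$(printf '%s\n' "$group_data" | awk -F: -v g="$group" '$1 == g { print $4 }')
    for user in $(printf '%s\n' "$members" | tr ',' ' '); do
        entry=$(printf '%s\n' "$passwd_data" | awk -F: -v u="$user" '$1 == u')
        if [ -z "$entry" ]; then
            echo "BAD $user: no passwd entry"; rc=1; continue
        fi
        home=$(printf '%s\n' "$entry" | cut -d: -f6)
        shell=$(printf '%s\n' "$entry" | cut -d: -f7)
        root=$(jail_root "$home") || {
            echo "BAD $user: home $home has no /./ marker, user is not chrooted"; rc=1; continue; }
        if [ "$shell" != /bin/false ]; then
            echo "BAD $user: shell is $shell, expected /bin/false"; rc=1; continue
        fi
        if ! printf '%s\n' "$shells_data" | grep -qxF "$shell"; then
            echo "BAD $user: $shell is not listed in /etc/shells, sftp login may be refused"; rc=1; continue
        fi
        echo "ok $user: jail root $root, home inside jail $(jail_home "$home")"
    done
    return $rc
}

# Constructed sample data: two correctly jailed users, one not chrooted at all,
# one chrooted but still holding an interactive shell.
SAMPLE_PASSWD='datausr1:x:501:200::/var/opt/data/./:/bin/false
datausr2:x:502:200::/var/opt/./data:/bin/false
datausr3:x:503:200::/var/opt/data:/bin/false
datausr4:x:504:200::/var/opt/data/./:/usr/bin/sh
alice:x:505:100::/home/alice:/usr/bin/sh'
SAMPLE_GROUP='datausers:x:200:datausr1,datausr2,datausr3,datausr4'
SAMPLE_SHELLS='/usr/bin/sh
/usr/bin/ksh
/bin/false'

audit_group datausers "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "$SAMPLE_SHELLS" \
    || echo "audit: at least one datausers account is misconfigured"
```

Run it as-is to see the sample report; on the real box, replace the three SAMPLE_ variables with `$(cat /etc/passwd)`, `$(cat /etc/group)` and `$(cat /etc/shells)`. A "BAD" line for a member means that account can still reach the whole filesystem or an interactive shell, which is exactly what the jail is meant to prevent.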
03-08-2007 01:56 AM
Re: SFTP-jailing specific users
http://docs.hp.com/en/T1471-90011/ch01s12.html
There is a section on chroot'ed users and sftp.
03-08-2007 02:17 AM
Re: SFTP-jailing specific users
I am running another instance of sshd on port 45 with a new sshd_config.
I am getting the following message when I tried connecting using coreftp:
Can't establish connection --> serverip:45 @ Thu Mar 08 20:42:57 2007 (122-1)
03-08-2007 02:20 AM
Re: SFTP-jailing specific users
Court, the solution you mentioned does copy a lot of files into the jail. My requirement is not to have anything in the jail or in directories accessible to the user, only the files that the user uploads.
03-08-2007 02:52 AM
Re: SFTP-jailing specific users
The only thing that should be visible to a jailed user is the files that user recently uploaded. You can write a cron script to move those files elsewhere after the upload has been completed.
Secure shell does not permit anonymous users.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
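As an added example (not from this post or from ISN Corporation), here is one way to write the cron script suggested above in POSIX shell. A cron job cannot ask sftp whether a transfer has finished, so it treats a file as complete when its size has not changed since the previous run, and only then moves it out of the jail into a directory the application reads. The directory paths, the state file and the five-minute cron interval are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread: the "cron script" the reply above suggests,
# sweeping completed uploads out of the sftp jail so the jail only ever holds
# files still being written. A portable cron job cannot ask sftp whether a
# transfer has finished, so "completed" is judged as: the file's size is
# unchanged since the previous run. The destination directory must lie outside
# the jail and must not be writable by the datausers. The paths below and the
# state file are assumptions for this example.

# sweep_uploads UPLOAD_DIR DEST_DIR STATE_FILE
# Moves each regular file in UPLOAD_DIR whose size equals the size recorded on
# the previous run; records the sizes of the files left behind for the next run.
# Prints the name of every file moved.
sweep_uploads() {
    src=$1; dst=$2; state=$3; newstate="$3.new"
    [ -f "$state" ] || : > "$state"
    : > "$newstate"
    for f in "$src"/*; do
        [ -f "$f" ] || continue          # skip subdirectories and the empty glob
        name=${f##*/}
        size=$(wc -c < "$f" | tr -d ' ')
        # The state file holds one "SIZE NAME" line per file seen last run; a
        # fixed, whole-line match survives spaces and regex characters in names.
        if grep -qxF "$size $name" "$state"; then
            mv -f "$f" "$dst/" && printf '%s\n' "$name"
        else
            printf '%s %s\n' "$size" "$name" >> "$newstate"
        fi
    done
    mv -f "$newstate" "$state"
}

# Constructed demonstration on a scratch directory. Under cron it would run as,
# for example (assumed paths):
#   */5 * * * * /usr/local/bin/sweep_uploads.sh /var/opt/data /var/opt/app/inbox /var/opt/app/.sweep-state
demo=$(mktemp -d)
mkdir "$demo/jail" "$demo/inbox"
printf 'a,b,c\n' > "$demo/jail/orders.csv"
echo "run 1 moved: [$(sweep_uploads "$demo/jail" "$demo/inbox" "$demo/state")]"   # nothing yet
echo "run 2 moved: [$(sweep_uploads "$demo/jail" "$demo/inbox" "$demo/state")]"   # orders.csv
rm -r "$demo"
```

The size-stability check means a file is never handed to the application sooner than one cron interval after the last byte arrived, and a transfer that stalls or resumes is simply left in the jail until it stops growing. Moved files are deliberately not recorded, so the state file only ever lists what is still waiting in the jail.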
03-08-2007 03:17 AM
Re: SFTP-jailing specific users
The thing is that I usually use vsftpd instead of sftp for ftp. I usually set vsftpd up to chroot users to their own home directory. I don't think this can be done easily with sftp.