HPE Community
Operating System - Linux
1753366 Members
5371 Online
108792 Solutions
New Discussion юеВ

Re: rbash is great but sftp doesn't work with it

 
Adam Noble
Super Advisor

тАО04-04-2007 02:14 AM

тАО04-04-2007 02:14 AM

rbash is great but sftp doesn't work with it

Hi,

What a nightmare this is turning out to be. I'm amazed this is so difficult. We have a server hosting numerous virtual webservers and we need people to be able to upload information. I don't want them to use sftp for security reasons but clearly sftp does not work with rbash. I need rbash as I do not want them viewing other customers information. In otherwords I do not want them to be able to traverse directories.

So what are my options. Its coming down to using standard ftp which is not ideal. Can anyone help.

Adam
0 Kudos
Reply
4 REPLIES 4
Steven E. Protter
Exalted Contributor

тАО04-04-2007 02:45 AM

тАО04-04-2007 02:45 AM

Re: rbash is great but sftp doesn't work with it

Shalom,

Use the shell, /bin/false or /sbin/nologin

This blocks login completely from the command line.

It is possible to acheive other results by chrooting sftp.

http://www.linuxforums.org/forum/linux-security/3215-chroot-openssh.html

http://www.linuxforums.org/forum/linux-security/3215-chroot-openssh-2.html

http://archives.neohapsis.com/archives/sf/linux/2001-q4/0189.html

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Heironimus
Honored Contributor

тАО04-04-2007 03:11 AM

тАО04-04-2007 03:11 AM

Re: rbash is great but sftp doesn't work with it

Neither ftp or sftp actually USES the shell, so using rbash will probably not do what you want either way (though some ftp servers offer that level of restriction).

In a web hosting environment I can see no legitimate reason for people to have real shell access, so scponly or rssh may do what you need with a lot less work than a full do-it-yourself chroot setup.

Another option is to just use another mechanism altogether, such as webdav or PUT over HTTPS. But either one probably requires a lot more work on your side.
0 Kudos
Reply
Court Campbell
Honored Contributor

тАО04-04-2007 04:47 AM

тАО04-04-2007 04:47 AM

Re: rbash is great but sftp doesn't work with it

just install vsftpd. in the conf file setup the chroot option to chroot users to their home directory. Also turn off the anonymouns logins. set the users shell to /sbin/nologin. then they can ftp and will be confined to their home directory. Also, they cannot login via ssh, etc.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
Reply
Court Campbell
Honored Contributor

тАО04-04-2007 04:49 AM

тАО04-04-2007 04:49 AM

Re: rbash is great but sftp doesn't work with it

also if the connection needs to be secure you can setup vsftpd up with a certificate. Here is a nice howto:

http://wiki.vpslink.com/index.php?title=Configuring_vsftpd_for_secure_connections_(TLS/SSL/SFTP)

"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.