rbash is great but sftp doesn't work with it

Adam Noble
Super Advisor

Hi,

What a nightmare this is turning out to be. I'm amazed this is so difficult. We have a server hosting numerous virtual webservers and we need people to be able to upload information. I don't want them to use sftp for security reasons but clearly sftp does not work with rbash. I need rbash as I do not want them viewing other customers' information. In other words I do not want them to be able to traverse directories.

So what are my options? It's coming down to using standard ftp which is not ideal. Can anyone help?

Adam
4 REPLIES
Steven E. Protter
Exalted Contributor

Re: rbash is great but sftp doesn't work with it

Shalom,

Use the shell, /bin/false or /sbin/nologin

This blocks login completely from the command line.

It is possible to achieve other results by chrooting sftp.

http://www.linuxforums.org/forum/linux-security/3215-chroot-openssh.html

http://www.linuxforums.org/forum/linux-security/3215-chroot-openssh-2.html

http://archives.neohapsis.com/archives/sf/linux/2001-q4/0189.html

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Heironimus
Honored Contributor

Re: rbash is great but sftp doesn't work with it

Neither ftp nor sftp actually USES the shell, so using rbash will probably not do what you want either way (though some ftp servers offer that level of restriction).

In a web hosting environment I can see no legitimate reason for people to have real shell access, so scponly or rssh may do what you need with a lot less work than a full do-it-yourself chroot setup.

Another option is to just use another mechanism altogether, such as webdav or PUT over HTTPS. But either one probably requires a lot more work on your side.
Court Campbell
Honored Contributor

Re: rbash is great but sftp doesn't work with it

Just install vsftpd. In the conf file set up the chroot option to chroot users to their home directory. Also turn off the anonymous logins. Set the users' shell to /sbin/nologin. Then they can ftp and will be confined to their home directory. Also, they cannot log in via ssh, etc.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Court Campbell
Honored Contributor

Re: rbash is great but sftp doesn't work with it

Also, if the connection needs to be secure you can set vsftpd up with a certificate. Here is a nice howto:

http://wiki.vpslink.com/index.php?title=Configuring_vsftpd_for_secure_connections_(TLS/SSL/SFTP)

"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
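
The vsftpd setup suggested in the two replies above, turned into a check (an added example, not part of any post in the thread): it audits a vsftpd.conf for anonymous logins off, local users chrooted and TLS on, counting a missing key as vsftpd's built-in default, and checks that an account's shell is one of the no-login shells named in the thread. The file names, the `cust1`/`cust2` accounts and the sample contents are constructed, and "last assignment wins" for a repeated key is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Sample files below are constructed.

# Normalise a vsftpd boolean (YES/TRUE/1, any case) to YES, anything else to NO.
norm_bool() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) echo YES ;;
        *)          echo NO ;;
    esac
}

# Effective value of option $2 in file $1; falls back to the built-in default $3.
# Assumption: when a key is repeated, the last assignment is the one in effect.
vsftpd_opt() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    norm_bool "${val:-$3}"
}

# Check the settings named in the thread; return status = number of failures.
# Each spec is key:built-in-default:wanted-value.
audit_vsftpd() {
    fails=0
    for spec in anonymous_enable:YES:NO chroot_local_user:NO:YES ssl_enable:NO:YES; do
        key=${spec%%:*}; rest=${spec#*:}; def=${rest%%:*}; want=${rest#*:}
        got=$(vsftpd_opt "$1" "$key" "$def")
        if [ "$got" = "$want" ]; then
            echo "ok   $key=$got"
        else
            echo "FAIL $key=$got (want $want)"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Succeeds if user $2 in passwd-format file $1 has a no-login shell.
shell_is_nologin() {
    case $(awk -F: -v u="$2" '$1 == u { print $7 }' "$1") in
        /sbin/nologin|/bin/false) return 0 ;;
        *)                        return 1 ;;
    esac
}

# Constructed inputs: a stock-looking config, a hardened one, two passwd entries.
tmp=$(mktemp -d)
printf '%s\n' '# defaults left alone' 'local_enable=YES' 'write_enable=YES' > "$tmp/weak.conf"
printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' 'write_enable=YES' \
    'chroot_local_user=YES' 'ssl_enable=YES' > "$tmp/hard.conf"
printf '%s\n' 'cust1:x:1001:1001::/home/cust1:/sbin/nologin' \
    'cust2:x:1002:1002::/home/cust2:/bin/bash' > "$tmp/passwd"

audit_vsftpd "$tmp/weak.conf" || echo "weak.conf: $? setting(s) need attention"
audit_vsftpd "$tmp/hard.conf" && echo "hard.conf: all three settings as described"
```

Where vsftpd's PAM stack includes pam_shells, the no-login shell also has to be listed in /etc/shells, otherwise the FTP login is refused along with the shell login.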