Excellent article.
It's a gem, rich and concise, that teaches me a new thing every line. And it is such a useful idea, I know I will come back to it many times in the future.
Thanks!
Discussion on:
View:
Show:
It will save disk space and reduce maintenance work.
You've done it again, man. I've always been a huge fan of openssh, and I really like interesting articles such as this.
What would you think of putting busybox (y'know, the statically-linked command-line shell-in-a-shell swiss army knife) inside the chroot environment, in place of all the other stuff? This would save time, but I suppose if this is a setup that is intended to be replicated repeatedly, you would want to automate that with a shell script or something, anyway.
Just a thought. What think the rest of you?
What would you think of putting busybox (y'know, the statically-linked command-line shell-in-a-shell swiss army knife) inside the chroot environment, in place of all the other stuff? This would save time, but I suppose if this is a setup that is intended to be replicated repeatedly, you would want to automate that with a shell script or something, anyway.
Just a thought. What think the rest of you?
My first instinct is that it would set a minimum level of functionality too high.
If a user doesn't need, tar, ls, cd or some other specific function then I'd leave it out of the chroot environment (ls and cd are stretching it but it's an example). With Busybox, I think you'd need to recompile without the unneeded functions else every user gets more than they need by default.
It may break least privilege by forcing you to open up more than is required by the user.
If a user doesn't need, tar, ls, cd or some other specific function then I'd leave it out of the chroot environment (ls and cd are stretching it but it's an example). With Busybox, I think you'd need to recompile without the unneeded functions else every user gets more than they need by default.
It may break least privilege by forcing you to open up more than is required by the user.
Can you recommend vpn software with a management gui to allow & disallow select folder access & priviledges per user?
(windows or linux, doesn't matter)thanks
(windows or linux, doesn't matter)thanks
Subsystem sftp internal-sftp
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
>>> Only chroot for SFTP, but we are using SSH services and bash shell, what do we configuration for SSH and using command at home's bash shell
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
>>> Only chroot for SFTP, but we are using SSH services and bash shell, what do we configuration for SSH and using command at home's bash shell
Doing this with crash SSH if you don't have the right version of OpenSSH installed. If you can't walk over to the server, then you will be locked out and need to have your host provider manually fix the issue at the server itself.
If you have *any doubts*, temporarily enable Telnet so that you can have a backdoor in to fix your sshd_config file if needed.
I followed advice which led people to believe that you can have an old version, say 3.9 on CentOS, that if your server does regular updates your version has been backported and all necessary patches have been applied. DO NOT RELY ON THIS! Manually install the update if your version is not up to date.
If you have *any doubts*, temporarily enable Telnet so that you can have a backdoor in to fix your sshd_config file if needed.
I followed advice which led people to believe that you can have an old version, say 3.9 on CentOS, that if your server does regular updates your version has been backported and all necessary patches have been applied. DO NOT RELY ON THIS! Manually install the update if your version is not up to date.
... this little post and was very much astonished as to how well it answered the very problems I was experiencing. Just wanted to relay a warm and heartfelt thanks. Driveway Lights | Outdoor String Lights
does this work with slackware 13.37 ?? this seems very simple/cut and dry.... great way to confine users.... just hope i can make it work with on slackware box
- Keyboard Shortcuts:
- Prev
- Next
- Toggle
