Thread: security/openssh-portable

security/openssh-portable
2008-03-11 17:08:44
Hi,

I'm setting up a 'chrooted' SFTP only set of users:

/etc/make.conf:
.if ${.CURDIR:M*/usr/ports/security/openssh-portable*}
   WITH_SUID_SSH         =yes
   WITH_OPENSSH_CHROOT   =yes
   WITH_HPN              =yes
   WITH_OVERWRITE_BASE   =yes
.endif

/etc/rc.conf:
sshd_enable="NO"
openssh_enable="YES"

/etc/passwd:
user:3000:3000::0:0:F L:/foo/./user:/bin/sh

Access will be with ssh dsa keys only.

What is the best way to make this SFTP only and not SSH?
1) .ssh/authorization?
2) change user's shell to /usr/local/libexec/sftp-server
3) change user's shell to a custom C wrapper around [2]
4) a combination of them

-- 
------------------------------------------------------------------------
Philip M. Gollucci (philipridecharge.com)
o:703.549.2050x206
Senior System Admin - Riderway, Inc.
http://riderway.com / http://ridecharge.com
1024D/EC88A0BF 0DE5 C55C 6BF3 B235 2DAB  B89E 1324 9B4F EC88 A0BF

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.

_______________________________________________
freebsd-questionsfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribefreebsd.org"

Re: security/openssh-portable
2008-03-11 17:16:10
On Tue, Mar 11, 2008 at 06:08:44PM -0400, Philip M. Gollucci wrote:

> Hi,
> 
> I'm setting up a 'chrooted' SFTP only set of users:
> 
> /etc/make.conf:
> .if ${.CURDIR:M*/usr/ports/security/openssh-portable*}
>   WITH_SUID_SSH         =yes
>   WITH_OPENSSH_CHROOT   =yes
>   WITH_HPN              =yes
>   WITH_OVERWRITE_BASE	=yes
> .endif
> 
> /etc/rc.conf:
> sshd_enable="NO"
> openssh_enable="YES"
> 
> /etc/passwd:
> user:3000:3000::0:0:F L:/foo/./user:/bin/sh
> 
> Access will be with ssh dsa keys only.
> 
> What is the best way to make this SFTP only and not SSH?
> 1) .ssh/authorization?
> 2) change user's shell to /usr/local/libexec/sftp-server
> 3) change user's shell to a custom C wrapper around [2]
> 4) a combination of them

The usual thing is to make the shell /bin/nologin.

////jerry


Re: security/openssh-portable
2008-03-11 17:26:51
>> user:3000:3000::0:0:F L:/foo/./user:/bin/sh
> The usual thing is make the shell   /bin/nologin
Hi Jerry, Thanks -- but
Changed to /usr/sbin/nologin

So that's not in the 'chroot' aka /foo/user/usr/sbin/nologin

$ sftp -v -v -v userdevX.domain.tld
OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.8e 23 Feb 2007
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.7p1-hpn12v20 FreeBSD-openssh-portable-overwrite-base-4.7.p1_1,1
debug1: match: OpenSSH_4.7p1-hpn12v20 FreeBSD-openssh-portable-overwrite-base-4.7.p1_1,1 pat OpenSSH*

debug2: channel 0: open confirm rwindow 0 rmax 32768
Request for subsystem 'sftp' failed on channel 0



Re: security/openssh-portable
2008-03-11 18:47:11
On Tue, Mar 11, 2008 at 06:26:51PM -0400, Philip M. Gollucci wrote:

> >> user:3000:3000::0:0:F L:/foo/./user:/bin/sh
> > The usual thing is make the shell /bin/nologin
> Hi Jerry, Thanks -- but
> Changed to /usr/sbin/nologin
> 
> So that's not in the 'chroot' aka /foo/user/usr/sbin/nologin

Well, you can make your own nologin.
Just copy the other one and make it only executable - not writable.

////jerry


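One way to implement the OP's option 3 (a custom C wrapper in place of the login shell), as an added example that is not from this thread or from the openssh-portable port: sshd starts a subsystem by running the account's shell as "shell -c '<Subsystem command>'", so a wrapper that accepts exactly that invocation and execs sftp-server directly lets the sftp subsystem work while refusing interactive logins, scp and any other -c command, which is what a plain nologin shell cannot do. It assumes the Subsystem line in sshd_config names /usr/local/libexec/sftp-server with no flags (adjust SFTP_SERVER to match), and, for the chrooted case, that the wrapper and sftp-server, with any shared libraries they need, are present under the chroot.

```c
/* sftp-shell.c: example added to this thread, not from the OP or the port.
 * Restricted login shell that only permits the one invocation sshd uses to
 * start the sftp subsystem, then execs sftp-server directly. Assumes the
 * sshd_config Subsystem command is exactly SFTP_SERVER (adjust to match
 * your install); any flags on that line would make the comparison fail. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SFTP_SERVER "/usr/local/libexec/sftp-server"

/* Returns 1 only for "<shell> -c <SFTP_SERVER>", which is how sshd runs a
 * subsystem through the login shell. Interactive logins (argc == 1), scp
 * ("-c 'scp -t ...'") and any other -c command return 0. */
int sftp_only_allowed(int argc, char **argv)
{
    if (argc != 3)
        return 0;
    if (strcmp(argv[1], "-c") != 0)
        return 0;
    return strcmp(argv[2], SFTP_SERVER) == 0 ? 1 : 0;
}

int main(int argc, char **argv)
{
    if (!sftp_only_allowed(argc, argv)) {
        fprintf(stderr, "This account is restricted to SFTP.\n");
        return 1;
    }
    /* Exec sftp-server with a fixed argv and an empty environment, so no
     * real shell ever parses the command string. Inside a chroot the path
     * is resolved relative to the chroot root, so sftp-server and this
     * wrapper (plus any shared libraries) must be installed under it. */
    char *const args[] = { SFTP_SERVER, NULL };
    char *const env[] = { NULL };
    execve(SFTP_SERVER, args, env);
    perror("execve " SFTP_SERVER);
    return 1;
}
```

Build it with cc -static, install it inside the chroot, and set it as the user's shell; the sftp -v test shown above should then succeed while an interactive ssh login prints the refusal and exits.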