SFTP only access in chrooted jail?
Hi
I'm trying to make it so a user only has sftp access in a chrooted jail.
I've tried following a couple of walkthroughs with no success:
http://www.macresearch.org/restricted-sftp-mac-os-x-leopard
http://www.debian-administration.org/articles/590
This is 10.6.2 Server.
I created my user and ran the following steps as root.
chmod g-w /
chmod g-w /Volumes/HD
chown root /Volumes/HD
mkdir /Volumes/HD/user_dir
chown user /Volumes/HD/user_dir
chmod 700 /Volumes/HD/user_dir
I've added this to my sshd_config file:
# override default of no subsystems
#Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp
Match User user
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /Volumes/HD
ForceCommand internal-sftp
Here is what I get when I try to ssh or sftp:
sftp user@localhost
Connecting to localhost...
Password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).
Connection closed
Any help is greatly appreciated.
Thanks.
Hmmm, strange. I think I figured it out.
Finally went with:
Subsystem sftp internal-sftp
Match User user
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /chroot
ForceCommand internal-sftp
Create a new dir, chroot, and another dir inside it.
The chroot must be owned by root, and group or other cannot have write access to any of it.
The dir I created inside chroot is chmod 700 and owned by my user.
It looks like because ChrootDirectory must have the directory owned by root and unwritable by others, you can't direct your user straight to their locked-down dir. They must sftp in to chroot, then cd to their folder.
Not sure how to get around this.
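Added example, not code from the thread: a small shell script that checks a candidate ChrootDirectory path the same way sshd does before it will accept a session. sshd_config(5) requires every directory component of the path, from / down to the chroot root, to be owned by root and not writable by group or other; a violation is refused server-side and the client only sees the "Permission denied" / "Connection closed" shown above. This is why the poster had to chmod g-w / and /Volumes/HD, and why the final layout puts the user's own writable directory one level below the chroot. The same check applies to a ChrootDirectory %h layout. The path /Volumes/HD in the usage line is taken from the thread; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Validates an OpenSSH
# ChrootDirectory path against the rule in sshd_config(5): every directory
# component must be owned by root and must not be group- or other-writable.
# It parses 'ls -ldn' (mode in field 1, numeric uid in field 3) because that
# output is the same on Mac OS X, Linux and Solaris, unlike stat(1) formats.

# Check one component given an ls-style mode string and a numeric uid.
# Prints each problem found; returns 0 only when the component is acceptable.
chroot_component_ok() {
    mode=$1            # e.g. drwxr-xr-x
    uid=$2             # numeric owner uid
    name=${3:-$mode}   # label used in messages
    ok=0
    case $mode in
        d*) ;;
        *)  echo "$name: not a directory ($mode)"; ok=1 ;;
    esac
    if [ "$uid" != 0 ]; then
        echo "$name: owned by uid $uid, ChrootDirectory components must be owned by root"
        ok=1
    fi
    # character 6 is the group write bit, character 9 the other write bit
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "$name: group/other-writable ($mode), fix with: chmod go-w $name"
        ok=1
    fi
    return $ok
}

# Look up mode and uid of a real path and run the component check on it.
check_dir() {
    p=$1
    if [ ! -e "$p" ]; then
        echo "$p: does not exist"
        return 1
    fi
    line=$(ls -ldn "$p") || return 1
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    uid=$(printf '%s\n' "$line" | awk '{print $3}')
    chroot_component_ok "$mode" "$uid" "$p"
}

# Walk an absolute path and check every component in turn, e.g. /, /Volumes,
# /Volumes/HD. Returns 0 only if all of them pass.
check_chroot_path() {
    target=$1
    status=0
    acc=""
    oldifs=$IFS
    IFS='/'
    set -- $target
    IFS=$oldifs
    check_dir / || status=1
    for part in "$@"; do
        if [ -n "$part" ]; then
            acc="$acc/$part"
            check_dir "$acc" || status=1
        fi
    done
    return $status
}

# Usage: sh check_chroot.sh /Volumes/HD
if [ -n "$1" ]; then
    check_chroot_path "$1" && echo "$1: acceptable for ChrootDirectory"
fi
```

Run it as root or not; it only reads metadata. A chroot placed under /tmp or any other world-writable directory is reported as invalid for the same reason sshd rejects it, so the script also explains the common "it works from /srv but not from /tmp" surprise.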
Similar Messages
-
How to restrict "sftp only" user into your home dir and subdir
Hi OTN forums members
Question: I want to restrict an sftp-only user to browse ONLY in their home directory and subdirectories. I don't want the sftp user to access other directories.
Details: I want to use the "ssh bundle package" on s10 (only packages in the SUNWCXall installation cluster). I don't want to use an "external package" such as ProFTP, Chroot, the sunfreeware OpenSSH package, etc. Is it possible?
Technical details of my (test) system: the hostname and username are fantasy names, not real ;-)
root@sunlab1:/[1]$ cat /etc/release
Solaris 10 5/09 s10s_u7wos_08 SPARC
Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 30 March 2009
root@sunlab1:/[2]$ uname -a
SunOS sunlab1 5.10 Generic_142909-17 sun4u sparc SUNW,Sun-Blade-100
root@sunlab1:/[3]$ grep explorer /etc/group
explorer::111:
root@sunlab1:/[4]$ grep explorer /etc/passwd
explorer:x:111:111:Sun Explorer Data Collector sftp only user:/export/home/explorer:/usr/lib/ssh/sftp-server
root@sunlab1:/[5]$ zfs list
NAME USED AVAIL REFER MOUNTPOINT
rpool 27.3G 9.33G 96K /rpool
rpool/ROOT 11.6G 9.33G 18K legacy
rpool/ROOT/s10s_u7wos_08 11.6G 9.33G 11.6G /
rpool/cfengine 73.7M 950M 73.7M /var/cfengine
rpool/dump 1.00G 9.33G 1.00G -
rpool/export 5.01G 9.33G 11.8M /export
rpool/export/home 1.40G 3.60G 1.40G /export/home
rpool/mp3 2.65G 2.35G 2.65G /mp3
rpool/patches 206M 2.80G 206M /var/patches
rpool/swap 768M 9.58G 514M -
root@sunlab1:/[6]$
root@sunlab1:/[7]$ cd /export/home
root@sunlab1:/export/home[9]$ ls -la
total 47
drwxr-xr-x 5 root root 9 Oct 7 09:51 .
drwxr-xr-x 4 root sys 6 Jun 7 09:44 ..
drwxr-x--- 11 explorer explorer 11 Oct 7 11:30 explorer
root@sunlab1:/[8]$ sftp explorer@sunlab1
Connecting to sunlab1...
Password:
sftp> dir
[...more output...]
sftp> pwd
Remote working directory: /export/home/explorer
sftp> cd /var/adm
sftp> dir
[...more output...]
sftp> get messages
Fetching /var/adm/messages to messages
sftp> pwd
Remote working directory: /var/adm
sftp> bye
root@sunlab1:/[9]$
root@sunlab1:/[10]$ pkginfo -l SUNWsshr
PKGINST: SUNWsshr
NAME: SSH Client and utilities, (Root)
CATEGORY: system
ARCH: sparc
VERSION: 11.10.0,REV=2005.01.21.15.53
BASEDIR: /
VENDOR: Sun Microsystems, Inc.
DESC: Secure Shell protocol Client and associated Utilities
[...snip...]
root@sunlab1:/[11]$ pca -l installed --pattern=[Ss]sh
[...snip...]
Using /var/patches/pca/patchdiag.xref from Oct/14/10
Host: sunlab1 (SunOS 5.10/Generic_142909-17/sparc/sun4u)
List: installed (3/584)
Patch IR CR RSB Age Synopsis
141742 04 = 04 -S- 427 Obsoleted by: 141444-09 SunOS 5.10: sshd patch
143140 04 = 04 RS- 119 Obsoleted by: 143559-03 SunOS 5.10: ssh patch
143559 03 = 03 RS- 38 SunOS 5.10: ssh scp patch
root@sunlab1:/[12]$ pca -l 141444 143559
Using /var/patches/pca/patchdiag.xref from Oct/14/10
Host: sunlab1 (SunOS 5.10/Generic_142909-17/sparc/sun4u)
List: 141444 143559 (2/405)
Patch IR CR RSB Age Synopsis
141444 09 = 09 RS- 367 SunOS 5.10: kernel patch
143559 03 = 03 RS- 38 SunOS 5.10: ssh scp patch
root@sunlab1:/[13]$
Legend:
PCA = Patch Check Advanced (http://www.par.univie.ac.at/solaris/pca/), a free and fast third-party tool to analyze, download and install patches for Solaris
IR = Installed Rev. CR = Current Rev. (published in patchdiag.xref from Oct/14/10)
RSB = [R]ecommended, [S]ecurity, [B]ad patches
Reading "man sshd_config" and "man sftp-server" and Google searching were not helpful. Nothing from MOS Community search.
Any idea?
Best Regards
Michele V.
P.S.: Excuse me for my bad English.
Hi OTN forums members,
I find the solution. Thanks Andrea Manganaro (aka Amanga) for the help.
1) Download and install OpenSSH for Solaris 10/SPARC and all dependencies (please read the note at http://www.sunfreeware.com/openssh.html):
- openssh-5.6p1-sol10-sparc-local.gz (ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/openssh-5.6p1-sol10-sparc-local.gz)
- openssl-1.0.0a-sol10-sparc-local.gz (ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/openssl-1.0.0a-sol10-sparc-local.gz)
- zlib-1.2.5-sol10-sparc-local.gz (ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/zlib-1.2.5-sol10-sparc-local.gz)
- libgcc-3.4.6-sol10-sparc-local.gz (ftp://ftp.sunfreeware.com/pub/freeware/sparc/10/libgcc-3.4.6-sol10-sparc-local.gz)
2) Configure the /usr/local/etc/sshd_config file with the "ChrootDirectory" directive. For me:
# override default of no subsystems
#Subsystem sftp /usr/local/libexec/sftp-server
Subsystem sftp internal-sftp
[...]
# Example of overriding settings on a per-user basis
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
3) Create a group and user for the sftp-only account. For me:
root@taurus # groupadd sftponly
root@taurus # grep sftponly /etc/group
sftponly::202:
root@taurus # useradd -g sftponly -c "Sftp only user" -d /export/home/explorer -s /bin/false -m explorer
explorer:x:1002:202:Sftp only user:/export/home/explorer:/bin/false
root@taurus # passwd explorer
New Password:
Re-enter new Password:
passwd: password successfully changed for explorer
root@taurus #
4) Change the home directory permissions and create a read/write directory (uploads) for the sftponly user account.
root@taurus # cd /export/home
root@taurus # ls -la
total 14
drwxr-xr-x 4 root root 4 Oct 29 15:28 .
drwxr-xr-x 3 root sys 3 Jan 22 2009 ..
drwxr-xr-x 3 explorer sftponly 3 Oct 29 15:41 explorer
root@taurus # chown root:sftponly explorer; chmod 750 explorer
root@taurus # ls -la
total 14
drwxr-xr-x 4 root root 4 Oct 29 15:28 .
drwxr-xr-x 3 root sys 3 Jan 22 2009 ..
drwxr-x--- 3 root sftponly 3 Oct 29 15:41 explorer
root@taurus #
This will make a read-only, chrooted directory, perfect for people to come in and get stuff but never write.
For example, you could make a directory explorer/uploads that allows people to write to it. Then you can moderate what gets copied into the read-only /explorer area. Remember that if a user can write in a directory then they can also delete anything in that directory.
root@taurus # cd explorer
root@taurus # mkdir uploads && chown -R explorer:sftponly uploads && chmod 0755 uploads
root@taurus # ls -al
total 9
drwxr-x--- 3 root sftponly 3 Oct 29 15:41 .
drwxr-xr-x 4 root root 4 Oct 29 15:28 ..
drwxr-xr-x 2 explorer sftponly 2 Oct 29 15:56 uploads
root@taurus #
5) Disable the SunSSH "service" and enable the OpenSSH "service" (with SMF):
root@taurus # svcadm disable ssh
See http://www.sunfreeware.com/sshsol10.html for running OpenSSH via SMF on Solaris 10 systems.
root@taurus # svcadm disable ossh
root@taurus # svcs -a | grep ssh
disabled 12:37:51 svc:/network/ssh:default
online 15:29:41 svc:/network/ossh:default
root@taurus #
6) Test your job :-)
Helpful links:
==============
http://www.sunfreeware.com
http://www.openssh.org
http://calomel.org/sftp_chroot.html
HTH
Michele Vecchiato
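As an added example (not from either of Michele's posts), the following shell audit captures the difference between the two configurations in this thread: an account whose only restriction is an sftp-server login shell, as in the first post, which the session transcript shows can still cd into /var/adm and fetch files, versus an account covered by a Match Group block that sets ChrootDirectory, as in the fix. It reads passwd, group and sshd_config files and lists sftp-shell accounts that no Match User/Group block with ChrootDirectory covers. The sample files are constructed in a temporary directory so the block runs offline; the explorer and sftponly names come from the thread, while the drop and alice accounts and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits sftp-only accounts:
# a login shell of .../sftp-server limits the protocol but not the
# filesystem, so such an account should also be inside a Match block with
# ChrootDirectory. Only 'Match User' and 'Match Group' criteria are parsed.

# Users whose login shell (passwd field 7) is an sftp-server binary,
# printed as user:primary_gid.
sftp_shell_users() {
    awk -F: '$7 ~ /sftp-server$/ { print $1 ":" $4 }' "$1"
}

# Names covered by a Match block that sets ChrootDirectory, printed as
# "user NAME" or "group NAME" (comma-separated lists are expanded).
chroot_match_targets() {
    awk '
        function flush(   n, i, parts) {
            if (kind != "" && has) {
                n = split(names, parts, ",")
                for (i = 1; i <= n; i++) print kind, parts[i]
            }
            kind = ""; names = ""; has = 0
        }
        tolower($1) == "match" {
            flush()
            if (tolower($2) == "user" || tolower($2) == "group") {
                kind = tolower($2); names = $3
            }
            next
        }
        tolower($1) == "chrootdirectory" && kind != "" { has = 1 }
        END { flush() }
    ' "$1"
}

# Primary and supplementary groups of a user, one per line.
user_groups() {   # $1 user, $2 primary gid, $3 group file
    awk -F: -v u="$1" -v g="$2" '
        $3 == g { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$3"
}

# sftp-shell users that no Match User/Group + ChrootDirectory block covers.
unchrooted_sftp_users() {   # $1 passwd, $2 group, $3 sshd_config
    targets=$(chroot_match_targets "$3")
    sftp_shell_users "$1" | while IFS=: read -r user gid; do
        covered=0
        printf '%s\n' "$targets" | grep -qx "user $user" && covered=1
        for grp in $(user_groups "$user" "$gid" "$2"); do
            printf '%s\n' "$targets" | grep -qx "group $grp" && covered=1
        done
        if [ "$covered" -eq 0 ]; then echo "$user"; fi
    done
}

# Constructed sample inputs mirroring the thread: 'explorer' as in the first
# post (sftp-server shell, no chroot), 'drop' as in the fix (group sftponly
# with ChrootDirectory). 'drop' and 'alice' are made up for this example.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
explorer:x:111:111:Sun Explorer Data Collector sftp only user:/export/home/explorer:/usr/lib/ssh/sftp-server
drop:x:1002:202:Sftp only user:/export/home/drop:/usr/lib/ssh/sftp-server
alice:x:1003:1003:Alice:/export/home/alice:/bin/bash
EOF
    cat > "$dir/group" <<'EOF'
root::0:
explorer::111:
sftponly::202:alice
alice::1003:
EOF
    cat > "$dir/sshd_config" <<'EOF'
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
Match User alice
    X11Forwarding no
EOF
    echo "$dir"
}

samples=$(make_samples)
echo "sftp-shell accounts with no ChrootDirectory Match block:"
unchrooted_sftp_users "$samples/passwd" "$samples/group" "$samples/sshd_config"
rm -rf "$samples"
```

On a real host point the three functions at /etc/passwd, /etc/group and the sshd_config actually in use (/usr/local/etc/sshd_config for the sunfreeware build above, /etc/ssh/sshd_config for SunSSH). A global ChrootDirectory outside any Match block is not counted, so treat a clean report as a prompt to confirm with an actual sftp session, as the thread does.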
I want to run rtorrent in a chroot jail. Correct me if wrong, but jailing rtorrent would consume much more RAM because rtorrent will not use libraries that it needs and that may already be in memory.
So I wonder, why don't people just create a new user, install ACL, block everything for that user except read access to /lib and some config files, and execute permission on only the needed binaries? It would be easy to do since, as I understand it, if you block all /bin permissions for the restricted user, all future files there will inherit those permissions. The only problem I see is that if you update, you will have to set some permissions again, easily fixed with a script. ACL seems much easier to set up than chroot jails!
When you run rtorrent under that restricted user, even if rtorrent is exploited, the attacker will not be able to do much, as ACL will not let him execute anything but basic commands.
So, why is it that people seem to prefer chroot jails? Does installing ACL have some kind of performance penalty?
_Mike_ wrote:
> Does installing ACL have some kind of performance penalty?
Do you mean Mandatory Access Control? Filesystem ACL is already installed on every Linux system.
> When you run rtorrent under that restricted user, even if rtorrent is exploited, the attacker will not be able to do much, as ACL will not let him execute anything but basic commands.
Chroot jails were not created to be used as a security tool and are very easy to break out of. Filesystem ACL is very limited in scope and also provides little security.
You might want to look into using Mandatory Access Control (MAC) which is available with TOMOYO Linux, AppArmor, SELinux or SMACK. SELinux is the most powerful, but will take a long time to master. TOMOYO Linux is easier to use and the relevant packages are already in [community]. See the wiki page for more information.
All MAC implementations have a small degree of performance penalty. SELinux probably has the greatest penalty, but overall you probably won't notice anything with any of the implementations.
Last edited by jnguyen (2011-04-13 06:48:36)
-
I've got a running chroot jail to allow semi-trusted users ssh access to my webhosting server. The problem is that they can't change their passwords because `passwd` can't access files outside the chroot jail (as it's supposed to be). I've read about someone solving this using nsswitch.conf and some sort of setup to make it possible for the users to change their passwords.
The question is basically, how do I get around this problem, making it possible for the logged-in users to change their own password?
-
Oh what a tangled web we weave. I read up on keychain and I don't understand what I'm reading. Right now I cannot download my email on my computer; I can access it through the cloud. I'm sure it will be the same for the other iCloud features. When I go to preferences and select iCloud, whenever I try to sign in I get a dialog box that says "A keychain cannot be found to store 1076701306." It doesn't matter whether I reset it or cancel it out; iCloud preferences remain grayed out.
In Keychain Access, on the left side under Keychains, it reads Local Items, System, and System Roots.
When I select Local Items nothing shows up on the right under the Name column, even when All Items is selected below; nothing shows up. And nothing shows up on the right when under Categories I select the other options, Passwords etc. On the other hand, when I select System or System Roots under Keychains I do get items showing up on the right side under Name, under All Items, Passwords, etc. Where do I start?
-
I have a Game Center account that has 2 accounts in the same Apple ID. The problem is I can only access one account. When I try to type in the second account it says already taken. How do I change to the 2nd account with the same Apple ID? Please help.
That's the issue: you bought the OS online, so Donald is right, it is being mailed to you. Post the URL where you bought it.
The 'App Store' is an application running on OS X itself where you can download software.
So, you have to wait for Mountain Lion to arrive.
If you want to get a clean OS on your machine now, do this:
reboot holding down Command/Option/R (hoping your machine supports this)
open Disk Utility, erase your HD so you have a single Mac journaled partition
choose install OS X on this HD
let it run. From what you said, you will be back on Lion.
-
Can only access emails through OWA after migration from exchange 2007 to 2013
I can only access emails through OWA after migration from Exchange 2007 to 2013; in other words, I am unable to access mail through Outlook or from other application services.
Needed RCA ... please help.
Hi,
From your description, you can send and receive messages only when you use OWA after migration from Exchange 2007 to Exchange 2013. If I have misunderstood your concern, please let me know.
In your case, I recommend you create a new test mailbox in your Exchange 2013 and check if you can send and receive messages on Outlook. If yes, it is recommended to create a new profile to solve this issue.
Hope this can be helpful to you.
Best regards,
Amy Wang
TechNet Community Support
-
I have two apple accounts, but can only access one. I did all the steps to recover the older account's password but nothing worked. I need to access the older account to update apps. Also would there be a way to just combine both accounts?
Were you able to reset the account's password ? If not then how did you try to get it reset e.g. http://iforgot.apple.com (which would have sent it to the rescue email address if you have one on that account) ? You can also try contacting iTunes Support in your country to get it reset : http://support.apple.com/kb/HT5699
And no, accounts can't be merged nor content transferred between accounts.
-
On an iMac 10.6.8 using the current version of Aperture. How can I access the Aperture Library on my external hard drive that I use with Time Machine for backup? I can only access the application but not the library.
Go into Time Machine (the program, not the bundle on the external disk) and using Time Machine's browser go to the folder where the library lives. You could look in the library bundle in Time Machine but that won't really tell you much.
If you want to make sure it truly has backed up your library you will need to restore it and open the restored library with Aperture.
If all this still has you confused you need to read up on Time Machine in order to get a feel for how it works, what it is doing and how to restore files from it.
-
I have a Mac Mini and a MacBook, both were configured at home to access the Time Capsule. I have since moved the Mini to work to use there and it has no issues looking up files on the Time Capsule, which remains at home. The MacBook, however, can only access the Time Capsule from within the home network. I can't seem to find what I may have done differently. Can anybody help?
Not sure if you're allowed to post two questions, but it may be related. I find that accessing the files on the Time Capsule from the Mac Mini or the MacBook is very slow. Accessing the same files from an older HP laptop is as fast as accessing its own hard drive. How can I speed up the accessing of these files from my Apple products? One would think they would work fast and the 'Windows' computers would take minutes to map the drive each time...
Thanks for any help.
> I have since moved the mini to work to use there and it has no issues looking up files on the time capsule which remains at home.
This cannot happen by magic though.. you must have configured the mini to access the TC remotely.. which method are you using, BTMM and iCloud??
> The macbook however can only access the time capsule from within the home network. I can't seem to find what I may have done differently. Can anybody help?
How is the Macbook configured to access the TC remotely?? If you are trying to use BTMM and iCloud, then it might be a case that with the mini running the connection cannot be done by more than one computer at a time.. this is generally the case although I do not know if that is specifically true of BTMM method. Try turning off the mini and leave it off.. (off not standby)... then reboot the TC when you are at home.. and then try and connect the laptop to the TC the next morning from work. See if it is then able to capture the connection.. if so start up the mini and I suspect it now will not be able to connect.. that will prove that the TC cannot cope with two remote connections.
There also could be another factor in here. If you are accessing the laptop via the same router as the mini is on.. then actually you cannot have two users mount the same files on a TC.. from the same IP address.. as far as the TC is concerned both devices have identical IP, that is the public IP of the work location router.
If you happen to not be using BTMM then the situation is even easier.. you cannot make two different devices connect to the same network resource using the same port. That is the failing of the NAT system.. one device uses the port then it cannot be used by a second device. You will need to do some fancy footwork and use a different port.
Anyhow tell us exactly how you are doing remote access.. otherwise I am just guessing.
> Not sure if you're allowed to post two questions, but it may be related. I find that accessing the files on the time capsule from the mac mini or the macbook is very slow.
Are you talking about files you are hosting on the TC?? Not Time Machine backups??
Can you tell me exactly how you are accessing the TC.. please do a test..
Copy a file to the TC and from the TC using the Laptop.. Use a single very large file, eg 1GB movie file.
Give me a read and write speed.. you can use activity monitor to give me an aprox average speed as well as peak.
Do the same test from the same computer with wireless turned off running ethernet.
Then do the tests from the mini.. same ones.. copy large file to and from the TC by ethernet and by wireless.. when using ethernet make sure wireless is off.
I strongly recommend you set IPv6 to link local only for your wireless and ethernet setup in the Mac.
Now do the test from the HP laptop and give me the results from that.
Is the issue wireless only.. ??
Then you might need to spend a bit of time fixing the wireless in the Macs.. you can run wireless diagnostics in Mavericks.
About Wireless Diagnostics
-
I have 2 game centers on 1 Apple ID and it will only access 1 of them may someone tell me how to access the other one
You don't have to use the same ID for iCloud as you do for purchasing. You can just set up iCloud using your other ID.
If you already have another account, you have to go to Settings > iCloud, tap Delete Account, choose Keep on My iDevice when prompted, set up your new account with the other ID, turn on your iCloud data syncing and, when prompted, choose Merge to upload your data to the new account.
-
I saved photos from my MacBook Pro onto my iPhone (using iTunes, 4 years ago). My MacBook is now dead and I need to get the photos I saved off of my iPhone 3GS transferred to a PC. Any help... From my PC I can only access "internal storage".
The iPhone is not a storage/backup device. The picture sync is one way: computer to iPhone. The photos are also reduced in size when synced to the iPhone, so they are not of the original quality.
It has always been very basic to always maintain a backup of your computer.
Have you failed to do this?
If so, not good at all; you can e-mail the pics to yourself, keeping in mind they will never be of the original quality.
-
Read Only Access to Storage Container
Is it possible to give read-only access to a particular storage container without adding someone to the subscription, without providing them the access key, without anonymous requests, and without going through the SAS route?
By default, a container and any blobs within it may be accessed only by the owner of the storage account. If you want to give anonymous users read permissions to a container and its blobs, you can set the container permissions to allow public access. Anonymous users can read blobs within a publicly accessible container without authenticating the request.
This link gives full details:
https://msdn.microsoft.com/en-us/library/azure/dd179354.aspx
Frank
-
Read Only access to UCCX server
Hi,
I would like to know if it is possible to create an account with read-only access for a server in UCCX 8.02.
Saima
Saima,
Unfortunately no, it is not; you have either admin access or supervisor access. Admin access has full access, and supervisor access allows configuration of the RM subsystem, either for their own team or for all teams.
HTH,
Chris
-
Read-Only Access to Specific SAP tables
Is it possible to grant a user read-only access to a specific table or tables?
For example, say I wanted to give someone SE16N capability for just EKKO/EKPO/EKBE and NO OTHER tables. Is this possible? How?
Thanks.
Hi,
As mentioned, the transaction SE16N checks for authorization object S_TABU_DIS. The problem in your case is that the tables EKKO, EKPO and EKBE are already assigned to the authorization group MA - MM Appl. table, but there are many more tables assigned to this group. Changing the assignment of standard tables is not a good idea.
Cheers
-
Read Only access to tablespace
Hi,
Oracle 10.2.0.4
How can I grant read only access to a tablespace for a user.
Thanks
It is not usual.... a tablespace is a box where one or more users store their data... are you sure you don't mean user rather than tablespace?
Grant SELECT on the objects of this tablespace... DBA_TABLES or ALL_TABLES:
SELECT 'GRANT SELECT ON ' || OWNER || '.' || TABLE_NAME || ' TO <USERNAME>;' FROM DBA_TABLES WHERE TABLESPACE_NAME = '<TABLESPACE>';