IT-Blog
limit user rights - Jail Shell SFTP (Debian)
Created on Sunday, 08 November 2009 18:23
By default a user has a lot of rights, nothing really critical, but why allow him to peek into config files if he doesn't really need to? So I was looking for a way to limit the rights of a remote user without having to chmod a lot of files. The first way I found was to create a jail shell. This is a pretty cool way to limit a user to a handful of commands and prevent him from leaving his home directory. It works with both SFTP (easy) and SSH (a bit more configuration) and can be applied to either a user or a group. The user is named "heinzi" in this example:
SFTP
For a single user:

    Match User heinzi
        ChrootDirectory /home/heinzi
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand /usr/lib/openssh/sftp-server

For a group:

    Match Group users
        ChrootDirectory /home
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand /usr/lib/openssh/sftp-server

Restart ssh:

    /etc/init.d/ssh restart

The user should now be limited to his home directory.
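
A Match block in sshd_config runs until the next Match line or the end of the file, so a global-only keyword such as UsePAM that ends up below the pasted block is read as part of it and sshd rejects the file. The following check is an added example, not part of the original post; the helper name check_match_blocks, the keyword subset and the two sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report global-only sshd_config keywords that ended up inside
# a Match block (a Match block runs to the next "Match" line or end of file).

# Assumption: small, non-exhaustive subset of keywords sshd accepts only globally.
GLOBAL_ONLY="usepam port listenaddress hostkey"

# check_match_blocks FILE  (hypothetical helper name)
# Prints one line per misplaced keyword; returns 1 if any was found, else 0.
check_match_blocks() {
    awk -v list="$GLOBAL_ONLY" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        # Strip a trailing CR (pasted CR/LF) and leading indentation.
        { line = $0; sub(/\r$/, "", line); sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        {
            split(line, f, /[ \t=]+/)
            kw = tolower(f[1])          # sshd keywords are case-insensitive
            if (kw == "match") { opened = NR; header = line; next }
            if (opened && (kw in bad)) {
                printf "line %d: %s inside Match block opened on line %d (%s)\n",
                       NR, f[1], opened, header
                hits++
            }
        }
        END { exit (hits > 0) }
    ' "$1"
}

# Constructed samples: "bad" has the block pasted above the UsePAM line,
# "good" has the same block at the end of the file.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/bad" <<'EOF'
Port 22
Match User heinzi
    ChrootDirectory /home/heinzi
    ForceCommand /usr/lib/openssh/sftp-server
UsePAM yes
EOF
cat > "$SAMPLE_DIR/good" <<'EOF'
Port 22
UsePAM yes
Match User heinzi
    ChrootDirectory /home/heinzi
    ForceCommand /usr/lib/openssh/sftp-server
EOF
check_match_blocks "$SAMPLE_DIR/bad" || echo "bad: fix the file before restarting ssh"
check_match_blocks "$SAMPLE_DIR/good" && echo "good: no misplaced keywords"
```

On a real system, `sshd -t` is the authoritative syntax check to run before the restart; this helper only explains where the misplaced line is.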

julius
Posted at 2010-11-20 20:51:59
/etc/ssh/sshd_config line 88: Directive 'UsePAM' is not allowed within a Match block
It does not work for me.




Manfred Hofbauer
Posted at 2010-11-22 08:47:23
Works fine on my side. I tested it by adding the lines with an existing user at the end of the file. Be sure to remove spaces before and after, and not to copy any additional CR/LF.