Chroot Users With sftp
Created: 10/27/2006


General Information

This walkthrough chroots users to their home directory, for those users you don't want browsing all over your FreeBSD machine.  I would suggest doing this at your console, or possibly running a script to kill all the running sshds and then start the sshd2 daemon.

Requirements

  1. Console root access

Installation

Install ssh2 from the ports collection:
# cd /usr/ports/security/ssh2
# make install clean

Configuration

In /usr/local/etc/ssh2/sshd2_config set the ChRootGroups and ChRootUsers directives to chroot the group(s) and/or user(s) that are to have ChRooted access.

Turn off the default ssh (OpenSSH) by setting the following in /etc/rc.conf:
sshd_enable="NO"
Turn on ssh2 by setting the following in /etc/rc.conf:
sshd2_enable="YES"
Now kill sshd and make sure there aren't any more sshd processes running:
# killall sshd
# ps -auxw | grep sshd
Start the new ssh:
# /usr/local/etc/rc.d/sshd.sh start
When you create the user's account, make sure the shell is set to /bin/nologin or something similar.

With this setup, they can sftp in, are chrooted to their home dir, and can't get a shell when they connect via ssh.
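A small audit script for the three conditions set up above (OpenSSH off and sshd2 on in rc.conf, the account covered by ChRootUsers or ChRootGroups, and a nologin shell). This is an added example, not part of the original walkthrough; it assumes the directive values are comma-separated lists and works on constructed file contents embedded inline rather than reading the live system files.

```sh
#!/bin/sh
# Added example (not from the walkthrough): audit one account against the
# setup described above. Assumption: ChRootUsers/ChRootGroups take a
# comma-separated list of names. All file contents below are constructed.

RC_CONF='sshd_enable="NO"
sshd2_enable="YES"'

SSHD2_CONFIG='# constructed fragment of sshd2_config
ChRootGroups   sftponly,guest
ChRootUsers    bob'

# constructed /etc/passwd and /etc/group lines
PASSWD='alice:*:1002:1002:Alice:/home/alice:/usr/sbin/nologin
carol:*:1003:1003:Carol:/home/carol:/bin/sh'
GROUP='sftponly:*:1002:
staff:*:1003:'

# rc_ok: 0 when OpenSSH is disabled and sshd2 is enabled in the rc.conf text
rc_ok() {
    printf '%s\n' "$RC_CONF" | grep -qx 'sshd_enable="NO"' &&
    printf '%s\n' "$RC_CONF" | grep -qx 'sshd2_enable="YES"'
}

# directive_has NAME VALUE: 0 when VALUE is one of NAME's comma-separated items
directive_has() {
    printf '%s\n' "$SSHD2_CONFIG" | awk -v name="$1" -v want="$2" '
        $1 == name { n = split($2, items, ","); for (i = 1; i <= n; i++) if (items[i] == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# user_chrooted USER: 0 when USER is listed directly or via its primary group
user_chrooted() {
    gid=$(printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1 == u { print $4 }')
    grp=$(printf '%s\n' "$GROUP" | awk -F: -v g="$gid" '$3 == g { print $1 }')
    directive_has ChRootUsers "$1" || directive_has ChRootGroups "$grp"
}

# shell_ok USER: 0 when the login shell is a nologin variant
shell_ok() {
    sh=$(printf '%s\n' "$PASSWD" | awk -F: -v u="$1" '$1 == u { print $7 }')
    case "$sh" in */nologin) return 0 ;; *) return 1 ;; esac
}

# audit USER: prints each failing check; returns 0 only when all three pass
audit() {
    rc=0
    rc_ok || { echo "$1: rc.conf does not disable OpenSSH and enable sshd2"; rc=1; }
    user_chrooted "$1" || { echo "$1: not covered by ChRootUsers/ChRootGroups"; rc=1; }
    shell_ok "$1" || { echo "$1: login shell is not nologin"; rc=1; }
    return $rc
}
```

Run `audit alice` for an account that passes and `audit carol` for one that still has a real shell and no chroot entry; the messages name what remains to be fixed.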

In my opinion, OpenSSH should have this feature.  We are told not to use ftp because of clear-text passwords, so we have to use ssh/sftp, but when we do that we can no longer chroot people to their home dirs!  And if we're not careful, we end up giving them a login shell.  Using ssh2 from the ports gets around this limitation, but just check the licence before you install to make sure that you qualify (otherwise it's not free).

Special thanks to:
  1. Gavin (Sh4d03)
  2. Wincent

Author: Bill
wolson at gmail dot com



3 Comments

Posted by till on October 28, 2006 at 6:45:47 pm EEST

OpenSSH has had this feature for a while now. Probably not core, but there has been a patch for it since 2002. Also, when you install OpenSSH on FreeBSD (via ports), it gives you the option to install the patch along with SSH.

I think what you need to install is OpenSSH-portable. And then the menu on make gives you that option. If you don't see a menu, make sure to "make rmconfig" beforehand.

Cheers!


Posted by ericx1982 on December 11, 2006 at 10:20:54 am EET

In /usr/local/etc/ssh2/sshd2_config set the ChRootGroups and ChRootUsers directives to chroot the group(s) and/or user(s) that are to have ChRooted access.

I am not so clear about this instruction.
Can you show me in detail?


Posted by w0ls0n on December 11, 2006 at 3:08:15 pm EET

Hi,

ChRootGroups and ChRootUsers: any users/groups you want to be Chrooted

