[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] SSH Jailing? Disable viewing of dot files/folders with SCP clients?



Jim Kronebusch wrote:

I would like to disable access from outside to our server via ftp. I would like to offer access in the future via SCP over SSH. Now with ftp I could say go into the vsftp.conf and set an option to jail users to their home directory, then they could browse the entire server. But when I enable the use of ssh and connect with a client such as WinSCP (Windows) or Gftp (Linux) or Fugu (OSX) I can browse the entire server. So I googled ssh jail /home and all solutions I find recommend creating some sort of /jail directory and relocating /home inside it such as /jail/home/ username or /home/jail/home/username. I don't really like the sound of that and don't fully
understand what that could break in terms of LTSP and other apps.

Does anyone know of a way to keep users from traversing out of / home with modification of sshd.conf or at least with an add-on that doesn't require messing with the standard
layout of /home?

I don't know if you want to allow shell access at all, but you might want to install scponly and set that as your user's shell. scponlyc is a chrooted scponly binary which might be suitable for your needs. If you enable the rpmforge yum repository you can 'yum install scponly'. (If you're compiling from source you'll want to use the -- enable-chrooted-binary flag when configuring.)

Second minor problem is how to eliminate display of dot files when viewing with and SCP client. I would like to disable display of dot files on the server side to eliminate the need of client modifications. Any suggestions there would be helpful as well (I don't want users to delete or even know that the dot files or directories even exist). I am okay with users being able to change a setting on their client to purposely display the dot files/folders, but I would like it to default to not displaying. I figure if they know enough to make a change to display the files, they must already know they
exist, and would then likely understand their role/importance.

I think it depends on the SCP client whether dot files are shown or not. I don't think you can change anything on the server to influence this.

Nils Breunese.

Attachment: PGP.sig
Description: Dit deel van het bericht is digitaal ondertekend


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]