Limiting system and filesystem access
Tobias Speckbacher
TSpeckbacher at quova.com
Fri Dec 9 16:49:15 UTC 2005
> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of McDougall, Marshall (FSH)
> Sent: Friday, December 09, 2005 8:24 AM
> To: General Red Hat Linux discussion list
> Subject: RE: Limiting system and filesystem access
>
> Thanks, Ed. Maybe I'll just have to be happy with the rssh solution.
> It's not perfect, but it's better than nothing.
>
> Regards, Marshall
>
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Ed Wilts
> Sent: Thursday, December 08, 2005 12:36 PM
> To: General Red Hat Linux discussion list
> Subject: Re: Limiting system and filesystem access
>
>
> On Thu, Dec 08, 2005 at 11:19:46AM -0600, McDougall, Marshall (FSH)
> wrote:
> > I apologize if this is too OT.
>
> It's absolutely on topic.
>
> > So my burning question is: How do I give this user sftp access only
> to
> > a very limited area of my system? Any assistance appreciated.
>
> There is no supported and secure method of chroot'ing a user using
> openssh. Sadly enough, any number of open source FTP servers will
> gladly do this for you making FTP *more* secure than SFTP for this
type
> of application. This is especially true if you can make ftp/tls work
> for you.
ftp/tls would be my preferred solution. However if you are forced to
stick with ssh/scp you can take a look at
http://www.sublimation.org/scponly/.
It basically is a shell that only permits scp/sftp interaction and can
chroot the user to where you want him to be.
>
> What we're doing is buying the Tectia SSH server for our
external-facing
> servers. It's commercial but will give us secure chroot'ed access to
> the file systems for our external customers.
>
> .../Ed
>
> --
> Ed Wilts, RHCE
> Mounds View, MN, USA
> mailto:ewilts at ewilts.org
> Member #1, Red Hat Community Ambassador Program
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
More information about the redhat-list
mailing list