Chroot/jail mechanism in ssh and sftp connections

Thiago Esteves de Oliveira thiago at lamce.coppe.ufrj.edu.br
Wed Apr 11 16:20:40 UTC 2007


Thanks for the suggestion. I intend to study about this possible solution but to save time I'd
like to ask you some questions.

With this software, can I control which accounts "from the unix passwd file" will be able to log in?

If there is a symbolic link in the home directory(jail/chroot) that point to anywhere out of it,
will the users be able to use this symlink? Will they go out from their jail/chroot directory this
way?

Derek Ragona wrote:
> At 10:28 AM 4/10/2007, Thiago Esteves de Oliveira wrote:
>>Hello,
>>I want to use the chroot/jail mechanism in user's ssh and sftp
>>connections. I've read some
>>tutorials and possible solutions to jail/chroot the users into their own home directories. One
is
>>to install the openssh-portable(with chroot option turned on) from the ports collection. I've
installed the openssh-portable, but the jail/chroot mechanism didn't work. I think it requires
some configuration in its sshd_config file, but I'm not sure because I have found nothing about
jail/chroot in the openssh(sshd_config) man pages.
>
> I have implemented a similar setup using vsftpd from the ports.  It works well for secure ftp
when used with the filezilla client.  You can limit the ftp command in the vsftpd configuration
file so users cannot get out of their home directories, which chroots them there.  You do need to
add one thing to the accounts, which is to change their home directory in /etc/passwd adding an
additional dot.  For instance if a users home directory is:
> /home/user
>
> You'd need to change it to:
> /home/./user
>
> vsftpd is well documented and relatively easy to get setup and running.
>
>          -Derek
>








More information about the freebsd-questions mailing list