chroot scp only network storage?
Matthew Law
matt at webcontracts.co.uk
Wed May 26 08:27:21 UTC 2010
On Tue, May 25, 2010 11:05 pm, Matthew Seaman wrote:
> Check out the security/openssh-portable port which has options to enable
> chroot'ing. You should be able to configure the account to only be able
> to use scp(1) or sftp(1) by editing sshd_config or by using forced
> commands in the user authorized_keys files.
This sounds pretty close to what I want. I don't want the user to be able
to get a shell on the box but do want to allow them to run a small subset
of useful commands over ssh such as 'ls' and of course scp files to and
from it.
> Another alternative is WebDAV. Run it over HTTPS for security, and use
> the standard Apache authn/authz controls to give each user access to
> only their own area. In principle your users can mount their WebDAV
> areas as networked filesystems on their desktops. In practice, this
> works fine with MacOS X, is horribly buggy under Windows, needs quite a
> lot of effort to make work on Linux, and I don't think it's actually
> available at all on FreeBSD. However, commandline clients like cadaver
> will work fine on anything Unixy.
I've had problems with exactly this before on Linux. I only need to allow
Linux, FreeBSD and Solaris users access to this resource so will persevere
with something SSH based I think.
Thanks,
Matt.
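
Added example, not part of the original message: one way to implement the forced-command approach mentioned in the thread so that a key can run only `ls` and the server side of scp. The script path, the `RESTRICT_BASE` variable, the storage root and the permitted flag sets are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper (hypothetical path /usr/local/libexec/scp-ls-only).
# authorized_keys entry (key material is a placeholder):
#   command="/usr/local/libexec/scp-ls-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <KEY> user
LC_ALL=C; export LC_ALL
PATH=/bin:/usr/bin; export PATH
BASE=${RESTRICT_BASE:-/storage/exampleuser}   # assumed per-user storage root

# Print "allow" or "deny" for a requested command line.
check_cmd() {
  set -f; set -- $1; set +f          # split on whitespace, no globbing
  [ $# -gt 0 ] || { echo deny; return 0; }
  prog=$1; shift
  case $prog in ls|scp) ;; *) echo deny; return 0 ;; esac
  paths=0 mode=0
  for arg in "$@"; do
    case $arg in                      # conservative charset, no parent refs
      *[!A-Za-z0-9./_-]*|*..*) echo deny; return 0 ;;
    esac
    case $prog:$arg in
      *:/*)                     echo deny; return 0 ;;  # absolute path
      ls:-|ls:-*[!alhR1]*)      echo deny; return 0 ;;  # unknown ls flag
      scp:-|scp:-*[!tfrpdv]*)   echo deny; return 0 ;;  # e.g. -S program
      scp:-*[tf]*)              mode=$((mode + 1)) ;;   # sink/source mode
      *:-*)                     ;;                      # other permitted flag
      *)                        paths=$((paths + 1)) ;;
    esac
  done
  if [ "$prog" = scp ] && { [ "$mode" -ne 1 ] || [ "$paths" -ne 1 ]; }; then
    echo deny; return 0
  fi
  echo allow
}

# sshd places the client's requested command in SSH_ORIGINAL_COMMAND.
# An interactive login leaves it unset, so the wrapper exits without a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
  if [ "$(check_cmd "$SSH_ORIGINAL_COMMAND")" = allow ]; then
    cd "$BASE" || exit 1
    set -f                            # validated tokens only; no glob expansion
    exec $SSH_ORIGINAL_COMMAND
  fi
  echo "command not permitted" >&2
  exit 1
fi
```

The path filter is lexical only, so a symlink inside the storage area can still point outside it; the chroot option mentioned in the thread covers that case. OpenSSH 9.0 and later scp clients use the SFTP protocol by default and need `-O` to reach a wrapper like this.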