[K12OSN] SSH Jailing? Disable viewing of dot files/folders with SCP clients?

Nils Breunese nils at breun.nl
Wed Aug 1 15:10:02 UTC 2007


Jim Kronebusch wrote:

> I would like to disable access from outside to our server via ftp. I would
> like to offer access in the future via SCP over SSH. Now with ftp I could say
> go into the vsftp.conf and set an option to jail users to their home
> directory, then they could browse the entire server. But when I enable the
> use of ssh and connect with a client such as WinSCP (Windows) or Gftp (Linux)
> or Fugu (OSX) I can browse the entire server. So I googled ssh jail /home and
> all solutions I find recommend creating some sort of /jail directory and
> relocating /home inside it such as /jail/home/username or
> /home/jail/home/username. I don't really like the sound of that and don't
> fully understand what that could break in terms of LTSP and other apps.
>
> Does anyone know of a way to keep users from traversing out of /home with
> modification of sshd.conf or at least with an add-on that doesn't require
> messing with the standard layout of /home?

I don't know if you want to allow shell access at all, but you might
want to install scponly and set that as your user's shell. scponlyc
is a chrooted scponly binary which might be suitable for your needs.
If you enable the rpmforge yum repository you can 'yum install
scponly'. (If you're compiling from source you'll want to use the
--enable-chrooted-binary flag when configuring.)

> Second minor problem is how to eliminate display of dot files when viewing
> with an SCP client. I would like to disable display of dot files on the
> server side to eliminate the need of client modifications. Any suggestions
> there would be helpful as well (I don't want users to delete or even know
> that the dot files or directories even exist). I am okay with users being
> able to change a setting on their client to purposely display the dot
> files/folders, but I would like it to default to not displaying. I figure if
> they know enough to make a change to display the files, they must already
> know they exist, and would then likely understand their role/importance.

I think it depends on the SCP client whether dot files are shown or  
not. I don't think you can change anything on the server to influence  
this.

Nils Breunese.
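
A way to check the outcome of the scponly suggestion above, as an added example that is not part of the original message: it reads a passwd-format file and lists accounts with a home under /home whose login shell is still something other than scponly or scponlyc. The sample accounts and the shell paths in them are constructed for illustration; the check compares only the shell's file name, so the install path does not matter.

```shell
#!/bin/sh
# Added example (not from the original thread): find accounts under /home
# that can still get an interactive shell over SSH.

# Constructed sample in passwd(5) format; names, UIDs and paths are made up.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/usr/bin/scponly
carol:x:1003:1003:Carol:/home/carol:/usr/sbin/scponlyc
dave:x:1004:1004:Dave:/home/dave:/sbin/nologin
EOF
}

# Read passwd-format lines on stdin and print "user shell" for every account
# whose home directory is under /home and whose shell is not scponly,
# scponlyc, nologin or false. An empty shell field is reported too, because
# login falls back to /bin/sh in that case.
audit_shells() {
  awk -F: '
    $6 ~ /^\/home\// {
      n = split($7, parts, "/")      # last path component is the shell name
      base = parts[n]
      if (base != "scponly" && base != "scponlyc" &&
          base != "nologin" && base != "false")
        print $1, $7
    }'
}

# On a live system: getent passwd | audit_shells
sample_passwd | audit_shells
```

Any account the function prints can still open a normal shell session and browse the whole filesystem from an SCP client.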