Limiting system and filesystem access

Tobias Speckbacher TSpeckbacher at quova.com
Fri Dec 9 16:49:15 UTC 2005 


> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of McDougall, Marshall (FSH)
> Sent: Friday, December 09, 2005 8:24 AM
> To: General Red Hat Linux discussion list
> Subject: RE: Limiting system and filesystem access
> 
> Thanks, Ed.  Maybe I'll just have to be happy with the rssh solution.
> It's not perfect, but it's better than nothing.
> 
> Regards, Marshall
> 
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Ed Wilts
> Sent: Thursday, December 08, 2005 12:36 PM
> To: General Red Hat Linux discussion list
> Subject: Re: Limiting system and filesystem access
> 
> 
> On Thu, Dec 08, 2005 at 11:19:46AM -0600, McDougall, Marshall (FSH)
> wrote:
> > I apologize if this is too OT.
> 
> It's absolutely on topic.
> 
> > So my burning question is:  How do I give this user sftp access only
> to
> > a very limited area of my system?  Any assistance appreciated.
> 
> There is no supported and secure method of chroot'ing a user using
> openssh.  Sadly enough, any number of open source FTP servers will
> gladly do this for you making FTP *more* secure than SFTP for this
type
> of application.  This is especially true if you can make ftp/tls work
> for you.

ftp/tls would be my preferred solution.  However if you are forced to
stick with ssh/scp you can take a look at
http://www.sublimation.org/scponly/.
It basically is a shell that only permits scp/sftp interaction and can
chroot the user to where you want him to be.


> 
> What we're doing is buying the Tectia SSH server for our
external-facing
> servers.  It's commercial but will give us secure chroot'ed access to
> the file systems for our external customers.
> 
>         .../Ed
> 
> --
> Ed Wilts, RHCE
> Mounds View, MN, USA
> mailto:ewilts at ewilts.org
> Member #1, Red Hat Community Ambassador Program
> 
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
> 
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list

More information about the redhat-list mailing list