
ssh/ftp only accounts


mg-f...@grant.org

Jun 20, 2002, 4:19:23 PM
Can someone please tell me what the recommended way is to set up an
account such that the user can only ftp and scp to a chrooted
directory? (i.e. no login shell).


To Unsubscribe: send mail to majo...@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

sta...@hermes-comp.zp.ua

Jun 21, 2002, 2:42:14 AM
Greetings!

On Thu, 20 Jun 2002, Michael Grant wrote:

> Can someone please tell me what the recommended way is to set up an
> account such that the user can only ftp and scp to a chrooted
> directory? (i.e. no login shell).
>

Here it is (imho, of course):
1. Create a user with a shell like /bin/date or something like this (you
may want to add this command to /etc/shells).
2. Allow this user access to the desired services.

Hope this helps. If you need additional info on getting access to
ftp/scp, don't hesitate to mail me.

With best regards,

Alexander V Zubchenko, E-Mail: sta...@hermes-comp.zp.ua
System Administrator, WWW: http://www.hermes-comp.zp.ua/
Hermes-comp,
Ukraine,
Zaporizhzhya,
Geroev Stalingrada 50
phone/fax: +380 612 64-19-72

mg-f...@grant.org

Jun 21, 2002, 4:10:01 AM
On Thu, 20 Jun 2002, Michael Grant wrote:

> Alexander V Zubchenko wrote:
> On Thu, 20 Jun 2002, Michael Grant wrote:
> > Can someone please tell me what the recommended way is to set up an
> > account such that the user can only ftp and scp to a chrooted
> > directory? (i.e. no login shell).
> >
> Here it is (imho, of course):
> 1. Create user with shell like /bin/date or something like this (You
> may want to add this command to /etc/shells).
> 2. Allow this user access to desired services.
>
> Hope this helps. If you need additional info on getting access to
> ftp/scp, don't hesitate to mail me.

First, there's a typo in the subject line, I meant scp, not ssh.

I discovered that if I use /etc/passwd as the shell, then when the
user wants to change their password, they try to log in and they're
presented with a password change prompt and immediately logged out.

Your solution doesn't work for scp, only for ftp. And furthermore,
it's not chrooted. It also allows a person to log in and read mail
via pop or imap. There doesn't seem to be one place which controls
access.

To chroot ftp, you simply add the username to /etc/ftpchroot. There
are some patches to apply to OpenSSH to get it to chroot. I suppose if I
ran the following script as root, I could use the chroot command
before calling scp. Sounds dangerous though.

Here is a partial solution; set your shell to the following script:

#!/bin/sh -p
#
# filesonly by Michael Grant
#
# Restricted login shell: with no -c argument (an interactive login),
# offer a password change and exit; with -c, run only the server side
# of scp or the sftp subsystem, nothing else.

# no -c option, offer to change passwd
if [ "$1" != '-c' ]; then
    echo "You may only change your password or hit return to exit"
    /usr/bin/passwd
    echo "You may only scp or ftp with this account."
    exit 0
fi

# $2 contains the command to exec, split it into args
# ("--" so a command word starting with "-" is not taken as an option
# to set; -f so no word is expanded as a glob pattern)
set -f
set -- $2

# Verify the command is scp in server mode: -t (receive) or -f (send).
# The two cases are tested separately: a single [ ... -a ... -o ... ]
# would group as (scp and -t) or (-f) and pass any command whose
# second word is -f.
if [ "$1" = 'scp' ] && { [ "$2" = '-t' ] || [ "$2" = '-f' ]; }; then
    # Exec scp directly with only the mode and the path so there can be no mistake
    exec /usr/bin/scp "$2" "$3"
fi

# Verify if it's the sftp command
if [ "$1" = '/usr/libexec/sftp-server' ] || [ "$1" = 'sftp-server' ]; then
    exec /usr/libexec/sftp-server
fi

echo "Command not found."
exit 127
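An added example, not Michael's script or any FreeBSD code: a checker for the command string sshd hands a restricted shell after -c. It accepts only server-side scp (-t or -f, preceded at most by the -v/-r/-p/-d options the OpenSSH client itself sends, which is an assumption about that client) or sftp-server, and prints the argv a wrapper would exec; everything else, including any other scp option, is refused. The paths /usr/bin/scp and /usr/libexec/sftp-server are the ones used in the thread, and the sample commands are constructed.

```shell
#!/bin/sh
# Added example: decide whether the "-c" command string given to a restricted
# shell is a file-transfer command. Returns 0 and prints the argv to exec,
# or returns 1. Assumed paths: /usr/bin/scp and /usr/libexec/sftp-server.

set -f   # never glob while splitting an untrusted command string into words

filesonly_check() {
    set -- $1        # split the string into words; "--" so a leading "-" is not an option to set
    case "$1" in
    scp)
        shift
        mode=
        while [ $# -gt 0 ]; do
            case "$1" in
            -t|-f)       mode=$1; shift; break ;;   # server mode; the path follows
            -r|-p|-d|-v) shift ;;                   # options the scp client adds ahead of -t/-f (assumption)
            *)           return 1 ;;                # anything else (-S, -o, ...) is refused
            esac
        done
        [ "$1" = -- ] && shift                      # newer clients send "--" before a path starting with "-"
        [ -n "$mode" ] && [ $# -eq 1 ] || return 1  # a mode and exactly one path, nothing more
        printf '%s\n' "/usr/bin/scp $mode $1"
        ;;
    sftp-server|/usr/libexec/sftp-server)
        [ $# -eq 1 ] || return 1                    # the subsystem takes no arguments here
        printf '%s\n' "/usr/libexec/sftp-server"
        ;;
    *)
        return 1                                    # not a file-transfer command; note that a single
        ;;                                          # [ ... -a ... -o ... ] test groups as (scp and -t) or (-f)
    esac                                            # and would pass "rm -f x" on its second word alone
}

# Constructed sample inputs, as a wrapper would see them in "$2":
for cmd in 'scp -t /home/mg/incoming' 'scp -v -r -p -f pub' 'sftp-server' \
           'rm -f /etc/passwd' 'scp -S /bin/sh -t x' 'scp -t'; do
    if out=$(filesonly_check "$cmd"); then
        echo "allow: $cmd -> $out"
    else
        echo "deny:  $cmd"
    fi
done
```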

Danov...@danovitsch.dnsq.org

Jun 21, 2002, 12:58:24 PM
On Thursday 20 June 2002 22:17, you wrote:
> Can someone please tell me what the recommended way is to set up an
> account such that the user can only ftp and scp to a chrooted
> directory? (i.e. no login shell).
I don't know about scp, but I can tell you how I handle "ftp only" users...

I created a group for all people who only need to have ftp-access to my
machines (group: ftpusers).
After that I created a fake shell something like this :
---- cut here
#!/bin/sh
# fakelogin: a shell for ftp-only accounts; it refuses interactive logins
echo "You are not allowed to login..."
echo "bye now."
---- end
(Put this script in /usr/local/bin/fakelogin or wherever.)
Then add this script to /etc/shells, since ftpd only allows users with a
valid shell.

Add users to the "ftpusers" group and give them the fakelogin shell.

Now there's only one thing left to do: tell ftp to chroot when an ftpuser
logs in.
You can do this by simply adding "@ftpusers" on a line by itself (without the
quotes) to the /etc/ftpchroot file.

And here you go, all users in "ftpusers" are chrooted into their home dirs
when they log in.
(Note this won't take your scp problems away, but it's a start.)

grtz,
Daan
--
Control the lights in my room:
http://www.Danovitsch.dnsq.org/webcam

Moo,
]:8)
