| {{stub}}
| | #redirect [[SSH - SSH jails]] |
| | |
| | |
| I like to give partial access to some people. However, ''without'' a user account there's little you can do securely over the net (other than, e.g., sharing Samba over a VPN, which is fairly easy with Hamachi), and ''with'' a user account they have read access all over the place through the <tt>group</tt> and <tt>other</tt> permission bits. It's true that you can lock down many things, but that may be more bothersome than other alternatives.
| |
| | |
| | |
| ==scp jail==
| |
| If you only want to isolate file copying, you can use [http://sublimation.org/scponly/wiki/index.php/Main_Page scponly]/[http://tjw.org/scpjailer/ scpjailer] or [http://www.pizzashack.org/rssh/ rssh]. The idea here is to set up a jail, but not give you an actual shell to interact with. You can only use scp and sftp, and then only inside the given jail.
| |
| | |
| This is a single account that has its own jail, so you can hand out this password to people and use it as an isolated file exchange that is safe from nosy people.
| |
| | |
| | |
| ==Setting up a chroot jail for (SSH) logins==
| |
| If you want an actual login, the idea seems to be to wrap your shell in a script that jails said shell. This way you get authentication as usual, but the jail applies when your actual shell starts.
| |
| | |
| See also [[chroot]]
| |
| | |
| | |
| <!--
| |
| useradd -d /tmp -s /bin/chroot-shell ajaileduser
| |
| | |
| One way of doing this is:
| |
| # regular SSH login,
| |
| # which then executes the shell wrapper you have set in /etc/passwd:
| |
| ## shell wrapper does {{inlinecode|sudo chroot $HOME su $USER}}:
| |
| ### sudo because only root can chroot
| |
| ### the user's homedir becomes the jail root
| |
| ### su: switch to user; implies running a shell for them
| |
| -->
| |
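One way to write the shell wrapper described above, as an added example that is not part of the original page: it checks the jail root before running the <tt>sudo chroot $HOME su $USER</tt> step. The install name <tt>/bin/chroot-shell</tt> is taken from the <tt>useradd</tt> line; the <tt>JAIL_OWNER_UID</tt> variable and the ownership and permission checks are assumptions of this example.

```shell
#!/bin/sh
# Added example: login-shell wrapper that refuses to chroot into an unsafe jail.
# Assumed install path: /bin/chroot-shell, set as the user's shell in /etc/passwd.

# Hypothetical knob: uid that must own the jail root (0 = root in production).
JAIL_OWNER_UID="${JAIL_OWNER_UID:-0}"

# jail_check DIR: return 0 only if DIR is acceptable as a jail root.
jail_check() {
    dir=$1
    # A symlink could be repointed outside the intended tree.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "jail: $dir is not a real directory" >&2
        return 1
    fi
    # Numeric listing: field 1 is the mode string, field 3 the owner uid.
    info=$(ls -ldn -- "$dir" | awk '{print substr($1, 1, 10), $3}')
    mode=${info% *}
    owner=${info#* }
    # su runs as root inside the jail and trusts the jail's own etc/ and lib/,
    # so the jailed user must not be able to replace them.
    if [ "$owner" != "$JAIL_OWNER_UID" ]; then
        echo "jail: $dir is owned by uid $owner, want $JAIL_OWNER_UID" >&2
        return 1
    fi
    # Character 6 is group-write, character 9 is other-write; both must be '-'.
    case $mode in
        d????-??-?) return 0 ;;
    esac
    echo "jail: $dir is group- or other-writable ($mode)" >&2
    return 1
}

# jail_login: the wrapper step from the page, run only after the check passes.
jail_login() {
    jail_check "$HOME" || exit 1
    # sudo because only root can chroot; su switches back to the user.
    exec sudo chroot "$HOME" su "$USER"
}

# Act as a login shell only when invoked under the installed name.
case ${0##*/} in
    chroot-shell) jail_login ;;
esac
```

With the default owner uid of 0, a home directory owned by the jailed user is rejected, so the jail root has to be a root-owned directory with a user-writable subdirectory inside it.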
| | |
| [[Category:Security and privacy]]
| |