[TriLUG] restricting access to webserver
Justis Peters
jtrilug at indythinker.com
Sat Feb 2 17:04:25 EST 2008
Alan Porter wrote:
> > I need to give access via scp to a friend/user of my webserver.
> > I wish to restrict him to a specific directory ( not
> > necessarily a home/user directory). The user doesn't need
> > ssh capability. He just needs to upload to, and/or download
> > files from the specific directory.
>
> This sounds like you'll want a "chroot jail for ssh". This
> basically sets up a chroot with nothing in it except what's
> required for sshd to run, and the home directory.
>
> See http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/
> or Google for "ssh chroot jail".
>
In addition the chroot jail, which looks like a very worthy and secure
solution, you might consider using the "authorized_keys" file. You can
limit which commands can be run by which key. Each line has a set of
options and a public key. Here's a portion of the man page for sshd.
See the section titled "AUTHORIZED_KEYS FILE FORMAT" for more information:
command="command"
Specifies that the command is executed whenever this key is
used for authentication. The command
supplied by the user (if any) is ignored. The command is
run on a pty if the client requests a
pty; otherwise it is run without a tty. If an 8-bit clean
channel is required, one must not
request a pty or should specify no-pty. A quote may be
included in the command by quoting it with
a backslash. This option might be useful to restrict
certain public keys to perform just a speâ
cific operation. An example might be a key that permits
remote backups but nothing else. Note
that the client may specify TCP/IP and/or X11 forwarding
unless they are explicitly prohibited.
Note that this option applies to shell, command or
subsystem execution.
You might also look at other options to tighten it down, such as:
from="pattern-list"
no-port-forwarding
no-X11-forwarding
no-agent-forwarding
no-pty
The chroot jail is certainly more secure, but this method is pretty
good. It's at least good enough for giving your buddy access to SCP
files to and from your webserver. Just make sure you get the file
permissions and user groups correct, or the SCP access itself is a
liability. That's what the chroot jail is supposed to solve, though. I
just thought I'd offer up the quick and easy way to do this with sshd as
it is.
Kind regards,
Justis Peters
More information about the TriLUG
mailing list