[TriLUG] restricting access to webserver

Justis Peters jtrilug at indythinker.com
Sat Feb 2 17:04:25 EST 2008 

Alan Porter wrote:
>  > I need to give access via scp to a friend/user of my webserver.
>  > I wish to restrict him to a specific directory ( not
>  > necessarily a home/user directory). The user doesn't need
>  > ssh capability. He just needs to upload to, and/or download
>  > files from the specific directory.
>
> This sounds like you'll want a "chroot jail for ssh".  This
> basically sets up a chroot with nothing in it except what's
> required for sshd to run, and the home directory.
>
> See http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/
> or Google for "ssh chroot jail".
>   
In addition the chroot jail, which looks like a very worthy and secure 
solution, you might consider using the "authorized_keys" file.  You can 
limit which commands can be run by which key.  Each line has a set of 
options and a public key.  Here's a portion of the man page for sshd.  
See the section titled "AUTHORIZED_KEYS FILE FORMAT" for more information:
     command="command"
             Specifies that the command is executed whenever this key is 
used for authentication.  The command
             supplied by the user (if any) is ignored.  The command is 
run on a pty if the client requests a
             pty; otherwise it is run without a tty.  If an 8-bit clean 
channel is required, one must not
             request a pty or should specify no-pty.  A quote may be 
included in the command by quoting it with
             a backslash.  This option might be useful to restrict 
certain public keys to perform just a speâ
             cific operation.  An example might be a key that permits 
remote backups but nothing else.  Note
             that the client may specify TCP/IP and/or X11 forwarding 
unless they are explicitly prohibited.
             Note that this option applies to shell, command or 
subsystem execution.

You might also look at other options to tighten it down, such as:
  from="pattern-list"
  no-port-forwarding
  no-X11-forwarding
  no-agent-forwarding
  no-pty

The chroot jail is certainly more secure, but this method is pretty 
good.  It's at least good enough for giving your buddy access to SCP
 files to and from your webserver.  Just make sure you get the file 
permissions and user groups correct, or the SCP access itself is a 
liability.  That's what the chroot jail is supposed to solve, though.  I 
just thought I'd offer up the quick and easy way to do this with sshd as 
it is.

Kind regards,
Justis Peters

More information about the TriLUG mailing list