SCIENTIFIC-LINUX-USERS Archives

March 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: John Summerfield <[log in to unmask]>
Reply To: John Summerfield <[log in to unmask]>
Date: Thu, 5 Mar 2009 11:58:27 +0900

Michael Mansour wrote:
> Hi,
> 
>> Why, what is your threat model that you have to do this?
> 
> Thanks for your reply. Basically, we're managing the infrastructure for a
> client, but not the (web) apps. 
> 
> The client has insisted his developers need SSH access. After quite some
> discussion, we provided it.
> 
> The client has multiple developers and himself hosts for different clients, so
> multiple SSH accounts are being provided to multiple developers.
> 
> They really only need access to their home directories, they don't need access
> to the main server filesystem etc.
> 
> The new OpenSSH version makes this easier than other chroot hacks I've seen,
> in that it uses sftp libraries to provide the chroot'ed ssh environment. So no
> need to copy all libraries for each ssh command that is needed to be used in
> the environment and then having an upgrade headache when OpenSSH needs to be
> updated.
> 
> Regards,
> 
> Michael.
> 
>> Michael Mansour wrote:
>>> Hi,
>>>
>>> I'm looking for a way to set up the chroot for SSH users, into their home
>>> directories.
>>>
>>> Do people do this with SL5?
>>>
>>> I've looked at the latest OpenSSH which does do this, but requires separate
>>> compilation. I'd rather try and find pre-built RPMs of the latest OpenSSH.
>>>
>>> Any advice is appreciated.
>>>
>>> Michael.

Is one or more VMs an option? Their home directories could be mounted 
via nfs.

Basing the vm off a live CD or even systemrescuecd (I've used that 
recently, it's "different" but can be bent into shape) would give you a 
system they cannot change. Systemrescuecd can be booted entirely into 
RAM with less than half a gig.

It's easily customised at boot time; I created a bootable USB disk. One 
or more scripts in / of the USB disk is all you need to do that.

It includes ssh, nfs (and lots of other stuff you don't need for this, 
so it could maybe be pruned further). It's pretty handy for deploying 
Windows.



-- 

Cheers
John

-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
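
On the chroot approach discussed in the quoted messages: OpenSSH's ChrootDirectory option (sshd_config(5)) requires every component of the chroot path to be a root-owned directory that group and others cannot write to, so a user-owned home directory does not qualify as it stands. The check below is an added example, not code from this thread or from OpenSSH; the function names, paths and uid are constructed for illustration.

```python
import os
import stat
from types import SimpleNamespace

def audit_chroot(path, stat_fn=os.stat):
    """List (component, problem) pairs that would make sshd refuse `path`
    as a ChrootDirectory: every component from / down must be a
    root-owned directory that group and others cannot write to."""
    problems = []
    current = "/"
    components = [current]
    for part in os.path.abspath(path).strip("/").split("/"):
        if part:
            current = os.path.join(current, part)
            components.append(current)
    for comp in components:
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append((comp, "cannot stat: %s" % exc.strerror))
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != 0:
            problems.append((comp, "owned by uid %d, not root" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((comp, "writable by group or others"))
    return problems

# Constructed sample tree (not from the thread): path -> (mode, uid).
SAMPLE_TREE = {
    "/": (stat.S_IFDIR | 0o755, 0),
    "/home": (stat.S_IFDIR | 0o755, 0),
    "/home/dev1": (stat.S_IFDIR | 0o700, 1001),   # a normal home directory
    "/srv": (stat.S_IFDIR | 0o755, 0),
    "/srv/jail": (stat.S_IFDIR | 0o775, 0),       # group-writable parent
    "/srv/jail/dev1": (stat.S_IFDIR | 0o755, 0),
}

def sample_stat(path):
    """Stand-in for os.stat that reads SAMPLE_TREE, so the demo runs offline."""
    if path not in SAMPLE_TREE:
        raise FileNotFoundError(2, "No such file or directory", path)
    mode, uid = SAMPLE_TREE[path]
    return SimpleNamespace(st_mode=mode, st_uid=uid)

if __name__ == "__main__":
    for target in ("/home/dev1", "/srv/jail/dev1"):
        print(target, audit_chroot(target, sample_stat) or "ok")
```

Called with the default `stat_fn`, `audit_chroot` inspects the real filesystem, which makes it usable as a pre-deployment check on each planned chroot directory.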
