Security Basics mailing list archives

Re: Locking down a user


From: Joerg Over Dexia <over () dexia de>
Date: Thu, 26 Jun 2003 17:46:19 +0200

Hi there..

At 14:17 25.06.2003 -0400 Steve McKinney told me the following:
->I need to lock down a user so that they can only ssh in for scp
->purposes and stay in a certain directory.  I've looked around
->with google, but I can't find what I'm looking for.  Can someone
->point me in the right direction, maybe a tutorial that they have
->found useful?

Well, I'd say the first thing would be to stop tcp forwarding (e.g.
AllowTcpForwarding=no in sshd_config for OpenSSH). This is mostly
not possible on a per-user basis, so you have to turn that off for
everybody.

Another thing to do might be chrooting sshd; this is usually
nontrivial and depends on OS, platform, ssh version and vendor,
none of which you specify.

On Linux, I'm using an account with only . in the PATH, links to
the executables the user is allowed to use, and rbash as shell. Files
(.profile, links) in $HOME are generally not writable.
There are a couple of ways around the rbash restrictions (scp'ing
a sh, chmod, execute), which can further be hindered by umask,
restricting chmod etc. There might very well be an easier or more
sophisticated way than the ones I thought about; I didn't search
very much for info on that. (I'm not trying to contain hackers,
I'm merely padding a soft cell.)

Generally, I'd recommend "SSH, The Secure Shell: The Definitive
Guide" by O'Reilly; I'm not through with it yet, but there are
supposed to be some parts about restricting ssh users which most
certainly have info better than all I can give at the moment.

http://www.amazon.com/exec/obidos/tg/detail/-/0596000111/qid=1056641374/sr=8-1/ref=sr_8_1/102-4422503-0516133?v=glance&s=books&n=507846


Safest solution should be a BSD jail.

hth, jo
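As an added example (not part of Joerg's reply or anything from the list archive), the script below lays out a restricted home of the kind the reply describes (a private bin directory holding links to the only permitted executables, a read-only .profile, a tight umask) and audits the result, plus a check that the sshd_config really carries the global AllowTcpForwarding=no. Assumptions: rbash is at /bin/rbash and scp at /usr/bin/scp (paths vary by distribution); PATH is set to $HOME/bin rather than "." so the account never needs cd, which rbash forbids anyway; and the sample sshd_config fragments are constructed here. In real use you would run the build step as root and chown the tree to the restricted account.

```shell
#!/bin/sh
# Added example: restricted scp-only home in the rbash style Joerg describes.
# Assumed paths: /bin/rbash as the login shell, /usr/bin/scp as the one tool.
set -u

# Build $1 as the restricted home; remaining args are full paths of the
# commands the user may run (e.g. /usr/bin/scp).
build_restricted_home() {
    home=$1; shift
    mkdir -p "$home/bin" "$home/upload"
    for cmd in "$@"; do
        ln -sf "$cmd" "$home/bin/$(basename "$cmd")"
    done
    # .profile fixes PATH; rbash refuses later changes to PATH, SHELL and ENV
    # and rejects any command name containing a slash, so the links in bin
    # are all the account can ever run.  umask 077 keeps uploads private.
    printf 'PATH=$HOME/bin\nexport PATH\numask 077\n' > "$home/.profile"
    chmod 444 "$home/.profile"
    chmod 555 "$home/bin"       # links cannot be added or replaced
    chmod 755 "$home/upload"    # the one place scp is meant to write
    chmod 555 "$home"           # .profile cannot be swapped for a writable one
}

# True when none of the three permission triplets of $1 has a write bit.
# Uses ls rather than test -w because for root test -w is always true.
no_write_bit() {
    case "$(ls -ld "$1" | cut -c2-10)" in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Audit a restricted home: 0 only if the home, .profile and bin carry no
# write bit and every entry in bin is a symbolic link (no uploaded binaries).
audit_restricted_home() {
    home=$1
    for f in "$home" "$home/.profile" "$home/bin"; do
        no_write_bit "$f" || { echo "writable: $f" >&2; return 1; }
    done
    for entry in "$home"/bin/*; do
        [ -e "$entry" ] || continue          # empty bin: glob stays literal
        [ -L "$entry" ] || { echo "not a link: $entry" >&2; return 1; }
    done
    return 0
}

# Check that sshd_config ($1) disables TCP forwarding globally, as the reply
# recommends.  OpenSSH keywords are case-insensitive, hence grep -i.
tcp_forwarding_disabled() {
    grep -Eiq '^[[:space:]]*AllowTcpForwarding[[:space:]]+no([[:space:]]|$)' "$1"
}

# Constructed demo data: a scratch home and two sample sshd_config fragments.
DEMO=$(mktemp -d)
printf 'Port 22\nAllowTcpForwarding no\nX11Forwarding no\n' > "$DEMO/sshd_config.good"
printf 'Port 22\nAllowTcpForwarding yes\n' > "$DEMO/sshd_config.bad"
build_restricted_home "$DEMO/scpuser" /usr/bin/scp

audit_restricted_home "$DEMO/scpuser" && echo "home layout: ok"
tcp_forwarding_disabled "$DEMO/sshd_config.good" && echo "good config: forwarding off"
tcp_forwarding_disabled "$DEMO/sshd_config.bad" || echo "bad config: forwarding still on"
```

The audit is the part worth keeping around: run it from cron against every restricted home, since the weak spots Joerg lists (scp'ing in a shell, chmod, execute) all leave a non-link or a fresh write bit behind that `audit_restricted_home` reports.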
