[plug] Restricting users access
Craig Ringer
craig at postnewspapers.com.au
Mon Nov 4 17:12:20 WST 2002
Ben Jensz wrote:
> Chris Griffin wrote:
>
> > Greetings Folks,
> >
> > If I have created a user account, say Fred, whose home directory
> > resides in /home/Fred.
> > How can I restrict his logon so that he can only connect via sftp (I
> > am running RedHat and openssh) and he can only access his home
> > directory area? NO SSH.
> > No ssh may not be possible, but I at least need to tie him down to
> > only being able to access his home directory and nothing else.
>
> User shell = /bin/false (or anything really that doesn't exist)

I seem to remember that won't do the full trick. Can't remember exactly
whether it results in access anyway or breaks sftp and ssh portfw too.
Anyway, you can put some restrictions in the authorized_hosts key file,
here's an example from work:
command="/bin/false",no-agent-forwarding,no-X11-forwarding,no-pty
ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEAoDc0/pUVDZMM5LMDPTvqiH4l0U6290Y+J20rYJQKpBeAquV8ZlKNg+lC1qSKrwpy0dZIfcz9qliiL3OAQh7dKjpBXtgEVnmQgMpJB28ZRPV8Eyr9QSCUg11IFizDypsCOPBshmMFlYzlTqSU9J2DqeKMlM6fgt5SSGUHjp2+e4s=
craig at albert
(that's all on one line in the real file).
Hope this is somewhat useful info at least.
Oh as for the homedir-only thing, having "bash -r" as the login shell
would help (restricted shells suck, badly, but do the job) but such
access controls can only really be done with permissions and only
_properly_ with a chrooted environment.
Craig Ringer
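
An added example, not part of the original post: a small auditor for restricted key entries like the one quoted above, written for the per-user key file that OpenSSH calls authorized_keys. It parses the options field of each entry and reports the forced command plus any forwarding or pty restriction that is not set. The function names, sample entries and key placeholders are constructed for illustration; no-port-forwarding and restrict (OpenSSH 7.2 and later) are standard sshd key options that the post's line does not use.

```python
import re

# Each option switches one capability off; "restrict" (OpenSSH 7.2+) switches all off.
LOCKDOWN = ("no-agent-forwarding", "no-port-forwarding", "no-pty", "no-x11-forwarding")
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")

def parse_entry(line):
    """Return (options, rest); options maps lowercased name -> value or True."""
    if KEY_TYPE.match(line):
        return {}, line                        # entry has no options field
    fields, buf, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':  # escaped quote inside a value
            buf, i = buf + '"', i + 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            fields.append(buf)
            buf = ""
        elif ch in " \t" and not quoted:
            break                              # end of the options field
        else:
            buf += ch
        i += 1
    fields.append(buf)
    pairs = (f.partition("=") for f in fields)
    options = {n.lower(): (v if sep else True) for n, sep, v in pairs}
    return options, line[i:].strip()

def audit(text):
    """Yield (key comment, forced command or None, restrictions not in effect)."""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        options, rest = parse_entry(line)
        on = "restrict" in options             # then flag only what is re-enabled
        missing = [o for o in LOCKDOWN if (o[3:] in options if on else o not in options)]
        yield " ".join(rest.split()[2:]), options.get("command"), missing

# Constructed sample entries; the key material is a placeholder, not a real key.
SAMPLE = """\
command="/bin/false",no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAA-PLACEHOLDER user-a@constructed
restrict,command="/usr/libexec/openssh/sftp-server" ssh-ed25519 AAAA-PLACEHOLDER fred@constructed
ssh-rsa AAAA-PLACEHOLDER backup@constructed
"""
print(*audit(SAMPLE), sep="\n")
```

An entry with an empty last field has every listed restriction in effect; an entry that lists any option there still allows that capability for the key.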