
Thread: FTP Users problem

  1. #11
    Join Date
    Nov 2012
    Beans
    38

    Re: FTP Users problem

    I can't make this this way...

    Can you explain to me how I can chroot ssh users to their home directory? And allow sftp chrooted to their home folder.

    And if I do this, can they execute scripts and servers?

  2. #12
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    chrootdirectory /home

    There is one trouble with chrooting users to their home directories: the chroot target has to be owned by root and not writable by anyone else. So if you have fairly static content in the home directories, you can do that and still leave all the files and subdirectories under the ownership of the user. Otherwise, if you can't chown the home directories you can still point them to /home instead.

    So if you can chown the home directory to root, then you could do it like this:

    Code:
    Subsystem sftp internal-sftp
    
    Match Group users
            ChrootDirectory %h
            AllowTCPForwarding no
            X11Forwarding no
            ForceCommand internal-sftp

    %h gets substituted with the actual home directory of the user logging in.

    Otherwise, you can point them to /home and then have them cd to their directory.

    Code:
    Subsystem sftp internal-sftp
    
    Match Group users
            ChrootDirectory /home
            AllowTCPForwarding no
            X11Forwarding no
            ForceCommand internal-sftp

    Last edited by Lars Noodén; May 26th, 2013 at 07:20 PM.
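
The ownership rule described in the post above can be checked before sshd is pointed at a directory. This is an added example, not part of the original thread; it assumes GNU `stat` and applies the rule to every component of the path, which is what sshd_config(5) requires for `ChrootDirectory`.

```shell
#!/bin/sh
# Added example: audit a prospective ChrootDirectory (not from the thread).
# sshd refuses the login if any component of the chroot path is not
# root-owned or is writable by group or other.

# component_ok UID MODE -> 0 if owned by root and not group/other writable.
# MODE is the octal string printed by `stat -c %a` (e.g. 755, 1777).
component_ok() {
    [ "$1" -eq 0 ] 2>/dev/null || return 1
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR -> prints one FAIL line per offending component,
# walking from DIR up to /, and returns 1 if any component fails.
check_chroot_path() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1"
        return 1
    }
    bad=0
    while :; do
        info=$(stat -c '%u %a' "$dir")
        uid=${info%% *}
        mode=${info##* }
        if ! component_ok "$uid" "$mode"; then
            echo "FAIL $dir (uid=$uid mode=$mode)"
            bad=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $bad
}

# Run directly with a directory argument, e.g. the value %h would expand to.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1" && echo "OK: $1 is usable as ChrootDirectory"
fi
```

A home directory that fails only on its own line is the case the post describes: chown it to root and give the user a writable subdirectory, or chroot to /home instead.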

  3. #13
    Join Date
    Nov 2012
    Beans
    38

    Re: FTP Users problem

    Ok, but how can I allow ssh connection?

    And if they are chrooted, can they access the linux system folders and things like that to execute the game server on that account?

  4. #14
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Chroot ssh

    The interactive SSH connection is harder to chroot, even if SFTP is easy. If you want to allow interactive login to a chrooted directory, you need to include at least a shell (e.g. bash) and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices. It requires a bit of setting up, then they can only access the files and programs within the chroot. What are you trying to arrange?

  5. #15
    Join Date
    Nov 2012
    Beans
    38

    Re: FTP Users problem

    I have a VPS where I need to create 2 users, one for minecraft, the other for SAMP. (2 different games)

    Each account will have a folder with the game files inside.

    Now the Minecraft guy needs to access the minecraft account via FTP to update files and needs SSH to execute the scripts in order to start the server.
    The same for the SAMP guy.

    But I want to block access outside each ubuntu account (Minecraft/SAMP). Only give access to his home folder.

    I've been working on this for 3 days and I can't solve the situation :s

  6. #16
    Join Date
    Nov 2012
    Beans
    38

    Re: FTP Users problem

    If I block SSH to an IP, will SFTP be blocked to that IP too?

  7. #17
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    rbash

    I was at first thinking of changing their shells to /bin/rbash and doing some tricks with the $PATH, but after doing a little experimenting, it might be doable with restricted keys. They need to run SFTP and one script, right?

    If that is the case, you can make two keys for each user, one to run SFTP, one to run a script. If you have several scripts, you need one key per script. Make two or more keys (using strong passphrases) for each user, then make sure they can log in with those keys. Once that is in place, log into the server and edit their ~/.ssh/authorized_keys files on the server and prepend forced commands to each key. One command will be for the script, the other will be to force sftp.

    Code:
    command="/usr/local/bin/somescript"  ssh-rsa AAAAB3NzaC1yc2EAAAA....
    command="/usr/lib/openssh/sftp-server" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCi+k1d0agqW...

    Then on the client workstation the script can be launched like this:

    Code:
    ssh -i ~/.ssh/script_rsa_key user@server.example.org

    And sftp can be launched like this (one of several ways):

    Code:
    sftp -i ~/.ssh/sftp_rsa_key user@server.example.org
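
The forced-command approach above uses one key per script. As an added example (not part of the original thread), a single forced command can serve several actions by allow-listing the client's request, which sshd passes in `SSH_ORIGINAL_COMMAND`; the wrapper path and the `gameserver-*` script names are hypothetical.

```shell
#!/bin/sh
# Added example: forced-command wrapper serving several actions from one key.
# Hypothetical install path, pinned to the key in ~/.ssh/authorized_keys:
#   command="/usr/local/bin/ssh-dispatch",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...(key)
# sshd runs this wrapper instead of whatever the client asked for and
# places the client's request in SSH_ORIGINAL_COMMAND.

SCRIPT_DIR=/usr/local/bin   # assumption: root-owned scripts live here

# resolve_action REQUEST -> prints the script to run, or returns 1.
# Only exact matches are accepted; the request is never handed to a shell.
resolve_action() {
    case "$1" in
        start)  echo "$SCRIPT_DIR/gameserver-start" ;;
        stop)   echo "$SCRIPT_DIR/gameserver-stop" ;;
        status) echo "$SCRIPT_DIR/gameserver-status" ;;
        *)      return 1 ;;
    esac
}

main() {
    target=$(resolve_action "${SSH_ORIGINAL_COMMAND:-}") || {
        # Record the rejection with the client address for later review.
        logger -t ssh-dispatch "rejected request from ${SSH_CONNECTION%% *}"
        echo "allowed: start | stop | status" >&2
        exit 1
    }
    exec "$target"
}

# sshd sets SSH_CONNECTION for every session; without it the file is
# being sourced or tested, so nothing is executed.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

The client then appends the action to the command line, e.g. `ssh -i ~/.ssh/script_rsa_key user@server.example.org stop`. The restriction holds only while the account cannot rewrite the scripts or its own authorized_keys over SFTP, so keep both root-owned (sshd_config's `AuthorizedKeysFile` can point outside the home directory).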

  8. #18
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: FTP Users problem

    Originally posted by Di0g0:
    If I block SSH to an IP, will SFTP be blocked to that IP too?

    If you block SSH with iptables (firewall) then SFTP will be blocked, too. If you want only SFTP but not SSH, see the trick above.

  9. #19
    Join Date
    Nov 2012
    Beans
    38

    Re: FTP Users problem

    Here the client put this? Putty? ssh -i ~/.ssh/script_rsa_key user@server.example.org

    Ya, they only need to run a file to start the server and another to stop the server; in the SAMP case the only way to stop the server is killing the PID :s

  10. #20
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: FTP Users problem

    Originally posted by Di0g0:
    Here the client put this? Putty? ssh -i ~/.ssh/script_rsa_key user@server.example.org

    PuTTY should do everything you need as far as connecting goes, but I haven't used it on Linux. Is there an Ubuntu version?

    I would try to set everything up from Linux first and then load the keys into PuTTY. Here's one tutorial how:

    http://www.howtoforge.com/ssh_key_based_logins_putty

    But it will only work after you have the keys ready.
