#1
Prospect
Join Date: Sep 2003
Location: Denver
Posts: 4
Hello folks,
I have been searching high and low for a way to restrict SSH/SFTP users to their own home directory. On many sites I've researched, creating a chroot jail keeps coming up, but it seems fairly complicated. I just need basic SFTP functionality for our users. Worst case, we would like to enable SCP for them, but we have no desire to have a fully interactive SSH session going for them. This is strictly for file transfer and file/directory management. I have used one of the hints suggested on this site to restrict SFTP users so that they don't have full use of SSH by making their shell point to the SFTP-Server binary. That works fine, but SFTP users can still cruise all over our directory structure. Any ideas how to trap them in their home? We're running the latest versions of Mac OS X Server. Thanks very much! -Nick Voth
#2
Moderator
Join Date: Jan 2002
Posts: 10,677
I've looked too, and found nothing. I think chroot only works for FTP.
#3
Prospect
Join Date: Sep 2003
Location: Denver
Posts: 4
Thanks "yellow". I'm finding the same thing. I did try the "scponly" application that folks keep talking about. It says it will work with FreeBSD so I figured it would be worth a shot. NOPE, it doesn't "make" and gives out a bunch of errors based on makefile configurations I'm not familiar with.
Anyone else????? Thanks, -Nick
#4
Major Leaguer
Join Date: Dec 2002
Posts: 441
Chrooting is one area where regular FTP excels over the far newer SFTP. This is why there is still widespread support for FTP daemons: the far richer feature set available with modern FTP daemons (quotas, throttling, chroot, virtual users). Note also the big push to add SSL encryption to regular FTP (ProFTPd, pure-ftpd) in order to keep the protocol viable in the current regime.
However, it is possible to create an SFTP jail. It largely just requires giving the users their own set of executables (i.e. a subset of encryption and filesystem binaries): http://www.tjw.org/chroot-login-HOWTO/
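The jail post #4 describes (each user confined to a directory holding only the binaries they need) is what OpenSSH 4.8 and later, released after most of this thread, provide natively with a Match block, ChrootDirectory and the in-process internal-sftp, which needs nothing copied into the jail. As an added example that is not from the thread or the linked HOWTO, this Python script holds a weak and a hardened sshd_config fragment (both constructed; the group name sftponly is an assumption) and audits which settings actually reach a given user, since a Match block that forgets ForceCommand still hands out a shell.

```python
import shlex
# Constructed samples (added example, not from the thread). WEAK: the group gets no jail
# and no forced command. HARDENED: the OpenSSH 4.8+ Match/ChrootDirectory/internal-sftp trio.
WEAK_CONFIG = "Subsystem sftp /usr/libexec/sftp-server\nMatch Group sftponly\n    X11Forwarding no\n"
HARDENED_CONFIG = """Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /sftp/%u    # must be root-owned and not group/world writable
    ForceCommand internal-sftp  # in-process server: no binaries to copy into the jail
    AllowTcpForwarding no
"""

def parse_sshd_config(text):
    """Return (global_opts, [(match_criteria, opts), ...]) with keys lower-cased."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # strip comments and blank lines
        if not line:
            continue
        key, *args = shlex.split(line)
        if key.lower() == "match":                     # start a new Match block
            current = {}
            blocks.append((args, current))
        else:
            (global_opts if current is None else current)[key.lower()] = " ".join(args)
    return global_opts, blocks

def effective_opts(text, user, groups):
    """Options sshd applies to user/groups (only User and Group criteria are evaluated):
    Match values override globals; among matching blocks the first value per key wins."""
    matched, (global_opts, blocks) = {}, parse_sshd_config(text)
    for criteria, opts in blocks:
        pairs = list(zip(criteria[::2], criteria[1::2]))     # e.g. [('Group', 'sftponly')]
        if all((k.lower() == "user" and user in v.split(",")) or
               (k.lower() == "group" and set(groups) & set(v.split(","))) for k, v in pairs):
            for key, val in opts.items():
                matched.setdefault(key, val)
    return {**global_opts, **matched}

def audit_sftp_jail(text, user, groups):
    """Findings for a user meant to be SFTP-only; an empty list means the jail holds."""
    eff, findings = effective_opts(text, user, groups), []
    if "chrootdirectory" not in eff:
        findings.append("no ChrootDirectory: user can browse the whole filesystem")
    if eff.get("forcecommand") != "internal-sftp":
        findings.append("no ForceCommand internal-sftp: a shell or scp is still reachable")
        if "chrootdirectory" in eff and not eff.get("subsystem", "").endswith("internal-sftp"):
            findings.append("external sftp-server in a chroot: its binary and libs must be copied into the jail")
    if eff.get("allowtcpforwarding", "yes") != "no":
        findings.append("AllowTcpForwarding left on: port forwarding works even without a shell")
    return findings
```

Run `audit_sftp_jail(WEAK_CONFIG, "alice", ["sftponly"])` and the three findings show why the weak fragment leaves the user free to roam; the hardened fragment returns none.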
#5
Prospect
Join Date: Sep 2003
Location: Denver
Posts: 4
Sounds like I might be better served looking for an SSL solution since we are already running ProFTPd.
Thanks! -Nick
#6
Major Leaguer
Join Date: Dec 2002
Posts: 441
Note that most SSL-based FTP encryption solutions only encrypt the control connection, so only the passwords, commands, and filenames are encrypted during transit. The actual file contents are still passed over insecure means.
#7
Prospect
Join Date: Apr 2003
Posts: 22
I have tried to do like the HOWTO says, but the su command always responds: sorry
At the beginning, when launching the su start, I had a pam error, then I copied all my /etc/ to /Users/chrootedJailUsers/etc, then the pam error disappeared, but now I have the error: sorry. Like it wasn't able to connect (like a wrong password). Has anyone here correctly made this howto work on OS X? I am really interested in it ... Thanks
#8
Moderator
Join Date: Jan 2002
Posts: 10,677
Breen just posted this on another thread:
http://www.coding-zone.com/chroot-sftp.phtml
#9
Prospect
Join Date: Jan 2002
Posts: 2
Has anyone found a way to restrict directory access with OSX's sftp?
Thanks, t
#10
Prospect
Join Date: Sep 2003
Location: Denver
Posts: 4
Unfortunately, I have not. I've resorted to changing the permissions on areas that I don't want folks getting into. Likewise, I've been trying to push regular FTP just because it is so much easier to restrict the users' movements.
Sorry, -Nick Voth
#11
Prospect
Join Date: Sep 2004
Location: Saint Paul, MN
Posts: 13
It's some Asian language, but...
This might be the holy grail for chrooting sftp users in OS X. Someone has typed out the instructions for what you should do in the terminal, line by line:
http://homepage.mac.com/proc/osx/chroot-sftp.html Has anyone tried this? I really want to give it a whirl, but I'll have to try it on my development box first.
#12
Prospect
Join Date: Sep 2004
Posts: 3
I am using the default FTP server that came with Server 10.3. Here is how I chroot my users:
1. Use the Server Admin utility to connect to your server.
2. In the "Computers & Services" column, click "FTP".
3. At the bottom of the screen on the right, click "Settings".
4. Then, at the top right, click "Advanced".
5. Here, set "Authenticated Users see:" to "Home Directory Only". This will keep them confined to their Home dir.
If you want them to have only FTP access and no shell access, then in the Workgroup Manager utility, under Accounts, click the user name in the left column. Then when the right column refreshes, click Advanced and set their Login Shell to be /sbin/nologin. That's it. The user will now have FTP access to their Home only and will not be able to login via ssh or Telnet.
#13
MVP
Join Date: Dec 2001
Location: Portland, OR
Posts: 1,472
The discussion here is relative to sftp, not regular FTP. sftp is a command-line secure FTP application...
-rob.
#14
Prospect
Join Date: Sep 2004
Location: Saint Paul, MN
Posts: 13
Good resource
For those interested, I re-wrote procman's page in a little better English and refined some steps that were causing problems before. If you follow these step-by-step directions, you should be able to chroot sftp in Mac OS X Panther.
http://www.schwie.com/brad/macosxsftpchroot/
#15
Prospect
Join Date: Nov 2005
Posts: 14
Semi-tangential, but still on topic I think... Has anyone had any luck using FTP with Kerberos authentication? I keep getting "wrong principal" sent errors from my FTP client when connecting to our 10.4.9 server. The funny part is, I'm granted both host and ftp tickets from the KDC.
#16
Moderator
Join Date: Jan 2002
Posts: 10,677
I'd prefer that this was a new thread, as it really has nothing to do with their VERY old thread. SFTP is a subset of OpenSSH, not FTP. I'd opt for System or OS X Server subforums for your question.
#17
Prospect
Join Date: Nov 2005
Posts: 14
Sure I'll repost... You can delete...
#18
Prospect
Join Date: Jan 2002
Posts: 2
Almost there
I followed Brad's instructions although they were for 10.4.2 and my server is 10.4.11.
http://www.schwie.com/brad/macosxsftpchroot/ Now I can't log in with SFTP, but FTP still works. That means I can leave SSH access on for administration and telnet purposes without leaving my server all open to my sftp users. It would be really nice if someone could tweak these instructions to work with 10.4.11 and I believe with 10.5.x also.
#19
Prospect
Join Date: Apr 2006
Posts: 11
Hear hear!
I am having exactly the same problem with xServe in Leopard 10.5.x. Has anyone found a solution?
Best, Sefu.
#20
Prospect
Join Date: Jan 2002
Posts: 2
Maybe it's the same in Leopard
I'm still using Mac OS X 10.4 Tiger Server, but I finally found how to restrict sftp access. I was never able to chroot sftp users, but I could stop sftp access. But I found myself closing my ssh door if anything went bad.
So I found a way to permit ssh and sftp only for certain users and groups. In Server Admin > Settings > Access, you have the SSH service on the left and users and groups on the right. Voilà!