Help! Need to stop SSH users snooping around

feenster99 · 24 May 2007 at 12:50

Hi all,
I've got a server that is receiving data from various users outside my network via SSH (using Rsync). Each user is setup on my server, with their shell pointing to /bin/bash. They are authenticated against the server via a public key when the data is sent. They can also login via FTP to view their data with their username and password.

To be extra safe, I want to ensure that a user couldn't log in with SSH and look at the other folders/users on the server. If they could be locked into their home directory, that would be ideal. If not, is there another obvious way to handle this so User-A can't even see User-B's files?

Cheers,
Matt

feenster99 · 24 May 2007 at 15:03

Hi Chaps,
I could do the permissions thing to only allow user and group access (I guess I Umask any files through SSH?), but users would still be able snoop around see what folders are on there couldn't they? My folder structure is a bit like this:

Code:

/Users
        /UserA
                 /Data
        /UserB
                 /Data

....etc. So would appropriate permissions stop them even seeing that a /Users/UserB folder existing by doing an ls -l? Each user has their own group by the way, the same as their username.

I have FTP chroot'ed nicely - I understand why it's not quite as easy to achieve with SSH, but surely, i'm not asking for anything unusual am I?

Matt

feenster99 · 24 May 2007 at 19:47

I've spent a couple of hours Googling today, and can't find a definitive answer. There seems to be numerous ways to do it, but they all look fairly complex. I was rather hoping for something I could install through apt-get, and then just tweak a config file - i'm still fairly new to Linux, so it's proving a bit tricky for me to workout a way through it.

Matt

feenster99 · 24 May 2007 at 21:50

I couldn't find anything today when i looked through. The closest thing i can find is Jailkit. There's a tutorial for it here:
http://ubuntuforums.org/showthread.php?t=248724

It looks fairly easy to setup - still not brilliant, but the best i've come across thus far.

Matt

feenster99 · 25 May 2007 at 07:59

Hi,
I will change the permissions then, sounds like a good start.

However, the more I read and think about, the more I see my situation is different, and that I may not even need to allow people SSH access at all. The only reason they have SSH access at the moment, is to send data via Rsync through the Internet (using the --rsh="ssh -p xx" command. I wonder if I could achieve the same thing by setting up the Rsync daemon to receive data? Does that sound like a better solution? I could then give my users a null shell so they couldn't login.

Matt

feenster99 · 28 May 2007 at 16:35

MikeTimbers said:
Set their shell to /bin/false. They would then be able to send the data but not login.

Ah i seem to remember trying that originally, but came across problems sending data or viewing FTP. Perhaps I set it to /dev/null instead, can't remember.

I'll try it out this week and post back

Matt

feenster99 · 31 May 2007 at 21:04

Hi Firebar,
Thanks for your info. I'm using Ubuntu at the moment, and am quite happy with it. I'll look into Suse and AppArmor though

Matt