I run an ssh server on my machine and I restrict access for certain users to sftp only, with internal-sftp & ChrootDirectory. What I need is a way to execute a script before chrooting users. Actually, the goal is to mount an encrypted filesystem on client connection and unmount it on close. Thanks in advance.
Viewed 8,181 times
2 Answers
5
If you don't want to hack the OpenSSH code, you have to use the external sftp server. If you do, it is a simple matter of putting a wrapper around it. For example, in sshd_config:
Subsystem sftp /usr/local/bin/sftp-server
In /usr/local/bin/sftp-server:
#!/bin/sh
# mount_special_fs / umount_special_fs stand for whatever mounts and unmounts the volume
mount_special_fs
# chroot(8) needs root, while the subsystem itself runs as the logged-in user
chroot /my/secret/stuff /usr/libexec/openssh/sftp-server
umount_special_fs
It might be possible to put a wrapper around sshd and launch the wrapper from inetd, but launching sshd from inetd is discouraged because it is too slow to start up.

Mark Wagner
- Is it possible to pass arguments to the wrapper with this method, because each user has a different filesystem? – fokenrute Sep 26 '10 at 14:19
- I quickly found the answer to my previous question in the sshd_config man page, but I ran into another issue: how can I access variables such as the current user and his home directory from within sshd_config? I tried: Subsystem sftp /path/to/sftp-wrapper %u, but the wrapper receives the string %u instead of the current user name. – fokenrute Sep 26 '10 at 15:26
- You can't use %u here. The script runs as the user, so you can examine $USER. The approach is starting to seem a bit hackish to me. – Mark Wagner Sep 27 '10 at 17:09
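As an added example, not part of Mark Wagner's answer: a Subsystem wrapper in the shape his answer describes, written around the constraint raised in the comments, that the subsystem runs as the logged-in user and that sshd does not expand %u on a Subsystem line. Because the wrapper is unprivileged it cannot mount, unmount or chroot by itself; the example assumes a root-owned helper, /usr/local/sbin/crypt-helper (hypothetical), that takes "mount <user>" or "umount <user>" and is the only command these users may run through sudo (the NOPASSWD sudoers rule is not shown). The volume layout under /srv/crypt and the other paths are assumptions too, and it assumes ChrootDirectory is not set for these users, since the wrapper would otherwise run inside the chroot and need sudo and the helper in there.

```shell
#!/bin/sh
# Added example (not from the answer above): sftp Subsystem wrapper that
# mounts a per-user encrypted volume for the length of one session.
# In sshd_config (assumed):
#   Subsystem sftp /usr/local/bin/sftp-wrapper
# Runs as the connecting user, so mounting is delegated to a root-owned
# helper reached through sudo. Helper name and paths are hypothetical.

SFTP_SERVER=${SFTP_SERVER:-/usr/libexec/openssh/sftp-server}
CRYPT_HELPER=${CRYPT_HELPER:-/usr/local/sbin/crypt-helper}   # hypothetical
CRYPT_BASE=${CRYPT_BASE:-/srv/crypt}                          # assumed layout

# The user name is spliced into a sudo command line and a path, so accept
# only a plain lowercase POSIX name: no leading dash (would read as a sudo
# or helper option), no slash or dot (path escape), no whitespace or shell
# metacharacters. Returns 0 for an acceptable name, 1 otherwise.
valid_user() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Where the helper is expected to have mounted the user's decrypted volume.
mount_point_for() {
    printf '%s/%s\n' "$CRYPT_BASE" "$1"
}

mounted=
cleanup() {
    # Runs on normal exit and on HUP/INT/TERM (sshd tears the session down
    # with a signal when the client disconnects). Guarded so that a signal
    # followed by the EXIT trap does not call the helper twice.
    [ -n "$mounted" ] || return 0
    mounted=
    sudo -n "$CRYPT_HELPER" umount "$user"
}

run_session() {
    # %u is not expanded in Subsystem lines; ask the kernel who we are rather
    # than trusting an environment variable.
    user=$(id -un)
    valid_user "$user" || { echo "sftp-wrapper: refusing user name" >&2; exit 1; }
    mp=$(mount_point_for "$user")

    trap cleanup EXIT HUP INT TERM
    # Refuse the session if the mount fails: otherwise the client would be
    # handed the empty mount point and could write plaintext into it.
    sudo -n "$CRYPT_HELPER" mount "$user" || exit 1
    mounted=1

    # Without -d, sftp-server serves from the directory it is started in,
    # so move into the volume before handing over to it.
    cd "$mp" || exit 1
    "$SFTP_SERVER"
}

# Only act when invoked by sshd under the installed name; sourcing the file
# for testing leaves the functions defined and does nothing else.
case "${0##*/}" in
    sftp-wrapper) run_session ;;
esac
```

Note what this wrapper cannot do: the user can still cd out of the mounted volume, which is what ChrootDirectory was providing in the question's setup. Combining the two means the helper has to mount inside the chroot and the wrapper, sudo and the helper have to be reachable from inside it, which is where the approach becomes, as the answer's author puts it, hackish.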
1
You can also use pam_script, a PAM module for executing a script from a PAM authentication module. You can add it to your PAM sshd configuration. URL: http://linux.die.net/man/5/pam_script

NoNoNo
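As an added example, not part of NoNoNo's answer: what the pam_script route looks like in practice. pam_script runs /etc/pam-script.d/pam_script_ses_open and pam_script_ses_close at session open and close and hands them PAM_USER and PAM_SERVICE in the environment; the scripts run inside the privileged sshd process, as root, so they can mount directly and no sudo rule is needed. One script installed under both names (symlinked) serves both hooks. The allowlist file, the LUKS image layout under /srv/crypt, the key-file directory, the state directory and the use of cryptsetup are assumptions for the example, not part of pam_script. It also handles the case the one-line answer leaves open: a second concurrent session of the same user must not unmount the volume under the first.

```shell
#!/bin/sh
# Added example (not from the answer above). Install once and symlink:
#   /etc/pam-script.d/pam_script_ses_open  -> this file
#   /etc/pam-script.d/pam_script_ses_close -> this file
# and in /etc/pam.d/sshd (use "required" if a failed mount should fail login):
#   session optional pam_script.so
# pam_script exports PAM_USER and PAM_SERVICE; everything else is assumed.

ALLOWLIST=${ALLOWLIST:-/etc/sftp-crypt-users}   # assumed: one user name per line
CRYPT_BASE=${CRYPT_BASE:-/srv/crypt}            # assumed: <user>.img LUKS images
KEY_DIR=${KEY_DIR:-/etc/sftp-crypt-keys}        # assumed: <user>.key, root-only
STATE_DIR=${STATE_DIR:-/run/sftp-crypt}         # per-user session counters

# Act only for sshd sessions of users explicitly listed. PAM_USER names an
# authenticated account, but without the allowlist every login through this
# PAM stack (including root's) would get a mount attempt. Exact-line match
# (-x) so "ali" does not match "alice"; -- so a leading dash is not an option.
should_handle() {   # $1=service  $2=user  $3=allowlist file
    [ "$1" = sshd ] || return 1
    [ -n "$2" ] || return 1
    [ -r "$3" ] || return 1
    grep -qxF -- "$2" "$3"
}

# Serialise per-user counter updates: mkdir is atomic, so it doubles as a lock.
with_lock() {   # $1=user, remaining args: command to run under the lock
    lock="$STATE_DIR/$1.lock"; shift
    tries=0
    until mkdir "$lock" 2>/dev/null; do
        tries=$((tries + 1)); [ "$tries" -lt 30 ] || return 1; sleep 1
    done
    "$@"; rc=$?
    rmdir "$lock"
    return $rc
}

# Add $2 (+1 or -1) to the user's live-session count and print the new value.
# Concurrent sessions of one user share one mount: mount on the 0->1
# transition, unmount on 1->0, and never let the count go negative.
adjust_sessions() {   # $1=user  $2=delta
    f="$STATE_DIR/$1.count"; n=0
    if [ -r "$f" ]; then read -r n < "$f"; fi
    n=$((n + $2))
    if [ "$n" -lt 0 ]; then n=0; fi
    printf '%s\n' "$n" > "$f"
    printf '%s\n' "$n"
}

mount_point_for() { printf '%s/%s\n' "$CRYPT_BASE" "$1"; }

open_volume() {
    user=$1; mp=$(mount_point_for "$user")
    n=$(with_lock "$user" adjust_sessions "$user" 1) || return 1
    [ "$n" -eq 1 ] || return 0        # already mounted by an earlier session
    if cryptsetup open --key-file "$KEY_DIR/$user.key" "$CRYPT_BASE/$user.img" "sftp-$user" \
       && mkdir -p "$mp" && mount "/dev/mapper/sftp-$user" "$mp"; then
        return 0
    fi
    # Mount failed: roll back so the next session tries again instead of
    # assuming the volume is there.
    cryptsetup close "sftp-$user" 2>/dev/null
    with_lock "$user" adjust_sessions "$user" -1 >/dev/null
    return 1
}

close_volume() {
    user=$1; mp=$(mount_point_for "$user")
    n=$(with_lock "$user" adjust_sessions "$user" -1) || return 1
    [ "$n" -eq 0 ] || return 0        # other sessions still use the mount
    umount "$mp" && cryptsetup close "sftp-$user"
}

main() {
    mkdir -p "$STATE_DIR"
    # Not one of our logins: exit 0 so the PAM stack continues unaffected.
    should_handle "${PAM_SERVICE:-}" "${PAM_USER:-}" "$ALLOWLIST" || exit 0
    case "${0##*/}" in
        pam_script_ses_open)  open_volume "$PAM_USER" ;;
        pam_script_ses_close) close_volume "$PAM_USER" ;;
    esac
}

case "${0##*/}" in
    pam_script_ses_open|pam_script_ses_close) main ;;
esac
```

Because the session hooks run before sshd applies ChrootDirectory and starts the subsystem, this keeps internal-sftp and the chroot from the question unchanged: the mount just has to land under the user's ChrootDirectory, and the key file stays root-only outside it.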