
Server: Red Hat Enterprise Linux Server release 6.5 (Santiago)

Using openssh-server to allow sftp connections.

I'm trying to limit users to their own personal home directory. So I modified /etc/passwd, setting user "john" to use /bin/rbash instead of /bin/bash:

john:502:503::/home/john:/bin/rbash

If I do that, john cannot connect via sftp: the connection closes as soon as he logs in (the sftp message is "Connection closed"). If I set the shell to /bin/bash instead, his connection works fine, but then john can travel all over the server file system using cd.

Can you explain what I am doing wrong in order to limit users connecting via sftp to their own directory?

pixeline
  • Is `/bin/rbash` included in `/etc/shells`? – Jenny D Feb 26 '14 at 10:37
  • No, it is not. I created it using a symlink to /etc/bash. – pixeline Feb 26 '14 at 10:40
  • I've added it to the shells file. Reloaded sshd. Connection still closes. – pixeline Feb 26 '14 at 10:42
  • What does the ssh log show? – Jenny D Feb 26 '14 at 10:43
  • `Feb 26 11:41:08 sshd[10401]: pam_unix(sshd:session): session opened for user john by (uid=0) Feb 26 11:41:08 sshd[10401]: pam_unix(sshd:session): session closed for user john` – pixeline Feb 26 '14 at 10:52
  • I found another question which contains complete instructions for how to chroot in sftp. Could you look at http://serverfault.com/questions/497011/sftp-user-cant-edit-or-create-files - if it is what you need, then I'd like to close this question as a duplicate – Jenny D Feb 26 '14 at 10:59
  • Thank you. If I understand that question's answer, it's not using openssh-server. I have to see the implications of switching to internal-sftp. I'll get back to you in a short while. – pixeline Feb 26 '14 at 11:31
  • Thank you, it helped. The proposed answer by mr.spuratic did provide a working solution that I found clearer. – pixeline Feb 26 '14 at 11:42

2 Answers


rbash won't let you run commands with a leading /; if that's being attempted, it will simply exit.

Unless you're using the internal sftp-server, an attempt to exec /usr/libexec/sftp-server will fail.

Using `Subsystem sftp internal-sftp` in the sshd_config will fix that.

However, using rbash won't stop sftp from wandering around your filesystem; you probably want to chroot the users instead.

mr.spuratic
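The configuration the answer above points to, as an added example that is not part of either answer: a Match block that forces internal-sftp and chroots members of a group into their home, plus a shell check for the path-ownership rule sshd applies to ChrootDirectory. The group name `sftponly` and the `upload` subdirectory are assumptions, not something from the original question.

```bash
#!/bin/bash
# Added example, not part of either answer: the sshd_config fragment that
# applies the advice above (internal-sftp plus a chroot), and a check for
# the ownership rule sshd enforces on ChrootDirectory. The group name
# "sftponly" and the upload subdirectory are assumptions.

SFTP_MATCH_BLOCK='
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
'

# sshd rejects a ChrootDirectory unless every component of its path is owned
# by root and not writable by group or others (the log message is
# "bad ownership or modes for chroot directory"). Because the home itself
# must then be root-owned, give the user a writable subdirectory such as
# /home/john/upload owned by john.
#
# check_chroot_path ABSOLUTE_PATH [OWNER_UID] [TOP]
#   walks the path up to TOP (default /) and prints every violation;
#   returns 0 when the chain is acceptable, 1 otherwise, 2 on stat failure.
check_chroot_path() {
    local dir=$1 owner=${2:-0} top=${3:-/} rc=0 uid mode
    while :; do
        uid=$(stat -c '%u' "$dir") || return 2
        mode=$(stat -c '%a' "$dir") || return 2
        if [ "$uid" != "$owner" ]; then
            echo "BAD: $dir is owned by uid $uid, expected $owner"; rc=1
        fi
        # 022 masks the group and other write bits of the octal mode
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD: $dir has mode $mode (group/world writable)"; rc=1
        fi
        [ "$dir" = "$top" ] || [ "$dir" = "/" ] || [ "$dir" = "." ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Stand-alone use: ./check_chroot.sh /home/john
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && printf '%s\n' "$SFTP_MATCH_BLOCK"
fi
```

Run the check against each chrooted home before restarting sshd; a single group-writable parent directory is enough to make every login in the Match block fail.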

You can use the normal shell without the link; for a restricted shell, put this in /etc/profile:

 if [[ $USER == "pluto" ]]; then
      export PATH=$HOME/bin        # only commands linked into ~/bin are reachable
      readonly PATH                # the user cannot widen PATH again
      set -r                       # turn this login shell into a restricted shell
 fi

and

 mkdir /home/pluto/bin              # as root
 ln -s /bin/ls /home/pluto/bin/ls

In this way sftp works and pluto can only use the ls command.

c4f4t0r