[nycbug-talk] virtual users and ftp/scp/rsync-ssh

[George Georgalis]

On Wed, Jun 02, 2004 at 12:13:46PM -0400, Pete Wright wrote:
>George Georgalis wrote:
>
>>On Wed, Jun 02, 2004 at 10:47:53AM -0400, Bob Ippolito wrote:
>> 
>>
>>I tend to stick with 'traditional' installations, for a variety
>>of reasons.  Trying twistedmatrix would cause a variety of site
>>technical/political issues, besides the extra time to learn it...
>>
>>
>> 
>>
>just a question, why are you shying away from chroot'ing each of these 
>users?  you can set up each jail with access only to rsync/scp/sftp etc. 
>and the respective config files.  as i found with the proftp jail's, 
>it's not as hard as it seems.  it just takes a bit of planning, but once 
>you figure out what each user needs things should be ok.  new jails can 
>even be automated with a scripting lang as well.  i do know that whith 
>jailed ssh sessions there are issues with running programs like "w" and 
>"ps", altho it doesn't seem like you need interactive logins....

Sounds like a nice way to go. I've only used commercial "chroot hosting
solutions" (ensim) and packages that implement them for me, like djbdns.
I've been meaning to go through a chroot apache howto but it has gotten
bumped for 6+ months. Any links for setting up a chroot like you
describe would be welcome, I need to read up on the process.

A non-login chroot for each user that allows transfer protocols
would fit the bill, if it doesn't require system accounts (they would
disrupt some portability that's in place), so I'm back to my original
question of services based on a user/auth cdb and checkpassword.

BTW - is there a way to give cvs access but no login shell and no
pserver? 

// George


-- 
George Georgalis, Architect and administrator, Linux services. IXOYE
http://galis.org/george/  cell:646-331-2027  mailto:george at galis.org
Key fingerprint = 5415 2738 61CF 6AE1 E9A7  9EF0 0186 503B 9831 1631