[nycbug-talk] virtual users and ftp/scp/rsync-ssh
pete at nomadlogic.org
Wed Jun 2 14:25:14 EDT 2004
George Georgalis wrote:
>On Wed, Jun 02, 2004 at 12:13:46PM -0400, Pete Wright wrote:
>>just a question, why are you shying away from chroot'ing each of these
>>users? you can set up each jail with access only to rsync/scp/sftp etc.
>>and the respective config files. as i found with the proftp jails,
>>it's not as hard as it seems. it just takes a bit of planning, but once
>>you figure out what each user needs things should be ok. new jails can
>>even be automated with a scripting lang as well. i do know that with
>>jailed ssh sessions there are issues with running programs like "w" and
>>"ps", altho it doesn't seem like you need interactive logins....
>Sounds like a nice way to go. I've only used commercial "chroot hosting
>solutions" (ensim) and packages that implement them for me, like djbdns.
>I've been meaning to go through a chroot apache howto but it has gotten
>bumped for 6+ months. Any links for setting up a chroot like you
>describe would be welcome, I need to read up on the process.
>A non-login chroot for each user that allows transfer protocols
>would fit the bill, if it doesn't require system accounts (they would
>disrupt some portability that's in place), so I'm back to my original
>question of services based on a user/auth cdb and checkpassword.
this is what i accomplished using proftpd-mysql. all user info stored
in the DB (username/pass/uid/gid/homedir), and each child ftp daemon is
spawned in a jail, so even if someone is able to own the ftp daemon it is
confined to the jail. another nice feature of proftpd is that home
dirs will be created dynamically. but i digress. as for other services
(rsync...) it might be worth checking out PAM, there may be auth modules
out there that have what you are looking for. i know of imap auth-db
PAM modules for example, i'm not too sure about rsync/ssh tho.
i think the second link i posted is a good starting place for
FreeBSD. OpenBSD also makes heavy use of jails. I do not have any
direct links right now, only the mans ;) maybe someone else on the list
knows of a good howto or something...
>BTW - is there a way to give cvs access but no login shell and no
this i don't know, altho i assume it should be pretty trivial.
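A proftpd.conf sketch of the setup described above (virtual users from a MySQL table, every session chrooted to its home directory, home directories created on first login). This is an added example, not the poster's own configuration; the database name, the users/groups table and column names, and the placeholder password are assumptions.

```apacheconf
# proftpd.conf excerpt: MySQL-backed virtual FTP users, each session chrooted.
# Added example, not the poster's config. Assumed: database "proftpd" on
# localhost, DB user "proftpd", table "users" with columns
# userid, passwd, uid, gid, homedir, shell and table "groups" with columns
# groupname, gid, members. The connection password is a placeholder.
<IfModule mod_sql.c>
  SQLBackend        mysql
  SQLEngine         on
  SQLAuthenticate   users groups
  # Passwords stored as crypt(3) hashes, never in the clear
  SQLAuthTypes      Crypt
  SQLConnectInfo    proftpd@localhost proftpd CHANGE_ME_PLACEHOLDER
  SQLUserInfo       users userid passwd uid gid homedir shell
  SQLGroupInfo      groups groupname gid members
  # Refuse DB rows that would map onto system accounts (uid/gid below 1000)
  SQLMinUserUID     1000
  SQLMinUserGID     1000
</IfModule>
# Consult only the database for these logins; no fallback to /etc/passwd
AuthOrder           mod_sql.c
# Virtual users have no entry in /etc/shells; do not require one
RequireValidShell   off
# Chroot every authenticated session to the homedir column from the DB
DefaultRoot         ~
# Create a missing home directory on first login, mode 770, owned by the DB uid/gid
CreateHome          on 770
```

With DefaultRoot the chroot happens after authentication, so the daemon still needs to read the config and reach the database beforehand; the uid/gid floor is what keeps a bad row in the table from handing a virtual user a system account's identity.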