[nycbug-talk] virtual users and ftp/scp/rsync-ssh

Pete Wright pete
Wed Jun 2 14:25:14 EDT 2004

George Georgalis wrote:

>On Wed, Jun 02, 2004 at 12:13:46PM -0400, Pete Wright wrote:
>>just a question, why are you shying away from chroot'ing each of these 
>>users?  you can set up each jail with access only to rsync/scp/sftp etc. 
>>and the respective config files.  as i found with the proftp jail's, 
>>it's not as hard as it seems.  it just takes a bit of planning, but once 
>>you figure out what each user needs things should be ok.  new jails can 
>>even be automated with a scripting lang as well.  i do know that whith 
>>jailed ssh sessions there are issues with running programs like "w" and 
>>"ps", altho it doesn't seem like you need interactive logins....
>Sounds like a nice way to go. I've only used commercial "chroot hosting
>solutions" (ensim) and packages that implement them for me, like djbdns.
>I've been meaning to go through a chroot apache howto but it has gotten
>bumped for 6+ months. Any links for setting up a chroot like you
>describe would be welcome, I need to read up on the process.
>A non-login chroot for each user that allows transfer protocols
>would fit the bill, if it doesn't require system accounts (they would
>disrupt some portability that's in place), so I'm back to my original
>question of services based on a user/auth cdb and checkpassword.
this is what i accomplished using proftpd-mysql.  all user info stored 
in the DB (username/pass/uid/gid/homedir), and each child ftp daemon is 
spawned in a jail, so even if some is able to own the ftp daemon it is 
confinded to the jail.  another nice feature of proftpd is what home 
dirs will be created dynamicly.  but i digress.  as for other services 
(rsync...) it might be worth checking out PAM, there may be auth modules 
out there that have what you are looking for.  i know of imap auth-db 
PAM modules for example, i'm not too sure about rsync/ssh tho.

    i think the second link i posted is a good starting place for 
FreeBSD.  OpenBSD also makes heavy use of jails.  I do not have any 
direct links right now, only the mans ;)  maybe someone else on the list 
knows of a good howto or something...

>BTW - is there a way to give cvs access but no login shell and no
this i don't know, altho i assume it should be pretty trvial.



More information about the talk mailing list