[KLUG Members] ssh lock a user in a single directory

Richard Harding members@kalamazoolinux.org
Mon, 10 May 2004 11:06:20 -0400


Adam Tauno Williams wrote:

>On Mon, 2004-05-10 at 10:05 -0400, Richard Harding wrote: 
>  
>
>>I have a user off site that has a web site subfolder they manage. I 
>>would like to have them use scp to upload/remove files. I have created 
>>them an account, but I am having trouble locking them in /var/www/subdir 
>>folder for all of their work. I found a way to chroot users that come in 
>>with sftp to their home directory, but I cannot seem to get it to work. 
>>The ChRootUsers is a bad command when I try to reload the ssh config. 
>>This also does not allow me to lock them into the selected directory.
>>Any ideas as to the best way of doing this?
>>    
>>
>
>Have you tried just doing this via PAM?
>
>/etc/pam.d/sshd:
>#%PAM-1.0
>auth required /lib/security/pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/login_limit_list.conf
>auth required /lib/security/pam_securetty.so
>auth required /lib/security/pam_stack.so service=system-auth
>auth required /lib/security/pam_pwdb.so shadow
>auth required /lib/security/pam_nologin.so
>account required /lib/security/pam_stack.so service=system-auth
>password required /lib/security/pam_stack.so service=system-auth
>session required /lib/security/pam_stack.so service=system-auth
>session required /lib/security/pam_chroot.so debug
>session optional /lib/security/pam_console.so
>
>/etc/security/chroot.conf:
># format:
># username_regex        chroot_dir
>brown			/home/brown
>
I don't have the same pam_xxx.so you have. I cannot find a pam_chroot.so 
and such.

Here is what my pam file for ssh looks like:
#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_unix.so
auth       required     pam_env.so # [1]

account    required     pam_unix.so

session    required     pam_unix.so
session    optional     pam_lastlog.so # [1]
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so

password   required     pam_unix.so
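As an added example (not from either poster), here is a small checker for the `/etc/security/chroot.conf` format quoted above: it parses `username_regex  chroot_dir` rules, resolves which directory a given user would land in, and flags chroot targets that are not root-owned or are group/world-writable. The sample configuration is constructed for this example, and the anchored-regex matching is an assumption about how pam_chroot interprets the pattern column.

```python
import os
import re
import stat

# Constructed sample in the chroot.conf format quoted in the thread.
# Lines are "username_regex  chroot_dir"; '#' starts a comment.
SAMPLE_CHROOT_CONF = """\
# format:
# username_regex        chroot_dir
brown                   /home/brown
web.*                   /var/www/subdir
"""


def parse_chroot_conf(text):
    """Return a list of (compiled_regex, chroot_dir) in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'username_regex chroot_dir'")
        pattern, chroot_dir = parts
        # Assumption: the pattern matches the whole username, so "brown"
        # does not also catch "brownie" or "notbrown".
        rules.append((re.compile(rf"^(?:{pattern})$"), chroot_dir))
    return rules


def chroot_for(rules, username):
    """First matching rule wins; None means the user is not chrooted."""
    for regex, chroot_dir in rules:
        if regex.match(username):
            return chroot_dir
    return None


def chroot_dir_problems(path, uid, mode):
    """Check a chroot target's path, owner uid and permission bits."""
    problems = []
    if not os.path.isabs(path):
        problems.append("chroot_dir must be an absolute path")
    if uid != 0:
        problems.append("chroot_dir must be owned by root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("chroot_dir must not be group- or world-writable")
    return problems


def check_chroot_dir(path):
    """Stat a real directory and run the checks above on it."""
    st = os.stat(path)
    return chroot_dir_problems(path, st.st_uid, stat.S_IMODE(st.st_mode))
```

Because the chroot root itself must stay root-owned and unwritable, the directory the web user uploads into should be a subdirectory beneath that root rather than the root itself.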