Difference between revisions of "Scponly"

From ArchWiki
m (Do not use -Sy when installing packages)
(Adding a chroot jail)
Line 20: Line 20:
 
==Adding a chroot jail==
 
==Adding a chroot jail==
  
Note: The Arch package seems to be missing some files required for automating this process.  The steps I following on a Debian box:
+
* Create chroot
 
+
  # cd /usr/share/doc/scponly/
  $ cd /usr/share/doc/scponly/setup_chroot
+
  # ./setup_chroot.sh  
  # gunzip setup_chroot.sh.gz
+
* Provide answers
# chmod +x setup_chroot.sh
+
* Check that /path/to/chroot has root:root owner and r-x for others
# ./setup_chroot.sh
+
* Change shell for selected user to /usr/sbin/scponlyc
 +
* sftp-server may require some libnss modules such as libnss_files. Copy them to chroot's /lib
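Review bot: the added step "Change shell for selected user to /usr/sbin/scponlyc" points at /usr/sbin, while the Setup section of the same page sets the shell to /usr/bin/scponly; confirm which directory the Arch package installs into and use it consistently. The change also removes the note that the Arch package seems to be missing files needed to automate this, together with the gunzip and chmod +x steps, without saying whether setup_chroot.sh is now shipped uncompressed and executable in /usr/share/doc/scponly/; either state that or keep the caveat. "Provide answers" is too thin to follow; say what the script asks for.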

Revision as of 16:13, 3 May 2011

Introduction

Scponly is a limited shell that gives users scp/sftp access, and only scp/sftp access, to your box. Additionally, you can set up scponly to chroot the user into a particular directory, increasing the level of security.

Installation

Prerequisites

This guide assumes that you have sshd installed, configured, and running.

Setup

Scponly resides in [community] and can be installed like any other package:

# pacman -S scponly

If you have a user already created, simply set the user's shell to scponly:

# usermod -s /usr/bin/scponly username

That's it. Go ahead and test it using your favorite sftp client.

Adding a chroot jail

  • Create the chroot:
# cd /usr/share/doc/scponly/
# ./setup_chroot.sh
  • Provide answers to the script's prompts
  • Check that /path/to/chroot is owned by root:root and grants r-x to others
  • Change the shell for the selected user to /usr/sbin/scponlyc
  • sftp-server may require some libnss modules such as libnss_files. Copy them to the chroot's /lib
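
The checks in the list above (root:root ownership with r-x for others, the scponlyc login shell, libnss_files in the chroot's /lib) written as a small audit script. This is an added example, not part of the wiki page or the scponly package; the function names and the use of GNU `stat -c` are assumptions, and the shell path is the one given on this page.

```shell
#!/bin/sh
# Added example: audit an scponly chroot after setup_chroot.sh has run.
# Shell path as given on the page; override if your package installs elsewhere.
SCPONLYC=${SCPONLYC:-/usr/sbin/scponlyc}

# eval_chroot_stat OWNER:GROUP OCTAL_MODE
# Succeeds only for root:root with r-x (5) as the permissions for others.
eval_chroot_stat() {
    owner=$1 mode=$2
    other=${mode#"${mode%?}"}   # last octal digit = bits for others
    [ "$owner" = "root:root" ] || { echo "owner $owner, want root:root" >&2; return 1; }
    [ "$other" = "5" ] || { echo "others=$other, want 5 (r-x)" >&2; return 1; }
}

# check_chroot_dir DIR: read owner and mode with GNU stat, then apply the rule.
check_chroot_dir() {
    [ -d "$1" ] || { echo "$1 is not a directory" >&2; return 1; }
    info=$(stat -c '%U:%G %a' "$1") || return 1
    eval_chroot_stat "${info% *}" "${info##* }"
}

# shell_is_scponlyc PASSWD_LINE: last field of a passwd(5) entry is the login shell.
shell_is_scponlyc() {
    [ "${1##*:}" = "$SCPONLYC" ]
}

# has_nss_files CHROOT: the jail's /lib holds at least one libnss_files* object.
has_nss_files() {
    for f in "$1"/lib/libnss_files*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Usage: sh audit.sh /path/to/chroot username   (both arguments are the caller's)
if [ $# -eq 2 ]; then
    check_chroot_dir "$1" || exit 1
    has_nss_files "$1" || { echo "no libnss_files in $1/lib" >&2; exit 1; }
    shell_is_scponlyc "$(getent passwd "$2")" || { echo "$2 shell is not $SCPONLYC" >&2; exit 1; }
    echo "chroot $1 and user $2 look correct"
fi
```

Run it as root after changing the user's shell; a non-zero exit names the first check that failed.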