SSH Jailing? Disable viewing of dot files/folders with SCP clients?

Gavin McCullagh gmccullagh at gmail.com
Thu Aug 2 01:39:02 BST 2007


Hi,

On Wed, 01 Aug 2007, Jim Kronebusch wrote:

> But when I enable the use of ssh and connect with a client such as WinSCP
> (Windows) or Gftp (Linux) or Fugu (OSX) I can browse the entire server.
> So I googled ssh jail /home and all solutions I find recommend creating
> some sort of /jail directory and relocating /home inside it such as
> /jail/home/username or /home/jail/home/username.  I don't really like the
> sound of that and don't fully understand what that could break in terms
> of LTSP and other apps.

If you're going to offer this to your thin client users, jailing in this
way will break their thin client experience in a big way.  For example, all
of the programs they use live in /bin, /usr/bin, etc.  If they can't ssh in
and see those programs, they basically can't have a session.  

You may be able to run two instances of sshd, one for internal (thin
client) use and one for external access and only jail people coming in
externally.  There is a blueprint approved for adding this functionality to
edubuntu, but it's not implemented yet as far as I know.

	https://blueprints.launchpad.net/ltsp/+spec/dedicated-ltsp-sshd

> Does anyone know of a way to keep users from traversing out of /home with
> modification of sshd.conf or at least with an add-on that doesn't require
> messing with the standard layout of /home?

Only in very limited circumstances.  If you want them to just be able to
scp it may work, but a thin client user must have access to the root.

scponly and its relevant links might be of interest (again only for scp
only users):

	http://sublimation.org/scponly/wiki/index.php/Main_Page

> Second minor problem is how to eliminate display of dot files when
> viewing with an SCP client.  I would like to disable display of dot
> files on the server side to eliminate the need of client modifications.

I doubt there's a sensible way to do this.  The dot files are there and
must be visible if the client asks to list "all" files.  If the client asks
for "all", which it apparently does, then the client needs to be told not
to do that.  If the server suppressed the dot files, despite being asked for
them, many other things might go bang.

> I figure if they know enough to make a change to display the files, they
> must already know they exist, and would then likely understand their
> role/importance.

For this reason (and for tidiness), gnome suppresses them by default -- but
I think you'd need to configure the scp client to do likewise.

Gavin
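Added example, not part of Gavin's mail or of LTSP/edubuntu: the "two sshd instances" idea above, done with a second sshd started from its own config file.  It assumes OpenSSH 4.8 or later, whose ChrootDirectory option did not exist when this thread was written, and it assumes a group "extusers" for the external accounts, port 2222 and the file name /etc/ssh/sshd_config.external; all of those are choices made for the example.  The jail is /home itself, so nothing under /home has to move: OpenSSH only accepts a chroot directory if it and every path component above it are owned by root and not group- or world-writable, which /home normally satisfies while /home/<user> does not.  Users then land in /<username> and cannot traverse above /home, though they can still see the other directory names in /home.  Because ForceCommand internal-sftp puts no binaries in the jail, only SFTP works, not the old scp protocol; WinSCP and similar clients speak SFTP, which also means the thin-client sshd on port 22 is left completely alone.

```sh
#!/bin/sh
# Added example (not from the original mail): a second, externally reachable
# sshd whose users are confined to /home for SFTP only.  Assumed: OpenSSH 4.8+,
# a group "extusers", port 2222, and the config path used in the usage block.

# Write the config for the external-only sshd instance.
# $1 = output file, $2 = port (defaults to 2222, an assumption for the example).
write_external_sshd_config() {
    out=$1
    port=${2:-2222}
    cat > "$out" <<EOF
# External-only sshd instance (example layout, not a distribution default)
Port $port
# Separate pid file so this instance does not fight the default sshd
PidFile /var/run/sshd-external.pid
PermitRootLogin no
PasswordAuthentication no
AllowGroups extusers
# Jail at /home: root-owned and not group/world-writable, so OpenSSH accepts
# it as a chroot without moving anyone's home directory.  Users land in
# /<username> and cannot see anything outside /home.
ChrootDirectory /home
# internal-sftp runs inside sshd, so the jail needs no shell or scp binary
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
Subsystem sftp internal-sftp
EOF
}

# Pre-check the rule sshd enforces at login: the chroot directory and every
# path component above it must be owned by root and not writable by group or
# other.  Returns 0 if the directory qualifies, 1 otherwise (reason on stderr).
check_chroot_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    p=$dir
    while :; do
        # find prints the path if it is NOT root-owned, or has g+w (020) or o+w (002)
        bad=$(find "$p" -maxdepth 0 \( ! -user root -o -perm -020 -o -perm -002 \) 2>/dev/null)
        if [ -n "$bad" ]; then
            echo "bad ownership or modes for chroot component: $p" >&2
            return 1
        fi
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return 0
}

# Usage (as root):  sh external-sshd.sh install
# Validates the config with sshd -t before starting the second daemon.
if [ "${1:-}" = install ]; then
    cfg=/etc/ssh/sshd_config.external
    write_external_sshd_config "$cfg" 2222
    check_chroot_dir /home || exit 1
    /usr/sbin/sshd -t -f "$cfg" && /usr/sbin/sshd -f "$cfg"
fi
```

If the external instance is reached through a firewall or NAT, forward only the external port to it and keep port 22 off the Internet; the internal sshd then keeps serving thin clients with full access to /bin, /usr/bin and the rest of the root filesystem, exactly as the mail says they need.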

More information about the edubuntu-users mailing list