> > I have a file server that has ssh on a public IP. We've been using
> > SCP/FTPS over ssh to get to the server, but since it's sshd the users
> > can see the entire file system.

I have a yum repository at http://tcs.uj.edu.pl/~buildcentos/ which includes the CentOS ssh rebuilt with a tiny patch which makes sshd chroot on login if it sees a /./ in the user's home directory, i.e. setting a user's home directory to /home/user/./home/user makes the sshd chroot into /home/user for the session.

For this to be usable the /home/user chroot directory requires some basic libs, a shell, possibly /etc/passwd and /etc/shells, maybe some others. As an example I have:

[root at gaia ~]# cat /etc/passwd | grep jail
jail:x:1000:1000:Jail SSH Port Forwarding Receiver:/home/jail/./:/sbin/nologin

[root at gaia ~]# ls -laR /home/jail
/home/jail:
total 56
drwx------  6 jail jail    4096 Jul  4 23:55 .
drwxr-xr-x  8 root root    4096 Jul 25 00:22 ..
drwxr-xr-x  2 jail jail    4096 Jun  5 00:52 etc
drwxr-xr-x  3 jail jail    4096 Jun  5 00:47 lib
-rw-r--r--  1 jail jail     319 Jul  4 23:55 nologin.c
drwxr-xr-x  2 jail jail    4096 Jul  4 23:55 sbin
drwx------  2 jail jail    4096 Jun  5 01:27 .ssh

/home/jail/etc:
total 24
drwxr-xr-x  2 jail jail    4096 Jun  5 00:52 .
drwx------  6 jail jail    4096 Jul  4 23:55 ..
-rw-r--r--  1 jail jail      55 Jun  5 00:53 passwd

/home/jail/lib:
total 140
drwxr-xr-x  3 jail jail    4096 Jun  5 00:47 .
drwx------  6 jail jail    4096 Jul  4 23:55 ..
-rwxr-xr-x  1 jail jail  106397 Mar  8  2006 ld-2.3.4.so
lrwxrwxrwx  1 jail jail      11 Jun  5 00:47 ld-linux.so.2 -> ld-2.3.4.so
drwxr-xr-x  2 jail jail    4096 Jun  5 00:48 tls

/home/jail/lib/tls:
total 1452
drwxr-xr-x  2 jail jail    4096 Jun  5 00:48 .
drwxr-xr-x  3 jail jail    4096 Jun  5 00:47 ..
-rwxr-xr-x  1 jail jail 1454546 Mar  8  2006 libc-2.3.4.so
lrwxrwxrwx  1 jail jail      13 Jun  5 00:48 libc.so.6 -> libc-2.3.4.so

/home/jail/sbin:
total 28
drwxr-xr-x  2 jail jail    4096 Jul  4 23:55 .
drwx------  6 jail jail    4096 Jul  4 23:55 ..
-rwxr-xr-x  1 jail jail    4957 Jul  4 23:55 nologin

/home/jail/.ssh:
total 24
drwx------  2 jail jail    4096 Jun  5 01:27 .
drwx------  6 jail jail    4096 Jul  4 23:55 ..
-rw-r--r--  1 jail jail    2828 Jul 24 03:34 authorized_keys

[root at gaia ~]# cat /home/jail/etc/passwd
jail:x:1000:1000:Jail user:/home/jail/./:/sbin/nologin

[root at gaia ~]# cat /home/jail/.ssh/authorized_keys
command="/sbin/nologin",permitopen="x.x.x.x:22",no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPBOE...7HgvH7w== maze at athena

[root at gaia ~]# cat /home/jail/nologin.c
#include <stdio.h>
#include <time.h>

/* Forced "shell" for the jail account: it never returns, so the session
 * stays up for port forwarding but offers nothing to run. */
int main(void)
{
    fprintf(stderr, "Infinite loop shell initialized...\r\n");
    for (;;) {
        /* sleep a day per iteration; the loop never exits */
        static struct timespec ts;
        ts.tv_sec = 86400;
        ts.tv_nsec = 0;
        nanosleep(&ts, &ts);
    }
    return 0;
}

What is perhaps not obvious is that the above allows the 'jail' user to log in remotely with an ssh key, getting a no-op infinite loop shell, which only permits port forwarding to the ssh port (which is not used) - but more importantly allows reverse port forwarding on any port. I use this to allow dynamic IP'ed clients (laptops and the like) to always be accessible (for maintenance) at a static port (i.e. like an ssh daemon on a different port) on my server.

Use as you see fit...

Maciej
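As an added example, not part of Maciej's post or of the patched sshd, the script below parses the two entries that define such an account, the passwd line with its /./ chroot marker and the authorized_keys line with its key options, and reports what the options leave open. It makes the point of the last paragraph explicit: permitopen= only restricts local (-L) forwards, so remote (-R) forwards stay unrestricted unless a permitlisten= option (a newer OpenSSH feature) or no-port-forwarding is present. The interpretation of restrict/port-forwarding, the sample passwd and key lines (fake key blob, TEST-NET address) and all function names are the example's own assumptions.

```python
"""Audit a forwarding-only jail account: /etc/passwd line plus authorized_keys line.
Added example; the sample data below is constructed, not taken from a real host."""
from __future__ import annotations

from dataclasses import dataclass

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def split_chroot_home(home: str) -> tuple[str, str] | None:
    """The /./ convention from the post: text before the marker is the chroot
    directory, text after it is the working directory inside the jail.
    Returns None when there is no marker (the patched sshd would not chroot)."""
    root, marker, inside = home.partition("/./")
    if not marker:
        return None
    return (root or "/", "/" + inside.strip("/"))


def _split_options(text: str) -> tuple[list[str], str]:
    """Split the leading options field of an authorized_keys line on commas,
    honouring double quotes (a comma or space inside quotes does not split)
    and backslash escapes. Returns (options, rest_of_line)."""
    opts, cur, in_quotes, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if in_quotes:
            if ch == "\\" and i + 1 < len(text):
                cur.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_quotes = False
            else:
                cur.append(ch)
        elif ch == '"':
            in_quotes = True
        elif ch == ",":
            opts.append("".join(cur))
            cur = []
        elif ch.isspace():
            break
        else:
            cur.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote in key options")
    if cur:
        opts.append("".join(cur))
    return opts, text[i:].strip()


@dataclass
class KeyEntry:
    options: list[tuple[str, str | None]]   # (name, value); bare flags carry None
    key_type: str
    key_blob: str
    comment: str

    def names(self) -> set[str]:
        return {n for n, _ in self.options}

    def values(self, name: str) -> list[str]:
        return [v for n, v in self.options if n == name and v is not None]


def parse_key_line(line: str) -> KeyEntry:
    line = line.strip()
    if not line:
        raise ValueError("empty line")
    if line.split(None, 1)[0] in KEY_TYPES:      # no options field at all
        raw, rest = [], line
    else:
        raw, rest = _split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"not an authorized_keys entry: {line[:40]!r}")
    options = []
    for opt in raw:
        name, eq, value = opt.partition("=")
        options.append((name.lower(), value if eq else None))  # names are case-insensitive
    return KeyEntry(options, parts[0], parts[1], parts[2] if len(parts) > 2 else "")


def audit_key(entry: KeyEntry) -> list[str]:
    """List what the key options still allow for a forwarding-only account."""
    names, findings = entry.names(), []
    if "command" not in names:
        findings.append("no command= forced command: key gives a real login shell")
    if "restrict" not in names:   # assumption: 'restrict' implies every no-* flag below
        for flag in ("no-pty", "no-x11-forwarding", "no-agent-forwarding"):
            if flag not in names:
                findings.append(f"missing {flag}")
    forwarding_on = "no-port-forwarding" not in names and (
        "restrict" not in names or "port-forwarding" in names)
    if forwarding_on:
        if "permitopen" in names and "permitlisten" not in names:
            findings.append("permitopen= limits local (-L) forwards only; remote (-R) "
                            "forwards stay open on any port without permitlisten=")
        for spec in entry.values("permitopen"):
            host, _, port = spec.rpartition(":")
            if port == "*":
                findings.append(f"permitopen={spec} allows any port on {host}")
    return findings


def audit_account(passwd_line: str, key_line: str) -> list[str]:
    fields = passwd_line.split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd line")
    findings = []
    if split_chroot_home(fields[5]) is None:
        findings.append(f"home {fields[5]!r} has no /./ marker: sshd will not chroot")
    findings.extend(audit_key(parse_key_line(key_line)))
    return findings


# Constructed sample, modelled on the post's layout (fake key blob, TEST-NET address).
SAMPLE_PASSWD = "jail:x:1000:1000:Jail user:/home/jail/./:/sbin/nologin"
SAMPLE_KEY = ('command="/sbin/nologin",permitopen="192.0.2.10:22",no-X11-forwarding,'
              'no-agent-forwarding,no-pty ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE== maze@example')

if __name__ == "__main__":
    for finding in audit_account(SAMPLE_PASSWD, SAMPLE_KEY):
        print("-", finding)
```

Run against the sample the only finding is the remote-forwarding one, which matches the post's own observation; a key line without command= or without the no-* flags would add a finding per missing restriction.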