ssh access control and limits per user

Is there a way to configure ssh such that a user is jailed to a certain subsection of the directory tree, has file-system limits (space quotas), and can not run any programs such that the only access to the system is sftp, scp, and rsync? This setup would only need to support a few users and needs to run on a low resource machine (single-core, 1GB RAM, 10.3-RELEASE-p7, i386). Before I start mucking about in sysjail and MAC docs, is this something ssh can do on its own? Or maybe a better question is, how much of this can ssh do on its own? Perhaps I can relax some of my requirements if a simple solution is available.

As always, any references, suggestions, experiences, explanations, insights, words of wisdom, war stories, etc. will be very appreciated!
 
What you probably need is shells/rssh.

Wow, that seems to be exactly what I need!

sudo pkg install rssh
sudo pw groupadd -n rsshuser
sudo chown root:rsshuser /usr/local/bin/rssh
sudo pw useradd -n banks -d /usr/local/chroot/banks -g rsshuser -s /usr/local/bin/rssh
sudo mkdir -p /usr/local/chroot/banks
sudo chown banks:rsshuser /usr/local/chroot/banks
sudo passwd banks

sudo vi /usr/local/etc/rssh.conf
Code:
logfacility=LOG_USER
umask=022
chrootpath=/usr/local/chroot
user=banks:022:10011:/usr/local/chroot/banks
sudo vi /etc/pf.conf
Code:
pass in inet proto tcp to nfe0 port ssh
sudo pfctl -f /etc/pf.conf

But when I test it with:
scp blah banks@minerva.bohemia.net:/
Code:
Password for banks@minerva.bohemia.net:
rssh_chroot_helper: wordexp() bad syntax
lost connection
rssh_chroot_helper wasn't installed with rssh. hmm....

EDIT: Oops, found it and did this:

sudo chown root:rsshuser /usr/local/libexec/rssh_chroot_helper
sudo chmod 4550 /usr/local/libexec/rssh_chroot_helper

But the results are exactly the same. Any ideas?
 
rssh in a chroot jail is rather elaborate to set up and seems to have some basic problems. From the rssh mailing list:
Also, I feel obligated to warn that rssh may be inherently insecure on
FreeBSD given this statement in the wordexp(3) manual page:

Do not pass untrusted user data to wordexp(), regardless of whether
the WRDE_NOCMD flag is set. The wordexp() function attempts to
detect input that would cause commands to be executed before passing
it to the shell but it does not use the same parser so it may be
fooled.

This is exactly what rssh does and has to do, so if there are indeed such
flaws, they would allow an authenticated attacker to bypass all of the
command restrictions (although, at least in theory, not the chroot).
I went with the sftp approach.
 
Back
Top