Want unusual config...

I want to configure sshd in a somewhat unusual way.  Reading the docs leaves
me a bit confused.  Hopefully somebody here can shed some light.  If so,
thanks in advance!

What I'd like is to have 2 or 3 users that are allowed to ssh into my server
with shell access.  I.e., they need to be able to log in just as if it were
a telnet session.  I've got this part working just fine.

In addition, I'd like *all* users (except root, of course) to be able to
SFTP in using sftp-server, and have their home directory appear to be the
root of their FTP account.

In other words, for most users I only want to allow SFTP connections, since
there is no reason for them to need shell access to the server.

The 2 problems I'm having are:

1) if I set AllowUsers to have the 2 or 3 special users, then I cannot use
SFTP from any other account.

2) when I SFTP in, it presents my home folder as /full-path-to-my-folder/
rather than /.

Hopefully I'm missing something simple.  Can anybody offer some advice?

Best Regards,
- Early Ehlinger

Re: Want unusual config...

You may need a chroot cage. I've been urging the inclusion of such tools for
years in the OpenSSH and ssh.com implementations, but so far ssh.com used a
"chroot shell script" which is an amazingly bad idea, and the OpenSSH
authors have refused to include it as built-in code. It's at
http://sourceforge.net/projects/chrootssh/. It does require resetting the
user's home directory path to be "/home/username/./" to chroot to

There's "rssh" as well at http://sourceforge.net/projects/rssh/

But I'm actually going to try to urge you away from this approach. It's
fairly fraught with difficulties building and maintaining the cages, and if
you have an NIS or LDAP based network authentication system it can break
down trying to maintain normal access on some systems and chrooted access on

Instead, I urge you to look into "WebDAV" and HTTPS, with very good clients
built right into recent Windows releases and Java-based tools such as
"DAVexplorer" providing nice GUI tools for Linux. By using the built-in
chroot tools built into it, you can easily manage quite a secure little set
of upload/download directories, with very good resolution of the privileges
to access them, and use the HTTPS port which is more likely to be open for
off-site access than SSH.

Re: Want unusual config...

Thanks for the swift response.  I truly appreciate it.

I'm afraid this won't work very well, since I would have to have a jail for
*every user*, which would be a bear to maintain.  What happens if I need to
change the jail for any reason, etc., etc.

And I can hardly wait for the deluge of questions like "Hey, what's this
/bin folder here for?"

This looks rather promising.  I may need to hack on it a little bit to get
what I want, but it should be relatively straightforward :)  It seems that
the only thing it lacks is a pseudo-chroot like wu-ftpd provides, so that
everybody has their own virtual root.

I'm still trying to see how either of these approaches restricts only select
users to the sftp subsystem.  In other words, it seems to allow me to have
sftp-only access for everybody, but without the ability to allow SSH-shell
access to trusted users.

This might be usable, but seems like quite a bit of overkill.  Also, I get
the impression that the clients are not quite as focused on simple batch
file transfers as they are for SFTP, which would be a serious downside for
my customers.

Best Regards,
- Early Ehlinger -

Re: Want unusual config...

I don't understand what you're saying here. I find WebDAV superior to SFTP
for both batch and individual file transfers, due to its ubiquitous
availability and workable graphical clients for both Windows and Linux. Are
you saying they need a more scriptable set of file transfer tools, or what?
