- FTP usually sucks. Unless sent over SSL, all information is sent cleartext.
- SSH usually rules. SSH sends all data over an encrypted channel -- the main drawback is: you can often browse around the system, and if permissions aren't set right, read things you shouldn't be able to.
- Chroot'd SSH rocks. The solution to both the above problems
So, let me tell a quick story.
When I started uni in 2001 I was a nerd. Still a nerd, I guess. I was cramped in my apartment on campus with like 5 boxes, most of them crappy p100s running Linux or OpenBSD. Life was good.
I started a CS degree (shifted into Business with a focus on IT), and we were told to use the school's main servers to compile our programs. The other interesting thing is that all user accounts were visible when logged in via ssh -- but hey, that is just the nature of Linux. I knew this, but asked the head I.T. person "why don't you jail the connections?" He responded quickly telling me to go away.
Well, shortly after making the comment (although solutions existed at the time being), pam-chroot was released. This is right about the time students figured they could spam everybody in the school, some 25,000 emails, quickly and easily -- 'cause all the accounts were displayed. Sweet -- now we can chroot individual ssh connections.
This quick demo will be on Debian, we'll create a pretend user named "karl." (I'll assume you've already added the user before beginning these steps). Also, the jails will be in /var/chroot/{username}
First: Install libpam-chroot and makejail
session required pam_chroot.sokelvin@server ~$ sudo apt-get install libpam-chroot makejail
Second: makejail config file
Put the following in /etc/makejail/create-user.py:
#Clean the jail cleanJailFirst=1 preserve=["/html", "/home"] chroot="/var/chroot/karl" users=["root","karl"] groups=["root","karl"] packages=["coreutils"]
Edit: If you need to use SFTP also, try this config:
cleanJailFirst=1 preserve=["/html", "/home"] chroot="/home/vhosts/karl" forceCopy=["/usr/bin/scp", "/usr/lib/sftp-server", / "/usr/bin/find", "/dev/null", "/dev/zero"] users=["root","karl"] groups=["root","karl"] packages=["coreutils"]
As you'll see, there is a "preserve" directive. This is so that when you "clean" the jail (if you need to refresh the files, for instance), you won't wipe out anything important. I created an /html so that the user can upload their web docs to that file.
Third: configure libpam_chroot
Add the following to /etc/pam.d/ssh:
# Set up chrootd ssh session required pam_chroot.so
Forth: allow the actual user to be chrootd
Edit /etc/security/chroot.conf and add the following:
karl /var/chroot/karl
Fifth: create/chown the chroot'd dir
kelvin@server ~$ sudo mkdir -p /var/chroot/karl/home kelvin@server ~$ sudo chown /var/chroot/karl/home
Now you should be able to log in, via the new username karl.