# ssh access control and limits per user



## hanzer (Oct 5, 2016)

Is there a way to configure ssh such that a user is jailed to a certain subsection of the directory tree, has file-system limits (space quotas), and can not run any programs such that the only access to the system is sftp, scp, and rsync? This setup would only need to support a few users and needs to run on a low resource machine (single-core, 1GB RAM, 10.3-RELEASE-p7, i386). Before I start mucking about in sysjail and MAC docs, is this something ssh can do on its own? Or maybe a better question is, how much of this can ssh do on its own? Perhaps I can relax some of my requirements if a simple solution is available.

As always, any references, suggestions, experiences, explanations, insights, words of wisdom, war stories, etc. will be very appreciated!


----------



## Remington (Oct 5, 2016)

What you probably need is shells/rssh.

- or -

https://malacube.wordpress.com/tag/freebsd-sftp-setup/


----------



## hanzer (Oct 5, 2016)

Remington said:


> What you probably need is shells/rssh.



Wow, that seems to be exactly what I need!

`sudo pkg install rssh`
`sudo pw groupadd -n rsshuser`
`sudo chown root:rsshuser /usr/local/bin/rssh`
`sudo pw useradd -n banks -d /usr/local/chroot/banks -g rsshuser -s /usr/local/bin/rssh`
`sudo mkdir -p /usr/local/chroot/banks`
`sudo chown banks:rsshuser /usr/local/chroot/banks`
`sudo passwd banks`

`sudo vi /usr/local/etc/rssh.conf`

```
logfacility=LOG_USER
umask=022
chrootpath=/usr/local/chroot
user=banks:022:10011:/usr/local/chroot/banks
```
`sudo vi /etc/pf.conf`

```
pass in inet proto tcp to nfe0 port ssh
```
`sudo pfctl -f /etc/pf.conf`

But when I test it with:
`scp blah banks@minerva.bohemia.net:/`

```
Password for banks@minerva.bohemia.net:
rssh_chroot_helper: wordexp() bad syntax
lost connection
```
*rssh_chroot_helper* wasn't installed with *rssh*. hmm....

EDIT: Oops, found it and did this:

`sudo chown root:rsshuser /usr/local/libexec/rssh_chroot_helper`
`sudo chmod 4550 /usr/local/libexec/rssh_chroot_helper`

But the results are exactly the same. Any ideas?


----------



## hanzer (Oct 14, 2016)

rssh in a chroot jail is rather elaborate to set up and seems to have some basic problems. From the rssh mailing list:


> Also, I feel obligated to warn that rssh may be inherently insecure on
> FreeBSD given this statement in the wordexp(3) manual page:
> 
> Do not pass untrusted user data to wordexp(), regardless of whether
> ...


I went with the sftp approach.


----------

