# Is this secure enough for sharing SSH/SFTP access?



## olav (Aug 22, 2010)

A friend of mine needs access to some files. He is a good friend, but he is often infected with viruses and likes to mess with things he is not supposed to.

I also do not want him to read other parts of my system.

Since my friend is not connected to my LAN and I have only one public IP address, I decided to create something with a combination of rssh and chroot.

I created a new user "roy", added him to the group olavsFriends, set rssh as login shell and set his home folder to /home/chroot/roy. Finally I added this to the bottom of the /etc/ssh/sshd_config file:

```
Match Group olavsFriends
    ChrootDirectory /home/chroot/
    AllowTcpForwarding no
    ForceCommand internal-sftp
    X11Forwarding no
```

I found out that I missed some files that were required by rssh and copied them into the /home/chroot folder.

Then it worked; when he logs in, the "root" is now /home/chroot.

Is this safe enough?
Is it possible to chroot his home folder /home/chroot/roy and keep the rssh files in /home/chroot?


----------



## shitson (Aug 22, 2010)

If I was going to share a file or some files with a friend I could not verify the integrity of, I would use FTP/SFTP, give the user (your mate) only read access to the directory and ensure that his root is his home directory (if you're using something like VSFTPd you can use the option {chroot_local_user=YES} in the vsftpd.conf).

I assume that because he is infected with viruses that he is on some type of Windows Box and may not really understand how to access files via the command line. 

Just another perspective.


----------



## olav (Aug 22, 2010)

Read access only is of course very important. He uses WinSCP, which works fine with rssh.


----------



## gilinko (Aug 22, 2010)

Or create a simple jail, that will be totally cut off from your base system and all other things you might have running there.


----------



## olav (Aug 22, 2010)

But a jail requires an additional IP address, or an ssh service running on another port. I really don't want that.


----------



## gilinko (Aug 22, 2010)

olav said:

> But a jail requires an additional IP address, or an ssh service running on another port. I really don't want that.

If it's just for quickly sharing files, use a +1024 port, like ssh 10022, on your base OS and have it forward to port 22 on your jail.


----------



## anomie (Aug 23, 2010)

olav said:

> I found out that I missed some files that were required by rssh and copied them into the /home/chroot folder

The ssh daemon is already forcing them into internal-sftp, so rssh is totally unnecessary here. 

What OpenSSH version, BTW?


----------
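Added example, not part of any post in this thread: sshd refuses a `ChrootDirectory` unless every component of the path is a root-owned directory that is not writable by group or other, which is what decides whether `/home/chroot/` or `/home/chroot/roy` can be the chroot target. The Python sketch below audits a path against that rule; the function names and the default path are assumptions made for illustration.

```python
import os
import stat
import sys


def component_problems(st):
    """Return the reasons one path component fails sshd's chroot check."""
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if st.st_uid != 0:
        problems.append("owner is uid %d, not root" % st.st_uid)
    if st.st_mode & 0o022:
        problems.append("writable by group or other (mode %o)"
                        % stat.S_IMODE(st.st_mode))
    return problems


def path_components(path):
    """Yield '/', '/home', '/home/chroot', ... for an absolute path."""
    parts = [p for p in os.path.normpath(path).split("/") if p]
    yield "/"
    for i in range(1, len(parts) + 1):
        yield "/" + "/".join(parts[:i])


def audit_chroot(path, stat_fn=os.stat):
    """Map each failing component of `path` to its list of problems."""
    if not path.startswith("/"):
        raise ValueError("ChrootDirectory must be an absolute path")
    findings = {}
    for comp in path_components(path):
        try:
            problems = component_problems(stat_fn(comp))
        except OSError as exc:
            problems = ["cannot stat: %s" % exc.strerror]
        if problems:
            findings[comp] = problems
    return findings


if __name__ == "__main__":
    # Default is the ChrootDirectory from the first post; pass another path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/home/chroot"
    result = audit_chroot(target)
    for comp, problems in result.items():
        print("%s: %s" % (comp, "; ".join(problems)))
    sys.exit(1 if result else 0)
```

A home directory owned by the user, such as `/home/chroot/roy` owned by roy, is reported as a failing component, so it cannot itself be the chroot target while staying user-owned.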



## olav (Aug 24, 2010)

I guess some of my configuration is wrong, but I wanted to use rssh because of rsync. I guess I need to copy over a lot more files to get rsync to work?


```
OpenSSH_5.4p1 FreeBSD-20100308, OpenSSL 0.9.8n 24 Mar 2010
```


----------



## anomie (Aug 24, 2010)

If rsync is a requirement, then make life easy and put it in a FreeBSD jail, as suggested earlier. Making the jail's ssh daemon listen on a non-standard port sucks, but if the alternative is trying to build your own (less secure) chrooted shell + rsync environment I'd definitely go for the former.


----------

