It is completely unnecessary to give someone a shell on your server. A shell should only be given out to administrators of that server (and others who perform maintenance on it).

Therefore, in this guide, using OpenSSHd, I will show you what you need to add to your sshd_config file to make the magic happen.

First off, you need to understand that you can designate what kind of shell a user has with “usermod -s /bin/lolcakes user1”, where -s specifies the shell and user1 is the user.
This is not really necessary though, because we will be chroot’ing (restricting) the user to one specific directory (we’ll use /raid) that won’t contain /bin/bash or any other shell binary for the user to launch in the first place.

Basically any version of OpenSSHd from 4.8 on has support for chroots, and it’s quite easy to add them. So here’s the situation…

You have a user named “billy”. He wants access to your elite filez and you want to add him as a user to your box. But he is a Linux guru and knows exactly what to look for to compromise a system.
So you decide to give him sftp access ONLY to your /raid directory where all your elite files are. You also don’t want him to do TCP forwarding or X forwarding. Here we go…

First, you need to make his account. You will set his home directory to /raid and his shell to /bin/whatever just to be safe.

useradd -s /bin/failure -d /raid billy

Open up your sshd_config file (usually located in /etc/ssh/) and scroll all the way to the bottom.

You will see a line that starts with “Subsystem”. Change that line to read “Subsystem sftp internal-sftp”,
then add this to the end of the file:

Match User billy
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
    ChrootDirectory %h

Finally, make sure the /raid directory is owned by root and the permissions allow billy to access it, and you should be good to go. Note that sshd enforces this: the chroot directory (and every directory above it) must be owned by root and must not be writable by any other user or group, or the login is refused. That also means billy cannot write into /raid itself; if he needs to upload anything, give him a subdirectory under /raid that he owns.

You can also do this for entire groups by using “Match Group kids” instead of “Match User billy”.
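To tie the steps above together, here is a small POSIX shell helper that is an added example and not part of the original post. It renders the sshd_config snippet for an SFTP-only chrooted user and pre-checks a chroot directory against the ownership and write-permission rule sshd applies before you reload the daemon. The user name and directory are parameters rather than fixed values, and the wrapper assumes GNU coreutils (stat -c), which is an assumption about the host, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post): generate the sshd_config lines
# for one SFTP-only, chrooted user and sanity-check the chroot directory the
# way sshd does before it accepts a login. Assumes POSIX sh and GNU stat.

# Print the Subsystem line and a Match block for one user. The block disables
# TCP and X11 forwarding, forces the in-process SFTP server so no shell is ever
# executed, and chroots the session to the user's home directory (%h).
sftp_match_block() {
    user="$1"
    printf '%s\n' \
        "Subsystem sftp internal-sftp" \
        "" \
        "Match User $user" \
        "    X11Forwarding no" \
        "    AllowTcpForwarding no" \
        "    ForceCommand internal-sftp" \
        "    ChrootDirectory %h"
}

# sshd refuses a ChrootDirectory unless it is owned by root and not writable
# by group or others. This pure check takes the owner uid and the octal mode
# as arguments so it can be exercised without being root; returns 0 when sshd
# would accept the directory.
chroot_perms_ok() {
    uid="$1"
    mode="$2"
    [ "$uid" -eq 0 ] || return 1
    # keep only the last three octal digits (drops a leading setgid/sticky digit)
    perm=$(printf '%s' "$mode" | sed 's/^.*\(...\)$/\1/')
    group=$(printf '%s' "$perm" | cut -c2)
    other=$(printf '%s' "$perm" | cut -c3)
    # the write bit is 2 in each octal digit
    [ $((group & 2)) -eq 0 ] || return 1
    [ $((other & 2)) -eq 0 ] || return 1
    return 0
}

# Wrapper that reads the real owner and mode of a directory (GNU stat) and
# reports whether sshd would accept it as a ChrootDirectory.
check_chroot_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    uid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    if chroot_perms_ok "$uid" "$mode"; then
        echo "$dir: ok (uid=$uid mode=$mode)"
    else
        echo "$dir: sshd would refuse it: must be root-owned and not group/world writable (uid=$uid mode=$mode)" >&2
        return 1
    fi
}

# Usage on a real host, as root:
#   sftp_match_block billy >> /etc/ssh/sshd_config
#   check_chroot_dir /raid && sshd -t    # sshd -t validates the config before you reload
```

Run check_chroot_dir on each directory from / down to the chroot, since sshd applies the same rule to every path component, and always run sshd -t before reloading so a typo in the Match block cannot lock you out.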

Mario Loria

./scriptthe.net

Because 127.0.0.1 gets old after a while.