
Restrict ssh access


TSch (Technical User, Jul 12, 2001, 557, DE)
Hi folks,

Is it possible to restrict ssh access to a certain directory only?

Let's say user xyz is only allowed /u01/, including all subdirectories. He is not to be allowed access to all other directories like /etc/, /usr/, and so on ...

Is it possible? If so, how can it be done?

Regards
Thomas
 
In order for user xyz to have no access at all to /etc or /usr, you'd have to tighten the permissions on those directories in a fashion that would lock the machine to pretty much anyone but root. That, or set up a chroot environment like ogniemi suggested.

Can you tell us what user xyz should be allowed to do? Do they need the command line, or could their needs be met with a script?

- Rod


IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

A Simple Code for Posting on the Web
 
Hi folks,

we need a certain user for an external company's remote support access.

We're running two separate applications on the system and the external company mentioned above shall only be allowed to move through their directory structure.

They have to be able to read, write, and execute files under their directory structure and nowhere else ...

Regards
Thomas
 
For the account to even function, there are files outside of their directory structure that they'll have to be able to read and/or execute.

You can try the chroot approach, but it can be tricky just getting a single daemon to run under chroot. An entire application is going to be a nightmare, if not impossible.

Other options are LPARs (which you'd probably already be using if you had the option) or purchasing a new machine to support their application.

Since you have a business relationship with them, the most practical solution is probably contractual, rather than technical.

After all, if you can't trust them to stick to a contract that forbids them from accessing anything other than their own directory, how can you trust their software?

- Rod


 