Fedora Servers :: Restricting SSH User To Their Home Directory
Dec 15, 2010
I'm trying to restrict a particular ssh user to his home directory; I'm just giving him access so that he can ssh to another server that is only accessible from the former, but restrict his movement so that he can't poke around the former. I already made some changes to the sshd_config file and added the following line at the end:
Did some tests: user joe can ssh to the server but is unable to do anything aside from logging in; even a simple ls command will immediately close the PuTTY session. I know I'm still missing something but don't really know what it is. I also tried this how-to that uses rssh --> http://www.adamhawkins.net/2009/05/r...ured/#more-431; however, when I log in the session immediately closes.
Mar 14, 2010
I've set up Kerberos and OpenLDAP servers (9.10) similar to the official documentation (and other sites that fill in the "gaps"). However, when you start to get into some of the details, there seem to be many options, and I guess I'm looking for what could be the de facto standard. I'd like to allow Ubuntu clients to have an SSO capability, with the ability for local caching of passwords if not connected to the network (such as a laptop user away from the office, prior to a VPN). I'd like to automount a secure NFS share somewhere in the /home directory. If the user logs in to a computer they've not logged in to before (if they're authorized), it would be nice if a skeleton /home directory could be set up there automatically. I'm guessing that it is not desirable to use a shared /home NFS, as if you're off the network this would be problematic, as well as multiple computers sharing the same /home. There are some benefits to a shared /home (SSH certs, etc.), so maybe there is a hybrid approach out there.
I've read that it's not necessarily good practice to have OpenLDAP do the authentication (leave this to Kerberos), but it's fine for authorization (such as ACLs for logins to certain computers). It's also good practice to use TLS with OpenLDAP (which requires public certs on all the clients) and to not allow anonymous read to the directory. I would guess that a computer host keytab could be refreshed to bind to the OpenLDAP server via GSSAPI / SASL to allow a non-anonymous read, and then determine if, say, the user was a member of a group allowed to log in. Kerberos would then pick up and authenticate the user and then proceed to the login. Off the network, here I'm not sure. I found this document, but it has self-declared missing items: [URL]
I'll stop the rambling, but I cannot be the only one who would like to set up a relatively standard and secure server-based network authentication and authorization back-end. Is there any _complete_ documentation on the best practices and how to implement them?
Jul 16, 2009
I hope I am in the right forum. I have a question about restricting users from being able to change their own passwords in Fedora 10. In Fedora 6, I was able to do this by using passwd with the -n and -x flags. If I set the -n value greater than the -x value, then the user would not be able to change his/her own password. If I do this in Fedora 10, this no longer works.
May 12, 2011
I have added a new user with the following command:
root# useradd -u 100 -g 120 -d /product -s /bin/bash sandesh
I am not able to access it in the /export/home directory. Why?
Feb 15, 2010
I was setting up a Samba server and I ran into some problems with SELinux related to the context of the home directories. I made a user account, say "UserAccount", with a default home directory "home/UserAccount". Afterwards I realized that I needed to move the home directory of this particular user to another location, say "/home2/UserAccount". So I created the new directory, changed the permissions, and used Gnome's system-config-user to change the user's home directory.
I then set up the Samba server, activated samba_run_unconfined and samba_enable_home_dirs in SELinux, and made an account for UserAccount. When testing the Samba account for UserAccount, SELinux denied read access. I checked the context and the new home directory did not appear to have been updated. I had to manually run:
restorecon -R -v /home2/UserAccount
to set the context on the new home directory. I'm not very familiar with SELinux, so my question is this: is this normal security policy or is it a bug in the system-config-user tool? If it's normal policy, can someone explain why? I'm always ready to learn.
Distro: Fedora 12 (kernel: 2.6.31.5-127.fc12.i686)
System: Dual Intel Xeon @ 3.2 GHz, 1 GB RAM
Jan 6, 2010
I have a secondary disk which holds a /home directory structure from a previous install of Linux. I installed a new version on a new primary drive and mounted this secondary drive as the new /home. Problem is, even though the users have the same names and I can access the home directories for the users, I cannot log in directly to their home directories, as I get the following error:
Code:
login as: [me]
[me]@[machine]'s password:
Last login: Wed Jan 6 18:34:33 2010 from [machine]
Could not chdir to home directory /home/[me]: Permission denied
[[me]@[machine] /]$
Now, since the usernames are correct and the users are in the passwd file with the correct home directory paths, could it be user IDs that are different, or something else? It's not as though I cannot access the home directories for the users, simply that I cannot log directly into them from a login prompt.
Jun 16, 2011
Do you think there is a way of accessing a different user's data from another account which I have set up?
i.e. user 1 = account has messed up
user 2 = account works fine
Access user account 1's home directory from user 2's workspace?
Feb 1, 2009
I just installed FC10 and then used yumex to install the vsftpd FTP daemon package. I'm using the vsftpd.conf file that came with the distribution, and it's almost identical to one I copied from my FC2 machine's working set-up. When I try to FTP in as a known system user I'm presented with my home directory /home/myusername/. The directory appears empty to the FTP program, but isn't in reality. I can't upload a file to the empty home directory. I can move up the directory hierarchy to /home/, but again that appears as an empty directory.
I don't think it's a vsftpd.conf file issue. I've tried everything I can there. Could it have something to do with permissions? I fiddled with those, but couldn't make an FTP directory listing work.
[code]....
May 6, 2009
I am looking into encrypting some data on a Fedora samba server. I'm not entirely sure the best way to do this. The server is currently running Fedora 5 but it can be updated if necessary.
I would prefer if the server could be booted up and that no interaction at the server itself have to be done so that users can access their shares.
Is there a way for the data to be encrypted on the server but still accessible when the user accesses the share over Samba?
The research I have done so far seems to point towards methods more intended for a desktop setup, such as entering passwords at bootup or when opening folders.
May 21, 2010
I have an SFTP server using OpenSSH on a server running Fedora 12. I want to chroot my sftponly users into their home directory but I want to let them have write access to their upload/ folder. Right now users can log in and view & download items, but for some reason I can't get write access to work. Here's some info:
username: testuser
group: sftponly
from /etc/passwd:
testuser:x:501:501::/home/testuser/:/bin/false
[code]...
Feb 2, 2011
I created a user but forgot to change the home directory permission. So after the user was created, when I go to the user and group management I can't see the permission field related to the home directory permission. My purpose is to stop other users accessing my home directory; how can it be done?
Mar 8, 2010
I'm developing an application in which one user must run Java software that I'm compiling as another user. I wanted to give user A permission to see the bin directory of my workspace, which is in the home directory of user B. I was wondering how this can be done? I gave the bin directory full read/execute permissions, but since it's in my home directory user A can't navigate to it.
I know there are a few ways I could get around the problem but they aren't very elegant. I was wondering if there is a simple method for giving a user access to a specific directory without giving access to all the parent directories. I tried a symbolic link but user A still can't access it, and a hard link to a directory isn't allowed in Linux. I don't feel like making a hard link to every single file in the bin directory, and I'm not sure that would work anyway, since every recompile overwrites them.
May 12, 2011
I have RHEL 5.2 and I want to create a user using the useradd command without creating the user's home directory and without throwing any warning/error about not creating a home directory. I have tried useradd -u "$NEW_UID" -g <gid> -d "/home/$1" -M "$1" where $1 is the user name and $NEW_UID is what I am calculating. It throws the error "useradd: cannot create directory /home/$1", which I don't want to see. How do I prevent this?
Jul 28, 2011
I'm new to Linux and just installed Ubuntu and decided to play around with it. I just executed
Code: useradd test which supposedly creates a folder in the home directory '/home/test', but when I look in there I can't see it. I also did a
Code: grep test /etc/passwd which returns: 'test:x:1001:1001::/home/test:/bin/sh', which I believe means it is meant to exist.
Addendum: I have also now noticed that when I log out and log back in I have the option to log in as 'test', but it prompts me for a password which I did not set :s
May 24, 2011
I need to specify a different path to home directories on a particular server than what LDAP contains for the users, besides using a symlink. E.g. "/Users/jdoe" vs "/home/jdoe" I don't want to change the actual LDAP attributes, just want a particular server to point them in the right direction (Ubuntu 10.04).
I'm assuming it's something I could probably set in pam configurations?
Feb 2, 2009
I have FC10 newly installed, and Apache is serving content from /var/www/ okay.
I'm trying to get Apache to serve web content from users' home directories. This is what I've tried with no success:
Uncommented 'UserDir public_htm' in /etc/httpd/conf/httpd.conf and commented out 'UserDir disabled'.
And...
Uncommented user directory section in /etc/httpd/conf/httpd.conf. It now reads as follows:
#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
[Code].....
I also tried setenforce 0 to temporarily disable SELinux until the next reboot. No luck. It doesn't appear to be an SELinux issue.
That's as far as the information available will take me. I still get URL 'Not Found' when I try to access http://192.168.0.2/~myusername/
Setting up user home directory web access?
Nov 28, 2009
I cannot use NFS from an F10 client to an F12 server. An nfs mount on F10 to F12 times out, and an nfs4 mount gives "mount.nfs4: mounting localhost:/home failed, reason given by server: No such file or directory". I have tried to close the firewall and set SELinux to permissive mode on both client and server with the same result. Samba works fine. On the server:
[root@flokipal ~]# mount -t nfs4 localhost:/home /media/tonlist
mount.nfs4: mounting localhost:/home failed, reason given by server: No such file or directory
but
[root@flokipal ~]# mount -t nfs localhost:/home /media/tonlist
[root@flokipal ~]#
works.
Mar 14, 2009
I want to enable User Directories in Apache. So in httpd.conf I set:
Code:
<IfModule mod_userdir.c>
#UserDir enabled // commented out
UserDir public_html
</IfModule>
Directory /home/kees has the following file permissions: drwx--x--x 32 kees kees
Directory /home/kees/public_html has the following file permissions: drwxr-xr-x 2 root root
Directory public_html has two files: index.html and index.php, both with file permissions: -rwxr-xr-x 1 root root If I now try to open http://myhost/~kees/index.html (or index.php) in my browser I get a 403 Forbidden error. If I look in my error log I see the following messages if I first try to open the index.html and then the index.php file:
[Code]...
Mar 8, 2010
I'm sorry if this has been posted already but I REALLY did look and couldn't find the same issue(s) addressed anywhere. Similar, but not similar enough, in my opinion, to barge in and switch the subject.
Ok, I have Apache httpd set up so I can use a public_html folder inside of my /home/username directory. Now, I'm about to take a web dev course that teaches JSP/Servlets for building web applications and I'd like to set my environment up so that I can execute .jsps from my web root (/home/username/public_html) just like I would a CGI or PHP script. I have a web host that will give me JSP support for a few extra bucks a month, but I'd rather do it locally... and free.
I have Tomcat installed and running wonderfully. The test page and all the examples work fine and execute immediately. But when I try to execute a .jsp file inside of my web root (/home/username/public_html) I just get the raw Java tags and plain-old HTML rendered in my browser. I pretty much knew that wouldn't work; that'd be way too easy. I just wanted to see what would happen.
I looked through all the tomcat ".conf" files I could find to see if it was similar to setting up httpd inside of my home directory, but I didn't have any luck. It's not a file permissions problem... I've been messing with web "scripts" long enough to check that the files are executable. All of the files needed (borrowed from the examples that come with Tomcat) were in their correct paths inside of my web root, as well. Added :8080 to the end of localhost (like you do to see the Tomcat test page(s) instead of the httpd test page) but that didn't help.
I scoured the web for directions but could only find one solution that was Ubuntu-specific (just install tomcat6-user-something-or-another.deb, which doesn't exist in the Fedora repos), then I looked around here, trying every search term that seemed reasonable to me, and I can't find anything.
I realize I can just write the code and put it in a directory that does allow these things to be executed (var/lib/tomcat6/blah-blah-blah/going-by-memory) and run them from there, but I'd like to be able to just keep all of my web files in the same place; a place where I have full permission to do whatever I want... my home directory public_html.
Is this possible (has to be, right?)? Is this a dumb idea to begin with (I'm prone)? What is the best way to develop JSP/Servlets without having to deal with permissions every time I want to put a new script in a directory outside of my home directory that's already set up to allow the execution of said script?
Aug 31, 2011
Xguest uses namespace.d/xguest.conf.
[code]...
The root user won't be able to read the "active" xguest home directory (ll /home/xguest will only show an almost empty folder with content from /etc/skel). How can a root user list the folder of the xguest home directory (while xguest is logged in)?
Jan 16, 2011
I am learning to set up an NFS server with Fedora 14. I have gone through a couple of materials for this topic. I have a doubt. Say I have user1 till user5 on my NFS server with their home directories under /home, and the /home directory is shared. If user1 logs into a client machine, will he be able to see the home folders of the other users or just his own home folder? Because in the /etc/exports file there was an option called "subtree", and according to my understanding this means that the subdirectories under /home will also be shared. Does that mean all the users should be able to see all other users' home directories and their contents, but not read/write? Correct me if I am wrong.
Feb 28, 2011
I was just exploring whether I could create a normal user without a home directory. So I edited the file /etc/defaults/useradd and it now shows
[code]...
Why is this so? Why isn't the change in useradd reflected here?
Sep 14, 2010
I have a user account on a remote machine, but it doesn't have a home directory on that machine. Is it possible to create a home directory without having root account details? If yes, how can it be done?
Sep 29, 2010
Ubuntu 10.04 64 bit
I ran the following command to change a username:
# usermod -c "Real name" -l new_username old_username
but forgot to add the -m option to move the contents of the old home directory to the new home directory.
Therefore:
# ls /home
old_user_directory
How do I fix it? /home is on partition /dev/sda3, NOT on the root directory.
Jun 21, 2011
I must give ssh access to my own customer. So I want to lock the ssh user in his own home directory. It is not necessary to reach other folders. I know that an ftp user can be locked in his own folder but I don't know how to lock an ssh user.
Mar 10, 2011
I am having problems setting up SFTP on a Red Hat server to clamp users down to their home directory. I have created the user, removed the /bin/bash login shell and replaced it with the below in the passwd file. The user can log in by sftp but can browse around the server and download any files apart from other users' files. I have also assigned the user to the sftp user group.
Code:
SFTPUser:x:515:515::/home/SFTPUser:/usr/libexec/openssh/sftp-server
Added following section to file - /etc/ssh/sshd_config
Code:
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
Oct 22, 2010
Is there a way I can chroot a user's home directory? Let's say the user logs in on the Linux box into /home/user; what I want to do is chroot /home/user so the user won't be able to browse the filesystem, which is /. Tnx
May 9, 2010
How do I change a user's home directory? Right now everything saves into the file system and it's almost full (I have Windows and Ubuntu installed in the same partition), while the other 120 GB filesystem is unused.
Feb 21, 2011
I would like to ask how to add an ftp user in vsftpd with a directory other than /home/, for example /var/www?