SSH Restrict User Access


Post by jmacdougca » 2021/01/11 22:13:50

I am trying to restrict access for the webmaster user to /var/www/domainname. Currently, when webmaster SSHes into the main server, webmaster logs into the correct chroot directory var/www/domainname/public_html but can still access the entire filesystem.

I followed this article https://www.tecmint.com/restrict-ssh-us ... oted-jail/. I have completed steps 1-4.

When I run `cat /var/log/secure | egrep webmaster` I see successful connections to the server; however, nothing in relation to the chroot directory:

`sshd[22528]: Accepted password for webmaster from ip port # ssh2`

I added the following lines in /etc/ssh/sshd_config

```
#define username to apply chroot jail to
Match User webmaster
#specify chroot jail
ChrootDirectory /var/www/domainname/
```

```
getent passwd | egrep webmaster = webmaster:x:8094:8094::/var/www/domainname/:/bin/bash
```

```
ls -ld /var/www/domainname = drwxr-xr-x. 10 root root 250 Jan 11 11:58 /var/www/domainname
```

```
getenforce = Permissive
```

```
drwxr-xr-x. 30 root root 4096 Dec 2 13:46 /home/www/
```

```
drwxr-xr-x. 17 root root 4096 Jan 10 21:17 /home
```

Since `/var/www` is actually `/home/www`, I tried changing the ssh chroot and passwd home directory for `webmaster` to `/home/www/domainname`. I restarted httpd with failed result.

Here are the file permissions in the directory I want webmaster restricted to.

```
drwxr-xr-x.   8 root root   4096 Dec 17 19:37 archive
-rwxr-xr-x.   1 root root 964536 Jan 11 11:00 bash
-rwxr-xr-x.   1 root root 964536 Jan 11 11:01 bin
drwxr-xr-x.   2 root root     33 Jan 11 11:04 etc
drwxr-xr-x.   2 root root      6 Jan 11 11:03 lib64
drwxr-xr-x. 237 root root  12288 Dec 22 15:40 node_modules
crw-rw-rw-.   1 root root   1, 3 Jan 11 10:58 null
-rw-r--r--.   1 root root    545 Dec 22 15:56 package.json
-rw-r--r--.   1 root root 111876 Dec 22 15:40 package-lock.json
drwxr-xr-x.  10 root root   4096 Jan  3 15:18 public_html
crw-rw-rw-.   1 root root   1, 8 Jan 11 10:58 random
drwxr-xr-x.   4 root root     27 Dec 30 12:02 src
crw-rw-rw-.   1 root root   5, 0 Jan 11 10:58 tty
crw-rw-rw-.   1 root root   1, 5 Jan 11 10:58 zero
```

That's all the information I have at this point. Thanks for the replies.
Start less finish more
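
sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others, and an interactive session needs the user's shell and basic device nodes inside the jail. The script below is an added example, not part of the original post, that checks both; it assumes GNU stat, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post): audit a ChrootDirectory jail.
# Assumes GNU stat, as on CentOS. Function names are hypothetical.

# dir_is_safe DIR [UID]: DIR is a directory owned by UID (default 0 = root)
# and not writable by group or others.
dir_is_safe() {
    [ -d "$1" ] || return 1
    owner=$(stat -L -c %u "$1") && mode=$(stat -L -c %a "$1") || return 1
    [ "$owner" = "${2:-0}" ] && [ $(( 0$mode & 022 )) -eq 0 ]
}

# path_is_safe /ABS/PATH [UID]: apply dir_is_safe to every component of the
# path up to /. Prints the first failing component and returns 1.
path_is_safe() {
    case $1 in /*) ;; *) return 2 ;; esac
    p=$1
    while :; do
        dir_is_safe "$p" "${2:-0}" || { echo "$p"; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# jail_missing JAIL SHELL: print what an interactive session needs but the
# jail lacks: the passwd shell at the same path inside the jail, and the
# null, zero and tty character devices under JAIL/dev.
jail_missing() {
    jail=${1%/}
    { [ -f "$jail$2" ] && [ -x "$jail$2" ]; } || echo "$2"
    for n in null zero tty; do
        [ -c "$jail/dev/$n" ] || echo "/dev/$n"
    done
}

# Usage with the values from the post (run as root on the server):
#   path_is_safe /var/www/domainname/ && jail_missing /var/www/domainname /bin/bash
```

Against the listing in the post, `jail_missing` would report `/bin/bash` and the `/dev` nodes, because `bin` there is a regular file and the device nodes sit at the top of the jail rather than under `dev/`.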


Return to “CentOS 7 - Networking Support”