Home Forums OS X Server and Client Discussion File Serving Secure File Sharing Tips

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • September 12, 2005 at 3:16 pm #363208
    mkalien
    Participant

    I’m looking for advice on providing file share access to OSXS 10.4.2. By secure I mean something that encrypts the password sent by the client and something that doesn’t let user’s have ssh access to the server (or locks down their abilities to go anywhere and run scripts).

    I tried using WebDAV via https but was having troubles getting it to work (on the user’s volume). I finally gave www more permissions and that seemed to work, but then I realized when you create files/directories through WebDAV the www user seems to own everything.

    Can you force FTP via SSL? or allow SSH but not let user’s out of their home directory and disallow executing scripts/files? Even so, they could still run all sorts of terminal commands that could tie up the processor and other resources.

    September 12, 2005 at 11:29 pm #363221
    mkalien
    Participant

    What about FTP using SSL (FTPS)? Does OS X Server support that? If it does, it seems like I could firewall the standard FTP port to force users into FTPS.

    September 15, 2005 at 6:48 pm #363265
    heavyboots
    Participant

    [QUOTE BY= mkalien] or allow SSH but not let user’s out of their home directory and disallow executing scripts/files? Even so, they could still run all sorts of terminal commands that could tie up the processor and other resources.[/QUOTE]

    Chroot ssh isn’t that hard to set up actually (however, I am still on 10.3.9 so I can’t say with certainty this will work on a Tiger box too). The weird thing I ran into was that something besides xinetd seems to need to restart for it to notice your new paths. Basically, I followed this tip over at MacOSXHints and got it set up. (Follow the instructions of the first guy and remember that if you want to restrict Users to just their their own folder, you’re going to need to put all the goodies they will need in each of their folders for chroot to work right. The example given in the hint just restricts them to the Users folder, meaning they can wander around in other user’s folders too.

    One more important tip: After each system update, be sure to verify that Apple didn’t overwrite your custom /usr/libexec/sshd-keygen-wrapper. Because if they did, everyone has top-level directory access to the box again!

    Argh, one more note: The winning property to edit the path in was NFSHomeDirectory. That’s where you want to add the /./ to the path to turn on chrooting.

    September 15, 2005 at 7:57 pm #363267
    mkalien
    Participant

    Someone also pointed me to rssh which is a restricted shell. It installed very easiliy (just make sure to specify the path to scp and sftp which I found in /usr/bin and edit the .conf file) and seems to work. It can restrict user’s to scp and/or sftp only. If they try to ssh into the box they get a message saying they are restricted to rssh and can’t do anything and then it logs them out. I like the idea, but perhaps combined with chroot I can restrict them to sftp and scp AND to only browse the Users directory.

    I haven’t made a final decision, but I’m liking rssh (with or without chroot) or using pureftpd over SSL.

  • Author
    Posts
Viewing 4 posts - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.

Comments are closed

Copyright © 2025 AFP548. All Rights Reserved.