Stop user leaving home directory when logging via SSH?

Status
Not open for further replies.
Joined
Oct 14, 2014
Messages
7
Hi

I have a very simple question that I can't work out via the GUI. I want to create a user and set their home directory; after that I just want them to be able to log in via SSH, and to stop them leaving their home directory.

I have tried to follow this guide but can't seem to figure it out.

Everything I try allows me to "cd" and browse my entire datastore and all my sub datastores..

https://forums.freenas.org/index.ph...lder-private-user-folder-common-folder.11557/

I am running version 9.2.1.6 x64..

If you need my hardware spec let me know and I will post.

I am sure this has been asked 100 times before so if anyone knows of a post that you can point me at that would be great.

I am also sure that more questions from people will follow.
 
Joined
Oct 14, 2014
Messages
7
Hi

Thanks for taking the time to reply. The purpose is to set up a user so that I can use Rsync to another server. However, the problem is that I have to do this over a WAN without a VPN. I am going to create a public and private key to the other server, but I am worried that if someone external were to break into the account for whatever reason, I don't want them being able to navigate outside of the home directory onto my other datastores. I have tried various user and group permissions, plus playing with the permissions of the datastore that I have created for the user's home directory, but whenever I log in using PuTTY with that account I can cd to other datastores....

This has got me thinking in general about how to isolate shares etc.. to individual user accounts... I will also keep looking through the forum threads to see what other people have said.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Use FreeBSD jails on the other server.
 
Joined
Oct 14, 2014
Messages
7
Thanks...

Can you elaborate on what you mean? From what I have read, a jail is like a VM that can be installed under its own IP inside the server? Not sure how this would stop a user leaving their home directory?

No doubt this is a stupid question so apologies in advance..
 

RobertT

Explorer
Joined
Sep 28, 2014
Messages
54
I think the suggestion would be to do something like this:
On the server that is going to be externally exposed, create a jail.
Add storage to the jail for the datastore you want the data written to.
Expose the IP of the jail (not the main FreeNAS) to the internet.
Configure sshd to run on the jail.
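
For the last step above, an added example that is not part of the original thread: a shell check that the jail's sshd_config is key-only and admits a single account, matching the WAN-exposed rsync setup described earlier. The account name `rsyncuser`, the function names and the sample config are constructed, and the list of required settings is an assumption about how that sshd should be locked down.

```shell
#!/bin/sh
# Added example: audit the sshd_config of the internet-facing jail.
# "rsyncuser" and the sample config below are constructed.

# Effective global value of a keyword. sshd keeps the first occurrence of
# most keywords but accumulates AllowUsers lines; keywords are
# case-insensitive; lines after the first "Match" are conditional.
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, "")
            if (tolower(key) != "allowusers") { print; exit }
            all = all (all == "" ? "" : " ") $0
        }
        END { if (all != "") print all }' "$1"
}

# Return 0 only if the config is key-only, denies root and admits one user.
# Every setting must be explicit; nothing is left to build defaults.
audit_jail_sshd() {
    cfg=$1; user=$2; rc=0
    for want in "PasswordAuthentication no" \
                "ChallengeResponseAuthentication no" \
                "PermitRootLogin no" \
                "PubkeyAuthentication yes" \
                "AllowUsers $user"; do
        key=${want%% *}; exp=${want#* }
        got=$(sshd_effective "$cfg" "$key")
        if [ "$got" != "$exp" ]; then
            echo "FAIL $key: want '$exp', got '${got:-unset}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the second PasswordAuthentication line is ignored
# because an earlier line already set the keyword to yes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers rsyncuser
EOF
audit_jail_sshd "$sample" rsyncuser || echo "sample config rejected"
rm -f "$sample"
```

Inside the jail, the file to check is /etc/ssh/sshd_config.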
 
Joined
Oct 14, 2014
Messages
7
Hi RobT

That's great.. Thanks for the clarification. I'll give that a go and reply back to the thread if I get that working..
 