

Restrict SSH access for a specific user to a specific directory, locally?

Hello.
I'm wondering if anyone knows how I would go about doing this — I need to give someone SSH access to a specific directory (and its sub-directories) on my Xserve, and they can only access this via the local LAN (i.e. SSH is enabled from the WAN, but I don't want this person to be able to SSH in from the outside).
Is this possible?
Anyone know how I'd go about doing this?
This user is a member of the OD Master.
Thanks,
Kristin.

20" Intel iMac 2.16 Ghz, 12" PowerBook G4 1.33 Ghz, Power Mac G4 667 Mhz, Mac OS X (10.5.6), Xserves (Early 2009, Early 2008, G5), Mac Pro

Posted on Aug 26, 2009 7:39 AM

3 replies

Aug 28, 2009 8:17 AM in response to kristin.

...they can only access this via the local LAN


It's trivial to configure SSH to restrict user login to particular addresses using some combination of AllowUsers and DenyUsers.

From man sshd_config:

AllowUsers
    This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.


The same applies to DenyUsers, except such users are denied access.

Which one you'd use depends on your network architecture and how restrictive you want to be. From your description it sounds like you could use something like:

DenyUsers username@*,!192.168.1.*


This will prevent the user username from logging on from any IP address except those in the 192.168.1.x subnet.

Add this line to /etc/sshd_config on the server and you're set.

As for:

...give someone SSH access to a specific directory (and its sub-directories) on my Xserve


You can achieve this via chroot, although it's a little more complex to set up.

Provided your server is running 10.5.4 or later (IIRC chroot support was only added then), you can add the following to /etc/sshd_config:

Match User username
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /var/sftp


Now when the user username logs on they will see /var/sftp as being the root drive of the system (so their home directory may now be /var/sftp/Users/username).
There are some specific permission requirements for chroot - for example, the /var/sftp directory needs to be root-owned, but it's not hard to find documentation on the requirements.

Note that the various *Forwarding options are disabled to prevent this user from opening ports on the server once they're logged in.
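A simplified model of how sshd evaluates the DenyUsers/AllowUsers entries discussed in this reply, added here as an example (it is neither the poster's code nor OpenSSH's own): it applies the documented order (DenyUsers before AllowUsers) and the negated-pattern rule, so a line like the one above can be checked against sample source addresses before it goes into sshd_config. Wildcard and "!" handling follow OpenSSH's pattern-list behaviour as I understand it; CIDR entries and the *Groups directives are deliberately left out.

```python
import re
from typing import Sequence

def wildcard_match(s: str, pattern: str) -> bool:
    """sshd-style glob: '*' matches any run, '?' one character; no [] classes."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, s) is not None

def match_pattern_list(s: str, patterns: str) -> int:
    """1 = positive match, -1 = a negated ('!') entry matched, 0 = no match.
    A negated match ends evaluation of the whole comma-separated list."""
    got_positive = False
    for entry in patterns.split(","):
        negated = entry.startswith("!")
        if wildcard_match(s, entry.lstrip("!")):
            if negated:
                return -1
            got_positive = True
    return 1 if got_positive else 0

def match_user(user: str, host: str, ipaddr: str, pattern: str) -> bool:
    """Evaluate one AllowUsers/DenyUsers entry, optionally in USER@HOST form."""
    if "@" not in pattern:
        return match_pattern_list(user, pattern) == 1
    upat, hpat = pattern.split("@", 1)
    if match_pattern_list(user, upat) != 1:
        return False
    # HOST is tried against the source IP first; a negated IP match wins outright.
    mip = match_pattern_list(ipaddr, hpat)
    if mip == -1:
        return False
    if mip == 1:
        return True
    return match_pattern_list(host, hpat) == 1  # fall back to the resolved name

def login_allowed(user: str, host: str, ipaddr: str,
                  deny_users: Sequence[str] = (), allow_users: Sequence[str] = ()) -> bool:
    """Order from sshd_config(5): DenyUsers is processed before AllowUsers."""
    if any(match_user(user, host, ipaddr, p) for p in deny_users):
        return False
    if allow_users and not any(match_user(user, host, ipaddr, p) for p in allow_users):
        return False
    return True

if __name__ == "__main__":
    rule = ("username@*,!192.168.1.*",)  # the DenyUsers line from the reply above
    for ip in ("192.168.1.50", "203.0.113.7"):  # constructed sample source addresses
        print(ip, "allowed" if login_allowed("username", "client.lan", ip, rule) else "denied")
```

The model says nothing about hostnames sshd cannot resolve or about CIDR syntax, so it complements, rather than replaces, a real login attempt from both sides of the LAN boundary.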

