Help with Remote Login

[tedro]

Hi,

I don't run the server osx, but thought i should ask here, thank you

What do I need to do or change so that when a user is setup with Remote Access (via Sharing pane) it only allows them to see their own Home folder?
Currently, they go to /!!! yikes.
I want them to be able see ONLY their Home Dir.

Something I need to add to ssh config or something?

Help?

 

[Altemose]

@tedro You can configure share points in the "File Sharing" pane under System Preferences --> Sharing.

 

[tedro]

@tedro You can configure share points in the "File Sharing" pane under System Preferences --> Sharing.

thanks! can i get some more info on that, please?
all i see under Sharing is where i can "Allow Access For" > "Only These Users".
i don't see where i can assign the share point?

 

[Altemose]

thanks! can i get some more info on that, please?
all i see under Sharing is where i can "Allow Access For" > "Only These Users".
i don't see where i can assign the share point?

I am away from my Mac right now but you should see two white panes. On the left it will say "John Doe's Public Folder". Select it and hit the minus sign and add the folder you want by hitting the plus sign. Then you can set your permissions on the right pane by allowing all users or only some.

 

[tedro]

on os x client? i'm not on os x server, just a reminder.

 

[Altemose]

on os x client? i'm not on os x server, just a reminder.

Yes.

 

[tedro]

OK! yes yes yes.
check this, the source of my question:

i made a new user (non admin) for a friend to test something for me.
he logged in using ssh Remote Login and was dropped in at /.
are you saying (i know i should just try it) that had i also listed his home dir in that pane you refer to, ot wouod drop him in at his ~/ (only)?

 

[tedro]

also, i'm talking about ssh connections ...from outside?

i just tried it and the user is dropped into his ~/ but he can still back into /.

i did see when creating the user that i can choose standard or share only...let me try share only....

 

[tedro]

if you don't mind--THANK YOU--do you why the host machine sometimes changes its local address, e.g.:
10.0.1.7 and then it could be 10.0.1.8 ?

can i stop that?

brb

 

[tedro]

yes, it eeems that a Sharing Only user is not assignable and cannot ssh in.

so, from my reply above:
i create a standard user, ensble them under Remote Login;
in the Sharing sharepoint pane...add the new user's home dir.
when they login using ssh from outside, they first go to their home, but they can still back up into /.
what am i doing wrong?

 

[Altemose]

@tedro A client will change its IP unless you either set it up with a static IP configuration or use a DHCP reservation on the router. Do you want SMB or AFP for file sharing?

 

[tedro]

@tedro A client will change its IP unless you either set it up with a static IP configuration or use a DHCP reservation on the router. Do you want SMB or AFP for file sharing?

yes, AFP. that's more secure than SMB, right? anyway, no Windows clients.
so, i've been using AFP--i, my account, can ssh in fine, but, then, i'm not concerned about my access to /. i just want to stop others'!

p.s. hmmm...dhcp reservation.

 

[tedro]

THE FOLLOWING MESSAGE IS HEREBY DELETED

possibly off topic: i decuded to run Disk Util and do a perms repair.
one message i got is:
WARNING: SUID file "System/Library/Filesystems/AppleShare/afpLoad" has been modified and will not be repaired.
ok? off topic? no worries. i can use a Terminal, btw. just saying.

thanks so much

 

[Altemose]

yes, AFP. that's more secure than SMB, right? anyway, no Windows clients.
so, i've been using AFP--i, my account, can ssh in fine, but, then, i'm not concerned about my access to /. i just want to stop others'!

p.s. hmmm...dhcp reservation.

Opening any ports with direct access to your machine is insecure but unless you ran a VPN it is hard to get around.

 

[tedro]

Opening any ports with direct access to your machine is insecure but unless you ran a VPN it is hard to get around.

yes, i understand.

any hope for making it so a user ssh'ing in only sees his home folder?

thanks

 

[Altemose]

yes, i understand.

any hope for making it so a user ssh'ing in only sees his home folder?

thanks

A standard account will only access the folder you setup in System Preferences --> File Sharing. An administrator account will see the whole drive.

 

[tedro]

A standard account will only access the folder you setup in System Preferences --> File Sharing. An administrator account will see the whole drive.

so,
create standard user
turn on Remote Login for user
turn on File Sharing and in the Shared Folders pane click + and navigate to the user's home dir.

user connects over internet via ssh client, Cyberduck, etc.
user only has access to his home dir?

edit: i'm doing exactly that, but user can see everything. :-(

p.s. isn't the File Sharing prefpane only related to local network use, i mean, does also configure Remote Login?

 

[tedro]

Sharing > File Sharing is only for local network access.
and that *does* only take the user to his home, only.

as i've been saying: ssh (Remote Login) via internet--from outside the local network. the same standard user can see everything...which i don't want.

perhaps something in ssh config, or something, could be modified.

 

[Altemose]

@tedro If the user has an administrator account they will see everything. Only standard accounts are bound by your settings.

 

[tedro]

@tedro If the user has an administrator account they will see everything. Only standard accounts are bound by your settings.

for File Sharing yes, for Remote Access no, apparently, on 10.5.6 client.

i'll write back if i learn more. :-|

thanks for your time and efforts, very much.

 

[Altemose]

@tedro What type of account is remotely connecting to this Mac?

 

[tedro]

@tedro What type of account is remotely connecting to this Mac?

*Standard*. i am the only admin.
e.g.:
sftp://username@IP_address:22

check this:
http://apple.stackexchange.com/questions/41652/create-a-remote-only-user-in-os-x

seems one would need to create a jail by modifying ssh_config. as i suspected.

believe it or not i used to be a mac tech...i think i knew this! i'm just gettimg back into it lately.

i have old friend who runs an osx network whom i've mailed.

 

[Altemose]

Standard. i am the only admin.

Is there a reason why you don't just use the File Sharing panel then? If I understand correctly all you want to do is share the home folder of that one user.

 

[tedro]

Is there a reason why you don't just use the File Sharing panel then? If I understand correctly all you want to do is share the home folder of that one user.

i don't want to use it. i want the Remote user to ssh into it...and only it.
that article explains it. the guy posting is asking virtually the same thing i'm asking:
"I'd like to create a user on OS X that has remote ssh login privileges where they can access a certain folder /path/to/the/goods/ and add/modify/delete files manually or via rsync while the rest of the Mac is off limits (outside their home directory)."

apparently, you have to create a chroot jail in ssh_ config, for the user.

 

[Altemose]

@tedro Those steps are for OS X Server. To my knowledge the only option is to use the File Sharing pane which would work just fine.