SSH2 functions a little differently from SSH and ProFTPD, but has a few advantages under some circumstances.
SSH2 can jail users in some groups to their home directory when using the internal sftp-server function, which takes over entirely for the FTP server. This also provides "sftp" protocol (another TLS/FTP scheme), the protocol of preference for mac/fetch users.
However, this is a little problem when using the "Server Owner Limits" panel of virtualmin.
Using the “DeniedSSH” group as a way to deny people SSH but allow FTP does not work for this setup. If you deny SSH you’ve also denied FTP.
For now what I do is alter the SSH2 config to make the "DeniedSSH" group the jailed group.
This causes a problem during updates, but is easy to fix in the SSH/SSH2 module at time of reconfiguration or update.
Is there a way to make this easier for us SSH2 users?
To deny a shell, I use a ‘nologin’ shell… FTP only users are in “DeniedSSH” for now, but I would like to use that for what it’s supposed to do, too.<br><br>Post edited by: JeremyHorland, at: 2008/03/04 08:08
If that’s all you need to do (give FTP users nologin as their shell) I believe you can just switch the “Shell for FTP users” to nologin, instead of false…perhaps I’m missing something more you need for this to work?
Its that automatic configuration of "DeniedSSH" group users, which re-configures SSH2 every time I upgrade or re-configure webmin. I like the feature, and change it to be the jailed group, but I was wondering if there were a way to have it not configure SSH2 for this.
Now you’re confusing me.
I’m reading you saying, “I want Virtualmin to configure DeniedSSH, but I don’t want it to configure DeniedSSH.” Clearly there is something about your question that I fail to understand.
I like that it makes a DeniedSSH group, but I use it to chroot, while Virtualmin resets it to "denygroups"
Is there any way to stop virtualmin from configuring the SSH module, or to set it to use "chrootgroups" instead of "denygroups"
Ah. Why didn’t you say so?
That is, unfortunately, hardcoded in the virtual-server-lib.pl
It’d be trivial to change it, though…but you’ll need to update it every time you upgrade Virtualmin. So, I’d probably recommend filing a ticket with a description of how this option can be used, and see if Jamie will make it a configurable option. Sounds pretty useful, actually, if I now actually understand what’s happening. But be sure to include the specifics about group names and such in the ticket and what you’re trying to accomplish–Jamie is probably no better at reading your mind than I am. (Actually, I think the problem was that you assumed I know far more about ssh than I actually do. Jamie might know enough to grok your meaning much more quickly.)
Anyway, the line you’d change would be this one in virtual-server-lib.pl:
$denied_ssh_group = "deniedssh";
Obviously, you’d just change it to the group you’d like to use here.
That (much as usual) rocks.
I’ve been chewing Jamie’s brain today already, I’ll post it tomoro.
I was just curious if you ever got this working, I was wanting to do the same thing.
I’m pretty sure the option went into 3.54, but maybe I’m misremembering.