# How to create SSH users on OSX Lion ?



## macspyre (Nov 14, 2011)

Hi,

I am trying to setup a web server for my company on Mac OSX Lion.

I would like to create SSH users for which their root directory would be Apache htdocs, so they wont be able to access files system outside their personal home dir.

I currently created standard users by using System Preferences > Users, and then the Directory Utility.
I modified the NFS Home Directory parameters in order to assign to each of them /opt/local/www/ *(Im using the Apache Distribution on macPort).
I then enabled SSH service in system preferences (remote session) for all users (I cant manage how to specify a connection for specific users only).

Remote Connection is working fine, and home dir is /opt/local/www/
However, these users can browse the system root (/) but do not have the write permissions.

My main problem is than my server is not secured at the moment.
1. Any user can login using SSH
2. Users I created can access the whole disk
3. I could not find how to assign identification for public key
4. These users can login on the server at boot
5. Optionally, would you think OSXServer 10.7 integrated tools would be any help to me to manage users?

Thanks for your answers.
Regards


----------



## BjarneDM (Nov 21, 2011)

This is one of the differences between ftp and ssh : the ability to limit access to certain parts of the file system. This is very hard if not almost entirely impossible to do for ssh !

The problem is every ssh-user can simply do 'cd /' and be at the file system root. From there it's a question of file permission as to where they have access. There's no way you can configure your way out of this problem.

You'll have to mess around with the traditional unix file permissions and acl lists in order to restrict your ssh-users.


----------



## BjarneDM (Nov 24, 2011)

I found a solution to your problem, but it's way too complex to give the complete solution here.

In short the solution is to use the Mac OS X sandboxing fatures. I found these described in some detail in this book : http://www.apress.com/9781430227304 - the book actually has a complete example on how to restrict ssh and sftp to the users home directory etc


----------

