Chrooted user just for mysql access over SSH




Posted by ckissi, 09-29-2009, 01:32 PM
Hello, I have a user who will need access to our mysql. We thought to do that for him over SSH. So we'll create a user on our CentOS and he will use an SSH tunnel to access our mysql. But we need this user to have no access to the filesystem and just have access to mysql. Is that possible? How can we chroot this user in his home directory and prevent him from accessing anything but mysql? OS is CentOS 5 64bit. Thanks.

Posted by Axcelx, 09-29-2009, 02:08 PM
I personally would just set up phpmyadmin for him so he can access his own database via the web. Unless you want him to access via ssh, there are some chmods you can do to some directories to prohibit access. I always chmod about 60 directories on my server(s) since 100% of my clients have ssh access. (711) is a safe chmod.

Posted by ckissi, 09-29-2009, 02:17 PM
Thanks, unfortunately this SSH is required because the user will access the DB from a desktop application. phpmyadmin isn't an option. I would prefer to lock the user in his own home directory over chmodding tens of directories, because it can cause some trouble with access for other applications currently installed on the server.

Posted by oldunis, 09-29-2009, 02:23 PM
Change his shell to /sbin/nologin. He will be able to authenticate himself to the server, but won't be allowed to start a shell. I don't remember what to do next, but I know that there is an option in Putty/ssh to forward the port without creating the shell ... So he won't be able to have a shell, but he will be able to use the port forwarding to forward any ports... so use at your own risk. (EDIT) Use the -N option when trying to connect. Last edited by oldunis; 09-29-2009 at 02:27 PM.

Posted by ckissi, 09-29-2009, 02:34 PM
Thanks. I tried it and it works. The login name and password will be compiled into the exe file (encrypted) so he'll be unable to read them. Also we will use tcp wrappers (for ssh ip protection) to protect this login/password from other "potential" users.
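
The caveat raised in the thread is that a /sbin/nologin account can still forward any port. The following is an added example, not part of the thread: constructed sshd_config fragments for the weak and the restricted setup, plus a shell check that the account may only forward to the local MySQL port. It assumes an OpenSSH release whose sshd_config supports Match and PermitOpen, a hypothetical account name dbtunnel, and MySQL on its default port 3306.

```sh
# Added example. "dbtunnel" is a hypothetical account; both configs are constructed.
# Thread's setup: nologin shell only, so sshd still forwards to any host:port.
weak_config() {
cat <<'EOF'
PasswordAuthentication yes
AllowTcpForwarding yes
EOF
}

# Restricted: this account may only open forwards to the local MySQL port.
hardened_config() {
cat <<'EOF'
PasswordAuthentication yes
Match User dbtunnel
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:3306
    X11Forwarding no
    AllowAgentForwarding no
EOF
}

# Print PermitOpen targets from the "Match User <name>" block for $1 (config on stdin).
# Simplification: handles a single literal user name, not patterns or global settings.
permitopen_for() {
    awk -v user="$1" '
        tolower($1) == "match" { inblock = (tolower($2) == "user" && $3 == user); next }
        inblock && tolower($1) == "permitopen" { for (i = 2; i <= NF; i++) print $i }
    '
}

# Succeed only if every target allowed for $1 is MySQL on the loopback interface.
tunnel_is_mysql_only() {
    targets=$(permitopen_for "$1")
    [ -n "$targets" ] || return 1      # no PermitOpen: forwarding is unrestricted
    printf '%s\n' "$targets" | (while read -r t; do
        case "$t" in
            127.0.0.1:3306|localhost:3306) ;;
            *) exit 1 ;;               # "any", or another host or port
        esac
    done)
}

for cfg in weak_config hardened_config; do
    if $cfg | tunnel_is_mysql_only dbtunnel; then
        echo "$cfg: forwarding limited to MySQL"
    else
        echo "$cfg: forwarding not limited to MySQL"
    fi
done
```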


