making openssh work with chroot()'ed accounts?

James Ralston qralston+ml.openssh-unix-dev at andrew.cmu.edu
Tue Sep 18 07:40:33 EST 2001


On Mon, 17 Sep 2001, Peter W wrote:

> I'm not talking about chroot jails at all.  I'm talking about sftp
> making it easy to bypass all restrictions in ~/.ssh/authorized_keys*
> (gaining full access as the user despite explicit restrictions).
> That's why I changed the Subject line -- my beef has nothing to do
> with chroot().  You just happened on the same sftp problem that I
> did.  This is a *huge* security problem.

It's not really the same problem.

You want to keep restricted users (in the sense of what's listed in
~/.ssh/authorized_keys*) from accessing the sftp subsystem, because
(as you correctly surmised) allowing restricted users to access sftp
will permit them to bypass the restrictions, and is thus a huge
security hole.

I want to *permit* restricted users (in the sense of users who are in
a chroot() jail) to access sftp, but in order to do that, I need sftp
to obey the same restrictions (meaning, call chroot() before taking
any action that would allow the user to get to any files located
outside of the chroot'ed home).

This patch:

>    - markus at cvs.openbsd.org 2001/09/14
>      [session.c]
>      command=xxx overwrites subsystems, too

...should solve your problem.  But it won't solve mine.

On a related matter, I discovered that sshd would not honor the
~/.ssh/authorized_keys* files unless they (and the ~ and ~/.ssh
directories) were owned by the user in question.  I think that
restriction should be relaxed; IMHO, sshd should honor the
~/.ssh/authorized_keys* files if they (or the intervening directories)
are owned by the user in question or by root...

-- 
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA
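The ownership rule discussed in the message above (sshd only consults ~/.ssh/authorized_keys* when the home directory, ~/.ssh and the file itself are owned by the user and are not group- or world-writable, and the proposal to also accept root ownership) can be written down as an explicit audit. The following is an added example, not code from the message, from OpenSSH, or from sshd's own StrictModes implementation; it models that check in Python over a constructed table of path ownerships so it can be run without real files or root privileges. The `allow_root` switch is the relaxation the author proposes, and `stat_from_table` is scaffolding for the example only.

```python
import os
import stat
from types import SimpleNamespace

ROOT_UID = 0
# Permission bits the check refuses on any component: group- or world-writable.
FORBIDDEN_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def audit_authorized_keys(home, uid, allow_root=False, stat_fn=os.stat,
                          keyfile="authorized_keys"):
    """Return a list of problems found on ~, ~/.ssh and ~/.ssh/<keyfile>.

    An empty list means the file passes the ownership/permission rule
    described in the message. With allow_root=True, root ownership of a
    component is also accepted (the relaxation proposed above, assumed
    here; not sshd's behaviour as observed by the author).
    """
    ssh_dir = os.path.join(home, ".ssh")
    paths = [home, ssh_dir, os.path.join(ssh_dir, keyfile)]
    ok_owners = {uid, ROOT_UID} if allow_root else {uid}
    problems = []
    for path in paths:
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            problems.append(f"{path}: missing")
            break  # nothing below a missing component can be checked
        if st.st_uid not in ok_owners:
            problems.append(
                f"{path}: owned by uid {st.st_uid}, expected {sorted(ok_owners)}")
        if st.st_mode & FORBIDDEN_WRITE_BITS:
            problems.append(
                f"{path}: group/world writable (mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


def stat_from_table(table):
    """Build a stat_fn over a constructed {path: (uid, mode)} table.

    Example scaffolding only: lets the audit run offline without creating
    files or changing ownership. Use stat_fn=os.stat against a real home.
    """
    def fake_stat(path):
        if path not in table:
            raise FileNotFoundError(path)
        st_uid, st_mode = table[path]
        return SimpleNamespace(st_uid=st_uid, st_mode=st_mode)
    return fake_stat


# Constructed sample: user alice (uid 1000) whose home directory is owned by
# root, as an administrator-built chroot jail might be laid out.
SAMPLE = {
    "/home/alice": (0, stat.S_IFDIR | 0o755),
    "/home/alice/.ssh": (1000, stat.S_IFDIR | 0o700),
    "/home/alice/.ssh/authorized_keys": (1000, stat.S_IFREG | 0o600),
}

if __name__ == "__main__":
    lookup = stat_from_table(SAMPLE)
    strict = audit_authorized_keys("/home/alice", 1000, stat_fn=lookup)
    relaxed = audit_authorized_keys("/home/alice", 1000, allow_root=True,
                                    stat_fn=lookup)
    print("strict (user ownership only):", strict or "ok")
    print("relaxed (user or root):      ", relaxed or "ok")
```

Run against a live account with `audit_authorized_keys(pwd.getpwnam("alice").pw_dir, pwd.getpwnam("alice").pw_uid)`; the strict form reproduces the refusal the author ran into when the home directory is root-owned, while the relaxed form accepts it yet still rejects any group- or world-writable component, which is the part of the rule that actually stops another user from planting keys.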
