making openssh work with chroot()'ed accounts?
mouring at etoh.eviladmin.org
Tue Sep 18 07:36:17 EST 2001
The way I set up sftp for web is odd but works on most if not all accounts
(except I don't do chroot).
1. Assign the user's shell to the sftp server.
2. Change /home/$USER ownership to root.
3. Create the directory /home/$USER/.ssh/ and lock it down to 000.
4. Make WWW (in my case) and chown it to $USER.
It resolves a lot of issues, but it is not the 'best' way to go. There
are chroot() sftp-server patches floating around. But chroot() sshd is
going to make a mess of things when doing scp or sftp.
- Ben
On Mon, 17 Sep 2001, James Ralston wrote:
> On Mon, 17 Sep 2001, Peter W wrote:
>
> > I'm not talking about chroot jails at all. I'm talking about sftp
> > making it easy to bypass all restrictions in ~/.ssh/authorized_keys*
> > (gaining full access as the user despite explicit restrictions).
> > That's why I changed the Subject line -- my beef has nothing to do
> > with chroot(). You just happened on the same sftp problem that I
> > did. This is a *huge* security problem.
>
> It's not really the same problem.
>
> You want to keep restricted users (in the sense of what's listed in
> ~/.ssh/authorized_keys*) from accessing the sftp subsystem, because
> (as you correctly surmised) allowing restricted users to access sftp
> will permit them to bypass the restrictions, and is thus a huge
> security hole.
>
> I want to *permit* restricted users (in the sense of users who are in
> a chroot() jail) to access sftp, but in order to do that, I need sftp
> to obey the same restrictions (meaning, call chroot() before taking
> any action that would allow the user to get to any files located
> outside of the chroot'ed home).
>
> This patch:
>
> > - markus at cvs.openbsd.org 2001/09/14
> > [session.c]
> > command=xxx overwrites subsystems, too
>
> ...should solve your problem. But it won't solve mine.
>
> On a related matter, I discovered that sshd would not honor the
> ~/.ssh/authorized_keys* files unless they (and the ~ and ~/.ssh
> directories) were owned by the user in question. I think that
> restriction should be relaxed; IMHO, sshd should honor the
> ~/.ssh/authorized_keys* files if they (or the intervening directories)
> are owned by the user in question or by root...
>
> --
> James Ralston, Information Technology
> Software Engineering Institute
> Carnegie Mellon University, Pittsburgh, PA, USA
>
>
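The bypass Peter and James are discussing in the quoted exchange is the interaction between an authorized_keys `command=` restriction and an sftp subsystem request. The following is an added example, not code from the thread or from OpenSSH: a simplified, hypothetical parser for authorized_keys option blocks plus a model of sshd's dispatch before and after the quoted 2001/09/14 session.c change, with `SAMPLE_LINE` a constructed key entry.

```python
# Added example (not from the thread or from OpenSSH): how an authorized_keys
# "command=" restriction interacts with a subsystem request, modelled before
# and after the quoted session.c change. Parser and SAMPLE_LINE are constructed.
KEY_TYPES = ("ssh-rsa", "ssh-dss")

def parse_options(text):
    """Parse the comma-separated option block that may precede a key.
    Returns (options, remainder). Quoted values may contain \\" escapes."""
    opts, i, n = {}, 0, len(text)
    while i < n and text[i] not in " \t":
        j = i
        while j < n and text[j] not in '=, \t':
            j += 1
        name = text[i:j].lower()
        if j < n and text[j] == "=":
            if j + 1 >= n or text[j + 1] != '"':
                raise ValueError("option value must be double-quoted")
            j, val = j + 2, []
            while j < n and text[j] != '"':
                if text[j] == "\\" and j + 1 < n and text[j + 1] == '"':
                    j += 1                      # \" inside the value
                val.append(text[j])
                j += 1
            if j >= n:
                raise ValueError("unterminated option value")
            j += 1                              # skip closing quote
            opts[name] = "".join(val)
        elif name:
            opts[name] = True                   # flag option, e.g. no-pty
        if j < n and text[j] == ",":
            j += 1
        i = j
    return opts, text[i:].lstrip()

def parse_authorized_key(line):
    """Split one authorized_keys line into (options, key material)."""
    line = line.strip()
    if line.split(None, 1)[0] in KEY_TYPES:
        return {}, line                         # no option block present
    return parse_options(line)

def resolve_request(options, request, forced_applies_to_subsystems):
    """What sshd runs for a session request (kind, arg); kind is 'shell',
    'exec' or 'subsystem'. The flag models the 2001/09/14 session.c fix."""
    kind, arg = request
    forced = options.get("command")
    if forced is None:
        return {"shell": "login shell", "exec": arg,
                "subsystem": f"subsystem {arg}"}[kind]
    if kind == "subsystem" and not forced_applies_to_subsystems:
        return f"subsystem {arg}"               # pre-fix: command= bypassed
    return forced                               # restriction honoured

SAMPLE_LINE = ('command="/usr/local/bin/restricted-shell \\"web data\\"",'
               'no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EXAMPLE user@host')
```

With `forced_applies_to_subsystems=False` a key carrying `command=` still gets the full sftp-server, which is the bypass the thread describes; with it set to True the forced command runs regardless of what the client requested.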