disable port forwarding in OpenSSH

Jason Stone jason at shalott.net
Thu Sep 20 10:20:43 EST 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> > Many people have successfully used custom restricted shells that only
> > allow one or a small number of commands to be run upon login - you
> > shouldn't have a problem with that.
> 
> Can running sshd with chroot (to a directory which does not contain
> anything but mail folders and the executables/libraries needed for sshd and
> the mail programs) be considered more secure than running a custom shell or not?
> I use FreeBSD.

chroot is almost certainly more secure.  Unless you're root, it's usually
not possible to get out of a chroot.  However, chroot is a lot harder to
manage, so sometimes admins try to do "clever" tricks which end up
subverting their security rather than enhancing it.  A restricted shell is
way easier to build and manage and is frequently secure enough for most
people.


> > In the case of pine, be sure to disable the ability to jump to a shell in
> > the fixed config file, usually /usr/local/etc/pine.conf.fixed.
> > (echo 'feature-list=no-enable-suspend' >> /usr/local/etc/pine.conf.fixed)
> 
> Thanks! But if no shell -- no ability, right?

I'm not sure I understand.  The user has to have some "shell" that can be
invoked as "<shell> -c pine" and do the right thing.  If you don't disable
suspend in the pine.conf.fixed, then pine will either fork a new instance
of <shell> (which is safe if <shell> is a restricted shell which just
exits when invoked without "-c pine") or else it will try to detach from
the restricted shell, which won't work right.

Also, the lack of a real shell won't prevent a sophisticated attacker from
still executing arbitrary code by exploiting a buffer overrun in pine, if
that's your question.


 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet.  Here's what I worry about.  I worry
 that 10 or 15 years from now, she will come to me and say "Daddy, where
 were you when they took freedom of the press away from the Internet?"
	-- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE7qTZfswXMWWtptckRAuYPAKCz1GAzNmeGvoYeO5/uCdS41MUe3wCfQqHH
nixy1IypD0aFhnt7l67vf5Q=
=w4ce
-----END PGP SIGNATURE-----
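As an added example (not code from the original post, from OpenSSH or from pine), a minimal restricted login shell of the kind the reply describes: sshd runs the account's login shell as "<shell> -c <command>", so the script honours only "-c" followed by a single allowlisted program name and refuses everything else (interactive logins, other commands, shell metacharacters, extra arguments). The program paths /usr/local/bin/pine and /usr/local/bin/procmail, and the name "rshell", are assumptions for illustration.

```shell
#!/bin/sh
# rshell: restricted login shell for a mail-only account (example code).
# sshd invokes the login shell as:   <shell> -c "<command>"
# This script never hands the string to a real shell; it only maps an
# exact, allowlisted program name to an absolute path and execs it.

# Allowlisted programs.  Paths are assumed; adjust for your system.
PINE=/usr/local/bin/pine
PROCMAIL=/usr/local/bin/procmail   # hypothetical second entry

# allowed_command NAME
# Print the absolute path for an allowlisted NAME and return 0;
# return 1 for anything that is not on the list.
allowed_command() {
    case "$1" in
        pine)     echo "$PINE" ;;
        procmail) echo "$PROCMAIL" ;;
        *)        return 1 ;;
    esac
    return 0
}

# check_request [ARGS...]
# Validate the argument vector the shell was started with.  Accept only
# exactly two arguments, "-c" and an allowlisted name made of plain
# characters.  Returns 0 if the request may proceed, 1 otherwise.
check_request() {
    [ $# -eq 2 ] || return 1
    [ "$1" = "-c" ] || return 1
    # Reject whitespace and shell metacharacters outright, so that
    # "pine; sh" or "pine $(sh)" can never match an allowlist entry.
    case "$2" in
        *[!a-zA-Z0-9_-]*) return 1 ;;
    esac
    allowed_command "$2" >/dev/null
}

# restricted_main [ARGS...]
# Exec the requested program, or refuse with a message and exit 1.
restricted_main() {
    if check_request "$@"; then
        exec "$(allowed_command "$2")"
    fi
    echo "rshell: this account may only run: pine procmail" >&2
    exit 1
}

# With no arguments at all (an interactive login, or pine forking the
# shell without -c) nothing is run: the script falls through and exits,
# which is the "just exits" behaviour the restricted-shell approach relies on.
if [ $# -gt 0 ]; then
    restricted_main "$@"
fi
```

Install it as the account's shell (vipw or chsh on FreeBSD), and still set feature-list=no-enable-suspend in pine.conf.fixed as the thread suggests, so pine does not attempt to suspend into a shell that is not there. As the reply notes, none of this protects against a memory-safety bug in pine itself.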




More information about the openssh-unix-dev mailing list