Chrooted sftp, did you get it working?

James Dennis jdennis at law.harvard.edu
Fri Apr 12 23:32:44 EST 2002


Hello,
Chrooting sftp is not much more complicated than just chrooting ssh. It requires placing certain libraries (you can probably figure these out using truss or strace) in a location that appears the same as the regular file system while under the chroot. As far as I remember from doing this, the only thing sftp requires that differs from ssh is sftp-server, which most likely lies in /usr/libexec or /usr/local/libexec.

The best way to determine if chrooted ssh is working is to apply the patch (which I will include with this email) and create a test username. Then log in with the chrooted ssh daemon. It should run fine. Then change the user's home directory to have a period in it (/home/./username) and try logging in. If it fails, the patch is working: because you haven't built a chroot yet, once the chroot is applied to your user the user's shell will not be found and the login fails. Chrooting ssh/sftp isn't necessarily easy, but if you're comfortable with truss or strace it becomes quite a bit easier.
Because the whole process of building a chroot is beyond the scope of my reply in regard to the patch not working, I leave it to any inquisitive minds to find a good article on how to build chroots for themselves (hint: a good article on chrooting ssh (not sftp) is on securityfocus.com).
Good luck to anyone. This patch does indeed work as we use it in production here at Harvard Law School.
-James

On Fri, 12 Apr 2002 08:04:03 +0200
jm.poure at freesurf.fr wrote:

> On Thursday 11 April 2002 21:09, m.ibarra at cdcixis-na.com wrote:
> > I was curious to know if you had any luck in getting openssh's sftp
> > server properly configured to allow chrooted sftp logins? I have had
> > no success and need something quickly.
> 
> Dear Mike,
> 
> Unfortunately, I did not succeed in getting it to work.
> 
> I got in contact with James Dennis <jdennis at law.harvard.edu>, who sent me a 
> chroot patch. I applied the patch and did not succeed in logging into a chrooted 
> account.
> 
> The patch is quite simple. I don't understand why it does not work. Any idea?
> 
> Best regards,
> Jean-Michel
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: chroot.diff
Type: application/octet-stream
Size: 2561 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020412/6bfce47b/attachment.obj 
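As an added example (not part of this thread or the attached chroot.diff), a POSIX shell helper for the library-placement step described above: it takes the shared objects a binary loads and mirrors them under the chroot at their original paths, so the layout looks the same inside the chroot as outside. It assumes a glibc-style `ldd` in place of the truss/strace approach mentioned in the message, and a chroot root such as /var/chroot; the ldd lines shown in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: populate a chroot with a binary
# (e.g. sftp-server) and the shared libraries ldd reports for it.
# Assumes Linux/glibc ldd output such as (constructed):
#   linux-vdso.so.1 (0x00007ffd...)
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f...)
#   /lib64/ld-linux-x86-64.so.2 (0x00007f...)

# Read ldd output on stdin and print one absolute library path per line.
# Virtual objects with no file behind them (linux-vdso) are skipped.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }   # "name => /path (addr)"
        $1 ~ /^\//               { print $1 }         # bare "/path (addr)", the loader
    '
}

# Read absolute paths on stdin and copy each into the chroot root given as $1,
# keeping the same directory structure: /lib/libc.so.6 -> $1/lib/libc.so.6.
copy_into_chroot() {
    root=$1
    while IFS= read -r path; do
        if [ ! -f "$path" ]; then
            echo "missing on host, skipped: $path" >&2
            continue
        fi
        mkdir -p "$root$(dirname "$path")"
        cp -p "$path" "$root$path"
    done
}

# Copy the binary itself plus everything ldd says it needs.
# Usage: install_into_chroot /var/chroot /usr/libexec/sftp-server
install_into_chroot() {
    root=$1
    bin=$2
    printf '%s\n' "$bin" | copy_into_chroot "$root"
    ldd "$bin" | ldd_paths | copy_into_chroot "$root"
}

# Mirror the login test from the message: once the home directory is
# /home/./user, the shell must exist under the chroot or the login fails.
# Usage: check_chroot_shell /var/chroot /bin/sh
check_chroot_shell() {
    [ -x "$1$2" ] && echo "ok: $2 present under $1" || { echo "no $2 under $1" >&2; return 1; }
}
```

Run `install_into_chroot` as a user that can read the libraries and write the chroot root, then `check_chroot_shell` to confirm the shell the chrooted user will be given actually exists there.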