Chrooted sftp, did you get it working?

m.ibarra at cdcixis-na.com m.ibarra at cdcixis-na.com
Sat Apr 13 05:04:48 EST 2002


Oh, it works, just not properly :-)

If I sftp in using this patch, it shows all files as owned
by UID instead of username. I am however able to now log in.

My original problem was using ftp put, which failed due to the
fact that I was originally following the chroot+sftp-server.patch
doc, which stated that I must chmod the chrooted homedir to 555
and make it owned by root. I've since then properly rechmodded
and all seems well, again aside from the UID bug noted above.

Thanks again,

-mike

-----Original Message-----
From: James Dennis [mailto:jdennis at law.harvard.edu]
Sent: Friday, April 12, 2002 9:33 AM
To: jm.poure at freesurf.fr; dci at webquill.com
Cc: Ibarra, Michael; openssh-unix-dev at mindrot.org;
secureshell at securityfocus.com
Subject: Re: Chrooted sftp, did you get it working?


Hello,
Chrooting sftp is not much more complicated than just chrooting ssh. It
requires placing certain libraries (you can probably figure these out using
truss or strace) in a location that appears the same as the regular file
system while under the chroot. As far as I remember from doing this, the
only thing sftp requires different from ssh is sftp-server, which most likely
lies in /usr/libexec or /usr/local/libexec. The best way to determine if
chrooted ssh is working is to apply the patch (which I will include with
this email) and create a test username. Then log in with the chrooted ssh
daemon. It should run fine. Then change the user's home directory to have a
period in it (/home/./username) and then try logging in. If it fails, the
patch is working, because you haven't built a chroot yet, so after the chroot
is applied to your user the user's shell will not be found and the login
fails. Chrooting ssh/sftp isn't necessarily easy, but if you're comfortable
with truss or strace it becomes quite a bit easier.
Because the whole process of building a chroot is beyond the scope of my
reply in regard to the patch not working, I leave any inquisitive minds to
find a good article on how to build chroots themselves (hint: a good
article on chrooting ssh (not sftp) is on securityfocus.com).
Good luck to anyone. This patch does indeed work, as we use it in production
here at Harvard Law School.
-James

On Fri, 12 Apr 2002 08:04:03 +0200
jm.poure at freesurf.fr wrote:

> On Thursday 11 April 2002 21:09, m.ibarra at cdcixis-na.com wrote:
> > I was curious to know if you had any luck in getting openssh's sftp
> > server properly configured to allow chrooted sftp logins? I have had
> > no success and need something quickly.
> 
> Dear Mike,
> 
> Unfortunately, I did not succeed in getting it to work.
> 
> I got in contact with James Dennis <jdennis at law.harvard.edu>, who sent me
> a chroot patch. I applied the patch and did not succeed in logging into a
> chrooted account.
> 
> The patch is quite simple. I don't understand why it does not work. Any
> idea?
> 
> Best regards,
> Jean-Michel
> 
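The steps James outlines (find the shared libraries a binary needs, mirror them under the chroot at the same absolute paths, and use a "/./" marker in the home directory to tell the patched sshd where the chroot ends) can be scripted. The helpers below are an added example written for this archive page; they are not part of James's patch or of OpenSSH. They assume a GNU/Linux-style `ldd` output format and that the patch splits the home directory at the first "/./", as James's test with /home/./username suggests; the sftp-server path in the usage comment is the one James gives as most likely, not a verified one.

```sh
#!/bin/sh
# Added example: build and verify a chroot for sshd/sftp-server.
# Assumptions: ldd(1) prints lines like "libc.so.6 => /lib/libc.so.6 (0x...)"
# or "/lib64/ld-linux-x86-64.so.2 (0x...)"; the chroot patch splits the home
# directory at the first "/./" (hypothetical; check the patch source).

# Read ldd output on stdin and print the absolute path of every shared object,
# one per line. vdso entries have no path and are skipped; "not found"
# entries are reported on stderr so a missing dependency is not silently lost.
chroot_libs_from_ldd() {
    awk '
        /=> not found/ { print "unresolved: " $1 > "/dev/stderr"; next }
        /=>/           { if ($3 ~ /^\//) print $3; next }   # name => /path (addr)
        $1 ~ /^\//     { print $1 }                         # /path (addr): the loader
    '
}

# Copy one file into the chroot at the same absolute path it has outside,
# e.g. /lib/libc.so.6 -> $root/lib/libc.so.6, so the loader finds it unchanged.
chroot_copy() {
    root="$1"; src="$2"
    mkdir -p "$root$(dirname "$src")"
    cp -p "$src" "$root$src"
}

# Install a binary plus everything ldd reports for it. Usage (James's likely
# path for sftp-server, adjust to your build):
#   chroot_install_binary /home/chroot /usr/libexec/sftp-server
chroot_install_binary() {
    root="$1"; bin="$2"
    chroot_copy "$root" "$bin"
    ldd "$bin" | chroot_libs_from_ldd | while read -r lib; do
        chroot_copy "$root" "$lib"
    done
}

# Verify that a binary and all its libraries are present under the chroot.
# A missing loader or libc is exactly the "shell not found at login" symptom.
chroot_check_binary() {
    root="$1"; bin="$2"
    [ -x "$root$bin" ] || { echo "missing $root$bin"; return 1; }
    ldd "$bin" | chroot_libs_from_ldd | while read -r lib; do
        [ -e "$root$lib" ] || { echo "missing $root$lib"; exit 1; }
    done
}

# Split a passwd home directory of the form /chroot/./home into the chroot
# root and the home path inside it. Prints "root home" on one line.
# /home/./username -> "/home /username"
chroot_split_home() {
    case "$1" in
        */./*) printf '%s /%s\n' "${1%%/./*}" "${1#*/./}" ;;
        *)     printf ' %s\n' "$1" ;;   # no marker: no chroot, unchanged home
    esac
}
```

Run chroot_install_binary for sftp-server and for the user's login shell, then chroot_check_binary before testing a login; the check catches the case James describes where the login fails only because the chroot is still empty.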


