OpenSSH 3.2.2 released : chroot

Pekka Savola pekkas at
Sat May 18 23:54:22 EST 2002

On Sat, 18 May 2002, Dan Astoorian wrote:
> On Sat, 18 May 2002 06:10:31 EDT, Pekka Savola writes:
> > On Fri, 17 May 2002, Ben Lindstrom wrote:
> > > Out of interest why do you feel it's required to do chroot() at the
> > > OpenSSH level?  Why don't you invest time into a shell that does the
> > > chroot() for you?  That would work for telnet, ssh, etc. No need to
> > > clutter up OpenSSH with options that can easily be implemented at a higher
> > > level.
> > 
> > One word: sftp.
> How is sftp different from any other application or subsystem?

Sftp is moderately self-sufficient.

Trying to invent a "magic bullet" for e.g. chrooting shell is rather 
difficult and not really usable for most people (because of the troubles 
with populating chroot directories; with sftp there is no such need).

So, really.. the only difference is pragmatic: sftp should be relatively
easy to chroot in practise -- in contrast to e.g. shell, and very usable 
for most people ("ftp + chroot to homedirs replacement").
> If the user's login shell is a wrapper which calls chroot() and then
> runs a real shell, then sftp-server will be wrapped along with anything
> else the user could run via ssh.

A wrapper would be fine by me.

Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

More information about the openssh-unix-dev mailing list