OpenSSH 3.2.2 released : chroot
Ben Lindstrom
mouring at etoh.eviladmin.org
Tue May 21 03:40:01 EST 2002
On 20 May 2002, Florin Andrei wrote:
> On Fri, 2002-05-17 at 09:05, Ben Lindstrom wrote:
> >
> > Out of interest why do you feel it's required to do chroot() at the
> > OpenSSH level? Why don't you invest time into a shell that does the
> > chroot() for you? That would work for telnet, ssh, etc. No need to
> > clutter up OpenSSH with options that can easily be implemented at a higher
> > level.
>
> Perhaps because an OpenSSH-level chroot will also work for
> sftp-restricted accounts.
> Remember, if you want to restrict an account to sftp-only, you have to
> declare the sftp-server as a shell. Which is kinda annoying, but it's
> ok. Now, if you chroot at the shell level, it suddenly becomes more
> complicated for sftp-only accounts.
>
chroot in sshd.c does not improve sftp-only chroot support. If you think
that, then you are mistaken. You still need to put a bunch of crap in the
user's directory. The only way around it is suid-ing sftp-server and embedding
the chroot there.
In general a suid chroot wrapper or chroot in sshd.c results in the same
crap. <shrug>
Besides, you have to take your pick. chroot at the sshd.c level or at the
sftp-server.c level. You really can't have both.
- Ben
More information about the openssh-unix-dev mailing list