OpenSSH 3.2.2 released : chroot

Ben Lindstrom mouring at
Tue May 21 03:40:01 EST 2002

On 20 May 2002, Florin Andrei wrote:

> On Fri, 2002-05-17 at 09:05, Ben Lindstrom wrote:
> >
> > Out of interest why do you feel it's required to do chroot() at the
> > OpenSSH level?  Why don't you invest time into a shell that does the
> > chroot() for you?  That would work for telnet, ssh, etc. No need to
> > clutter up OpenSSH with options that can easily be implemented at a higher
> > level.
> Perhaps because an OpenSSH-level chroot will also work for
> sftp-restricted accounts.
> Remember, if you want to restrict an account to sftp-only, you have to
> declare the sftp-server as a shell. Which is kinda annoying, but it's
> ok. Now, if you chroot at the shell level, it suddenly becomes more
> complicated for sftp-only accounts.

chroot in sshd.c does not improve sftp-only chroot support.  If you think
that then you are mistaken.  You still need to put a bunch of crap in the
user's directory.  Only way around it is suiding sftp-server and embeding
the chroot there.

In general a suid chroot wrapper or chroot in sshd.c results in the same
crap.  <shrug>

Besides, you have to take your pick.  chroot at the sshd.c level or at the
sftp-server.c level.  You really can't have both.

- Ben

More information about the openssh-unix-dev mailing list