chrooting/jailing transfer-only accounts

Ben Lindstrom mouring at etoh.eviladmin.org
Thu May 23 00:20:14 EST 2002


I'm sorry but I know I don't read binhex.

But assuming you did what has been discussed here before, which is to write
some form of program that detects the -c argument passed to it and accepts
or denies the commands.  This can work for sftp-server also.  Because we
do ${SHELL} -c sftp-server just like one would expect.

- Ben

On Tue, 21 May 2002, Sandor W. Sklar wrote:

> Folks,
>
> I've been tasked to find a solution that will create
> file-transfer-only accounts that are jailed or chrooted to a specific
> directory.  (Not an uncommon task, I think.)
>
> Using the OpenSSH server and the OpenSSH scp client program, I can
> achieve the goal of having a file transfer only account jailed to a
> specified directory, by using the "scpjail" script (attached) as a
> forced command.
>
> However, if the client is using the SSH.COM's scp2 client program,
> the above technique does not work, since the commercial version uses
> sftp as the underlying method.
>
> So, the only solution I can see is to use one of the several
> chrooting patches that are floating around to the OpenSSH source, and
> set the user's shell to sftp-server.  If I do this, I make it
> impossible to use the OpenSSH scp client; all connections must be
> done using sftp clients.  I am also tied to selecting and using one
> of these patches, which I admit, I do not have the technical ability
> to judge on their merits and potential weaknesses.  I am phobic about
> using patches that are not part of the baseline code (especially for
> security-related software), as it creates one more thing to worry
> about.
>
> My question is, does anyone see a solution that I am missing here?
> Complaining to SSH.COM is not a solution, as it does not solve my
> problem.  It is not in my power to force the user community to use
> only the OpenSSH implementation.
>
> I've seen many mails on this list lately talking about the pros and
> cons of including chroot-ability; the people who seem to feel that it
> is unnecessary have said that it is easy enough to implement outside
> of OpenSSH.  I don't have the ability to do so; among the community
> of OpenSSH users, I doubt I'm alone in this.
>
> (As an aside, I'd appreciate it if people would look at the attached
> script, and let me know if they can see any obvious holes in it.
> I've tried unsuccessfully to break out if it is set up properly, but
> others may have more success.)
>
> Thanks, -S-
>
> --
>    Sandor W. Sklar  -  Unix Systems Administrator  -  Stanford University ITSS
>    Non impediti ratione cogitationis.     http://whippet.stanford.edu/~ssklar/
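
The wrapper approach described in the reply above, written as a login shell for the transfer-only account. This is an added example, not code from the thread, from OpenSSH, or the attached scpjail script. It assumes the Subsystem line in sshd_config points at /usr/libexec/sftp-server, and it only filters the command string; confining the account to a directory is a separate step.

```shell
#!/bin/sh
# Added example: accept/deny login shell for a transfer-only account.
# sshd starts scp and the sftp subsystem as: $SHELL -c "<command>"
# Assumption: this path matches the Subsystem line in sshd_config.
SFTP_SERVER=${SFTP_SERVER:-/usr/libexec/sftp-server}

# classify CMD: print "sftp" or "scp" and return 0, or return 1 to deny.
classify() {
    cmd=$1
    # Allow-list of characters: anything else (; | & $ ` quotes, globs,
    # newlines ...) is refused before the string is ever word-split.
    unsafe='*[!A-Za-z0-9 ./_-]*'
    case $cmd in
        ''|$unsafe) return 1 ;;
        "$SFTP_SERVER") echo sftp; return 0 ;;   # sftp subsystem (scp2, sftp)
        "scp "*) ;;                              # vetted word by word below
        *) return 1 ;;
    esac
    mode=
    for w in ${cmd#scp }; do       # safe to split: no glob characters remain
        case $w in
            -t|-f) mode=$w ;;      # server side: -t receives, -f sends
            -r|-p|-d|-v) ;;        # harmless modifiers sent by the client
            -*) return 1 ;;        # any other option (e.g. -S) is refused
            *) break ;;            # first path argument ends option parsing
        esac
    done
    [ -n "$mode" ] && echo scp     # plain "scp a b" has no mode: denied
}

# Act only when invoked the way sshd invokes a shell: wrapper -c "<command>".
# An interactive login (no -c) falls through and the session ends.
if [ "$#" -eq 2 ] && [ "$1" = "-c" ]; then
    kind=$(classify "$2") || { echo "transfer-only account" >&2; exit 1; }
    set -f                         # no pathname expansion on the split below
    case $kind in
        sftp) exec "$SFTP_SERVER" ;;
        scp)  exec $2 ;;           # word-split the vetted string, no eval
    esac
fi
```

Path arguments are passed through unchanged, so ".." still works; restricting where the account can read and write has to come from the jail, not from this filter.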




More information about the openssh-unix-dev mailing list