chroot + ssh concerns

[Ben Lindstrom]

You may want to consder: http://www.pizzashack.org/rssh/

- Ben

On Tue, 30 Dec 2003, Lev Lvovsky wrote:

> Hello,
>
> I'm new to the list, but hopefully I've done enough digging around that
> I don't get yelled at too terribly ;)
>
> We're looking to implement a chrooted environment for allowing users to
> scp files from servers.  That's basically the only functionality that
> we need in this case.  We're looking to chroot the user and/or remove
> any chance that the account can login via ssh or local to the machine
> an run any commands.  Essentially the idea is to create a dump/pickup
> directory on the machines in question.
>
> In looking around, it seems that chroot has come up on this list
> several times, and has been discussed ad nauseum on usenet.  In looking
> at the archives, it seems that the patch for this has been removed from
> the contrib section of the ssh source.
>
> While patches for chrooted ssh exist (chrootssh comes to mind), I've
> also read the discussion here:
>
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102163541912823&w=2
>
> and am curious to get this groups take on possible solutions.
>
> 1.  does anyone have recommendations/warnings about applying the
> securessh patch?  The two main problems I see are code auditting
> (which, while I understand C, I don't know the ssh source well enough
> to understand the patch), as well as waiting on patches to newly
> announced vulnerabilities.
>
> 2.  the other options that we have for this are "restricted bash"
> (rbash), and the "scponly" shell - does anyone have any comments on
> either of those two as more (or less) recommended than the chrootssh
> patch?
>
> any other words of wisdom are very much appreciated!
>
> thanks,
> -lev
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>