chroot + ssh concerns

Ben Lindstrom mouring at
Wed Dec 31 12:43:50 EST 2003

You may want to consder:

- Ben

On Tue, 30 Dec 2003, Lev Lvovsky wrote:

> Hello,
> I'm new to the list, but hopefully I've done enough digging around that
> I don't get yelled at too terribly ;)
> We're looking to implement a chrooted environment for allowing users to
> scp files from servers.  That's basically the only functionality that
> we need in this case.  We're looking to chroot the user and/or remove
> any chance that the account can login via ssh or local to the machine
> an run any commands.  Essentially the idea is to create a dump/pickup
> directory on the machines in question.
> In looking around, it seems that chroot has come up on this list
> several times, and has been discussed ad nauseum on usenet.  In looking
> at the archives, it seems that the patch for this has been removed from
> the contrib section of the ssh source.
> While patches for chrooted ssh exist (chrootssh comes to mind), I've
> also read the discussion here:
> and am curious to get this groups take on possible solutions.
> 1.  does anyone have recommendations/warnings about applying the
> securessh patch?  The two main problems I see are code auditting
> (which, while I understand C, I don't know the ssh source well enough
> to understand the patch), as well as waiting on patches to newly
> announced vulnerabilities.
> 2.  the other options that we have for this are "restricted bash"
> (rbash), and the "scponly" shell - does anyone have any comments on
> either of those two as more (or less) recommended than the chrootssh
> patch?
> any other words of wisdom are very much appreciated!
> thanks,
> -lev
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at

More information about the openssh-unix-dev mailing list