chroot + ssh concerns

Lev Lvovsky lists1 at
Wed Dec 31 13:08:09 EST 2003


To be honest, I'm personally pushing for an unmodified-ssh way of doing 
things - it's the head of security here that would rather we patch ssh.

Can you be more specific as to why this is a better idea over patches?  
The "scponly" shell seems to satisfy our needs as well, but the issue 
of code auditing stands for both that, and rssh, so I need to come back 
with some good reasons.


On Dec 30, 2003, at 5:43 PM, Ben Lindstrom wrote:

> You may want to consider:
> - Ben
> On Tue, 30 Dec 2003, Lev Lvovsky wrote:
>> Hello,
>> I'm new to the list, but hopefully I've done enough digging around that
>> I don't get yelled at too terribly ;)
>> We're looking to implement a chrooted environment for allowing users to
>> scp files from servers.  That's basically the only functionality that
>> we need in this case.  We're looking to chroot the user and/or remove
>> any chance that the account can log in via ssh or local to the machine
>> and run any commands.  Essentially the idea is to create a dump/pickup
>> directory on the machines in question.
>> In looking around, it seems that chroot has come up on this list
>> several times, and has been discussed ad nauseam on usenet.  In looking
>> at the archives, it seems that the patch for this has been removed from
>> the contrib section of the ssh source.
>> While patches for chrooted ssh exist (chrootssh comes to mind), I've
>> also read the discussion here:
>> and am curious to get this group's take on possible solutions.
>> 1.  does anyone have recommendations/warnings about applying the
>> securessh patch?  The two main problems I see are code auditing
>> (which, while I understand C, I don't know the ssh source well enough
>> to understand the patch), as well as waiting on patches to newly
>> announced vulnerabilities.
>> 2.  the other options that we have for this are "restricted bash"
>> (rbash), and the "scponly" shell - does anyone have any comments on
>> either of those two as more (or less) recommended than the chrootssh
>> patch?
>> any other words of wisdom are very much appreciated!
>> thanks,
>> -lev