chroot + ssh concerns
Asif Iqbal
iqbala at qwestip.net
Wed Dec 31 16:09:01 EST 2003
Lev Lvovsky wrote:
> Hello,
>
> I'm new to the list, but hopefully I've done enough digging around that
> I don't get yelled at too terribly ;)
>
> We're looking to implement a chrooted environment for allowing users to
> scp files from servers. That's basically the only functionality that
> we need in this case. We're looking to chroot the user and/or remove
> any chance that the account can login via ssh or local to the machine
> an run any commands. Essentially the idea is to create a dump/pickup
> directory on the machines in question.
>
> In looking around, it seems that chroot has come up on this list
> several times, and has been discussed ad nauseum on usenet. In looking
> at the archives, it seems that the patch for this has been removed from
> the contrib section of the ssh source.
>
> While patches for chrooted ssh exist (chrootssh comes to mind), I've
> also read the discussion here:
>
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102163541912823&w=2
>
> and am curious to get this groups take on possible solutions.
>
> 1. does anyone have recommendations/warnings about applying the
> securessh patch? The two main problems I see are code auditting
> (which, while I understand C, I don't know the ssh source well enough
> to understand the patch), as well as waiting on patches to newly
> announced vulnerabilities.
>
> 2. the other options that we have for this are "restricted bash"
> (rbash), and the "scponly" shell - does anyone have any comments on
> either of those two as more (or less) recommended than the chrootssh
> patch?
>
> any other words of wisdom are very much appreciated!
>
> thanks,
> -lev
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
Check this out
http://cr.yp.to/publicfile.html
Same guy who wrote qmail
--
Asif Iqbal
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
There's no place like 127.0.0.1
More information about the openssh-unix-dev
mailing list