chroot + ssh concerns

Asif Iqbal iqbala at qwestip.net
Wed Dec 31 16:09:01 EST 2003


Lev Lvovsky wrote:
> Hello,
> 
> I'm new to the list, but hopefully I've done enough digging around that 
> I don't get yelled at too terribly ;)
> 
> We're looking to implement a chrooted environment for allowing users to 
> scp files from servers.  That's basically the only functionality that 
> we need in this case.  We're looking to chroot the user and/or remove 
> any chance that the account can login via ssh or local to the machine 
> an run any commands.  Essentially the idea is to create a dump/pickup 
> directory on the machines in question.
> 
> In looking around, it seems that chroot has come up on this list 
> several times, and has been discussed ad nauseum on usenet.  In looking 
> at the archives, it seems that the patch for this has been removed from 
> the contrib section of the ssh source.
> 
> While patches for chrooted ssh exist (chrootssh comes to mind), I've 
> also read the discussion here:
> 
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102163541912823&w=2
> 
> and am curious to get this groups take on possible solutions.
> 
> 1.  does anyone have recommendations/warnings about applying the 
> securessh patch?  The two main problems I see are code auditting 
> (which, while I understand C, I don't know the ssh source well enough 
> to understand the patch), as well as waiting on patches to newly 
> announced vulnerabilities.
> 
> 2.  the other options that we have for this are "restricted bash" 
> (rbash), and the "scponly" shell - does anyone have any comments on 
> either of those two as more (or less) recommended than the chrootssh 
> patch?
> 
> any other words of wisdom are very much appreciated!
> 
> thanks,
> -lev
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

Check this out

http://cr.yp.to/publicfile.html

Same guy who wrote qmail

-- 
Asif Iqbal
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x8B686E08
There's no place like 127.0.0.1




More information about the openssh-unix-dev mailing list