Testing wanted: OpenSSH 4.8
Jan-Frode Myklebust
janfrode at tanso.net
Fri Mar 14 22:25:33 EST 2008
On 2008-03-13, Damien Miller <djm at mindrot.org> wrote:
>
> The highlights of this release are:
>
> * Added chroot(2) support for sshd(8), controlled by a new option
> "ChrootDirectory". Please refer to sshd_config(5) for details, and
> please use this feature carefully. (bz#177 bz#1352)

I miss some documentation on this feature...

It seems to require:

    UsePrivilegeSeparation no

and maybe it's strongly advisable to also use:

    AllowTcpForwarding no
    X11Forwarding no
    PermitUserEnvironment no
    # and more ?

Here's my current config. Any comments on other things that should be
set for a safe chrooted sftp-server?

    Protocol 2
    PermitRootLogin no
    StrictModes yes
    IgnoreRhosts yes
    PasswordAuthentication no
    PermitEmptyPasswords no
    ChallengeResponseAuthentication no
    AllowTcpForwarding no
    X11Forwarding no
    PrintMotd yes
    PrintLastLog yes
    UsePrivilegeSeparation no
    PermitUserEnvironment no
    PidFile /var/run/sshd-external.pid
    PermitTunnel no
    Banner no
    Subsystem sftp internal-sftp
    ChrootDirectory /var/empty/sshd-external-chroot/
    ForceCommand internal-sftp
    AllowGroups chroot_users
    Match group chroot_users
        ChrootDirectory /var/ftp/%u

-jf
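
The following is an added example, not part of the original message and not OpenSSH code. sshd_config(5) requires that the ChrootDirectory path and every component of it be a root-owned directory that is not writable by any other user or group; this Python check walks an expanded path such as /var/ftp/%u and reports each component that breaks that rule. The function name, the owner_uid parameter and the user name "alice" are assumptions made for the example, and only the %u and %% tokens are expanded.

```python
import os
import stat


def chroot_path_problems(template, user, owner_uid=0):
    """Return (component, reason) pairs for every unsafe part of a chroot path.

    template  -- ChrootDirectory value, e.g. "/var/ftp/%u"
    user      -- login name substituted for %u
    owner_uid -- uid every component must belong to (0 = root)
    """
    # Expand %% and %u; "\0" is a temporary marker so "%%u" stays literal.
    path = template.replace("%%", "\0").replace("%u", user).replace("\0", "%")
    if not os.path.isabs(path):
        return [(path, "not an absolute path")]

    problems = []
    current = "/"
    # Walk "/", then each deeper component, so a weak parent is reported too.
    for part in [""] + [p for p in path.split("/") if p]:
        current = os.path.join(current, part)
        try:
            st = os.stat(current)
        except OSError as exc:
            problems.append((current, "cannot stat: %s" % exc.strerror))
            break  # nothing below a missing component can be checked
        if not stat.S_ISDIR(st.st_mode):
            problems.append((current, "not a directory"))
            break
        if st.st_uid != owner_uid:
            problems.append(
                (current, "owned by uid %d, expected %d" % (st.st_uid, owner_uid)))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((current, "writable by group or others"))
    return problems


if __name__ == "__main__":
    # Path template taken from the Match block above; "alice" is a made-up user.
    for component, reason in chroot_path_problems("/var/ftp/%u", "alice"):
        print("%s: %s" % (component, reason))
```

An empty result means every component passed. Run it once per account that will be chrooted, since %u expands to a different directory for each user.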