Feature request
Derek Simkowiak
dereks at realloc.net
Wed May 28 15:46:33 EST 2008
/The sshd server has what I think is a serious flaw./
Doug,
OpenSSH server does not support chroot shell access. It only
supports a read-only chroot jail for SFTP (a brand-new feature which, I
submit, is mostly useless). So, whatever chroot problem you are having
is not related to OpenSSH. You're on the wrong list.
Having said that, I am a user of the chroot patch for SSH available
from http://chrootssh.sourceforge.net/ . Earlier this week I proposed
that this patch be included with OpenSSH as a compile-time option. It's
extremely useful (for many people, not just me) and it's been deployed
out in the wild for a long time. It uses the same /./ chroot convention
used by wuftp and chrsh.
If that is the patch you are using -- you never mentioned how you
were doing chroot with SSH -- then know that I am NOT able to reproduce
your problem.
Here I log in as a chroot'd user (username: admin, using a
password). Note that the file /etc/passwd only has two lines, because
it's the fake passwd file in the chroot jail:
dereks at dell-laptop:~$ ssh admin at cst2 "cat /etc/passwd"
admin at cst2's password:
root:x:0:0:root:/root:/bin/bash
admin:x:10001:10001:Administrator:/var/www/web1/./:/bin/bash
And here I log in as a non-chroot'd user (username: root, using an
authorized key). Note that the local /etc/passwd now has 42 lines,
because it's the real passwd file at /etc/passwd:
dereks at dell-laptop:~$ ssh root at cst2 "cat /etc/passwd | wc"
42 61 2040
dereks at dell-laptop:~$
Ergo, your problem is not with OpenSSH, and it's not even with the
patch at http://chrootssh.sourceforge.net/. You need to keep looking.
(To the best of my knowledge, if you're not using that patch, you will
never get chroot SSH access for your users.)
As an aside, note that my box "cst2" is running ISPConfig, which
conveniently supports the above chroot patch, and which automatically
creates a chroot jail for all new users (and puts the /./ syntax into
their home directory) using its web-based GUI.
Please do not reply to the OpenSSH list, because (again) this is the
wrong list for your question. Feel free to reply to me privately if you
need further assistance.
Thanks,
Derek
P.S.> Yes, root shell with an authorized key. Please don't berate me
about it. It's a dev system and I need convenient root access, so sue me.
Doug Poulin wrote:
> The sshd server has what I think is a serious flaw. There appears to be no way to turn off remote command execution. (someone please correct me if I am wrong).
>
> We have a server which uses a chroot jail, and rbash to severely limit what users can do on our system. The remote command bypasses all of that.
>
> ie. ssh user at host cat /etc/passwd will display the password file for the live system and not the chrooted jail.
>
> I've checked the man pages and so far I haven't seen anything that will allow me to override this functionality. We may be able to use the public/private key with the command override feature, but I'd rather the problem was addressed properly.
>
> Comments?
> Doug
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
More information about the openssh-unix-dev
mailing list