Feature request

Derek Simkowiak dereks at realloc.net
Wed May 28 15:46:33 EST 2008


/The sshd server has what I think is a serious flaw./

   Doug,
    OpenSSH server does not support chroot shell access.  It only 
supports a read-only chroot jail for SFTP (a brand-new feature which, I 
submit, is mostly useless).  So, whatever chroot problem you are having 
is not related to OpenSSH.  You're on the wrong list.

    Having said that, I am a user of the chroot patch for SSH available 
from http://chrootssh.sourceforge.net/ .  Earlier this week I proposed 
that this patch be included with OpenSSH as a compile-time option.  It's 
extremely useful (for many people, not just me) and it's been deployed 
out in the wild for a long time.  It uses the same /./ chroot convention 
used by wuftp and chrsh.

    If that is the patch you are using -- you never mentioned how you 
were doing chroot with SSH -- then know that I am NOT able to reproduce 
your problem.

    Here I log in as a chroot'd user (username: admin, using a 
password).  Note that the file /etc/passwd only has two lines, because 
it's the fake passwd file in the chroot jail:  

dereks at dell-laptop:~$ ssh admin at cst2 "cat /etc/passwd"
admin at cst2's password:
root:x:0:0:root:/root:/bin/bash
admin:x:10001:10001:Administrator:/var/www/web1/./:/bin/bash

    And here I log in as a non-chroot'd user (username: root, using an 
authorized key).  Note that the local /etc/passwd now has 42 lines, 
because it's the real passwd file at /etc/passwd:  
  
dereks at dell-laptop:~$ ssh root at cst2 "cat /etc/passwd | wc"
     42      61    2040
dereks at dell-laptop:~$

    Ergo, your problem is not with OpenSSH, and it's not even with the 
patch at http://chrootssh.sourceforge.net/.  You need to keep looking.  
(To the best of my knowledge, if you're not using that patch, you will 
never get chroot SSH access for your users.)

    As an aside, note that my box "cst2" is running ISPConfig, which 
conveniently supports the above chroot patch, and which automatically 
creates a chroot jail for all new users (and puts the /./ syntax into 
their home directory) using its web-based GUI.

    Please do not reply to the OpenSSH list, because (again) this is the 
wrong list for your question.  Feel free to reply to me privately if you 
need further assistance.

Thanks,
Derek

P.S.> Yes, root shell with an authorized key.  Please don't berate me 
about it.  It's a dev system and I need convenient root access, so sue me.

Doug Poulin wrote:
> The sshd server has what I think is a serious flaw.  There appears to be no way to turn off remote command execution.  (someone please correct me if I am wrong).
>
> We have a server which uses a chroot jail, and rbash to severely limit what users can do on our system.  The remote command bypasses all of that.
>
> ie.  ssh user at host cat /etc/passwd  will display the password file for the live system and not the chrooted jail.
>
> I've checked the man pages and so far I haven't seen anything that will allow me to override this functionality.  We may be able to use the public/private key with the command override feature, but I'd rather the problem was addressed properly.
>
> Comments?
> Doug
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>   



More information about the openssh-unix-dev mailing list