Feature Request: Chroot Default Shell Escape

Jochen Bern Jochen.Bern at binect.de
Thu Jan 21 19:46:53 AEDT 2021

On 20.01.21 12:10, Konstantinos Pipinis wrote:
> The SSH daemon allows sftp connections (through internal-sftp) to a chroot
> directory for specific users or groups. This prevents them from having
> access with a regular ssh connection to their default terminal (as it
> should prevent).
> Yet, there are cases (as I had the need to implement) where a custom shell
> (eg: used for system configurations) is provided for some users while
> simultaneously the users had access only to their designated folder using
> the chroot-sftp functionality (in order to download or upload configuration
> files and logs).
> I would suggest the option for the default shell (as set in passwd) to
> escape chroot and execute as normal.

If you have a shell that you consider safe for those users to use (*not*
a trivial requirement!), make it their login shell and stop
ForceCommand'ing them into an SFTP server; both shell and SFTP will be
available from that point on.

ChrootDirectory should(*) work regardless of what kind of session ensues
(as long as your shell is *able* to run in the chroot, of course).

Other options that you may have specified in the ForceCommand should(*)
work the same in the Subsystem statement.

Having SFTP sessions chroot()ed but *not* the shell ... does sound like
one security setting likely defeating the other, to be honest ...

FWIW, if you still want to suggest a new feature *for the SFTP server*,
please specify which one you're using in your Subsystem config.

(*) Disclaimer: Per the manpages, never tried that myself.

Jochen Bern

Binect GmbH

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3449 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20210121/5a2e2113/attachment.p7s>

More information about the openssh-unix-dev mailing list