<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
<TITLE>Running 'ssh' and 'scp' from a chroot jail (sandbox)</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>I have a need to have users SSH into a server where they are limited to a chroot jail (sandbox). Once they are there, they need to be able to execute 'ssh' and 'scp' to other systems.</FONT></P>
<P><FONT SIZE=2>I've no problem setting up the basic chroot jail and providing basic functionality (ls, cat, less, etc). The part that is stopping me is setting it up so that that user can then 'ssh' and 'scp' out.</FONT></P>
<P><FONT SIZE=2>Actually I've got (nearly) working based on ldd and strace testing, but it seems somewhat kludgy:</FONT>
<BR><FONT SIZE=2>- Requires links from the chroot jail /etc to non-chroot'd /etc/tty and /etc/urandom (bad idea for a chroot jail?)</FONT>
<BR><FONT SIZE=2>- 'ssh' from the chroot jailed user sees the user's home directory as the full non-chroot'd path</FONT>
<BR><FONT SIZE=2>- 'scp' into the chroot jailed user home directory fails with 'Permission denied.', despite the home directory being 777, the correct password being used, and 'ssh' into the chroot jailed user working fine</FONT></P>
<P><FONT SIZE=2>What are the bare bones requirements for enabling these binaries within the chroot jail? Any assistance on what I am missing here would be appreciated.</FONT></P>
<P><FONT SIZE=2>Greg S.</FONT>
</P>
<BR>
<P><FONT SIZE=2>PS - Apologies if this is not the proper list for a question of this nature; it seemed the most appropriate. If it isn't, please just let me know.</FONT></P>
</BODY>
</HTML>