making openssh work with chroot()'ed accounts?

James Ralston qralston+ml.openssh-unix-dev at andrew.cmu.edu
Mon Sep 17 11:38:30 EST 2001


I've been trying to get openssh to play nicely with chroot()'ed
accounts (on Red Hat Linux 7.1), but so far, I haven't had much
success.

I can stick this line in /etc/pam.d/sshd:

    session required /lib/security/pam_chroot.so debug onerr=fail

For slogin, this works great.  But scp and sftp don't apply the
chroot, because they don't invoke do_pam_session().

Even worse, I can't disable sftp access for chroot()'ed accounts
without disabling it for everyone.  (Using the "command" option in the
authorized_keys2 file will break scp, but sftp will still work.)

I looked at Ricardo Cerqueira's contrib/chroot.diff patch.  However,
it only seems to apply to pam sessions.  Even if that weren't the
case, the "/./" hack won't permit me to locate the user's ~/.ssh
directory (the one that matters; not the one the user sees after the
chroot() call has taken place) in a place where they don't have access
to it.

Is there some easy way to get openssh to work with chroot()'ed
accounts?  Something I've missed, perhaps?

Assuming I haven't overlooked something, I was considering adding a
"ChrootConfig" option to the sshd_config file.  E.g.:

    ChrootConfig /etc/security/chroot.conf

This would function in the same way as pam_chroot (each line in the
file is of the form "username directory", where "username" is a
regular expression, and "directory" is the directory to which to
chroot() if the regular expression matches.  The chroot() call would
occur just before the setuid/setgid calls.

Thoughts?

-- 
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA




More information about the openssh-unix-dev mailing list