keypair auth and limiting access to sftp [no relation to chroot()]
Peter W
peterw at usa.net
Tue Sep 18 07:17:11 EST 2001
On Mon, Sep 17, 2001 at 05:06:42PM -0400, James Ralston wrote:
> On Sun, 16 Sep 2001 mouring at etoh.eviladmin.org wrote:
>
> > Peter, you may want to check the current snapshot. On 9/14 I
> > included a patch from the OpenBSD tree on subsystem and key pairs.
> >
> > [..]
> > - markus at cvs.openbsd.org 2001/09/14
> > [session.c]
> > command=xxx overwrites subsystems, too
> > [..]
> >
> > Hope this helps what you are doing.
>
> Making sftp inaccessible to chroot'ed accounts is certainly one way to
> prevent chroot'ed accounts from using sftp to break out of their
> chroot jails, yes.
I'm not talking about chroot jails at all. I'm talking about sftp making it
easy to bypass all restrictions in ~/.ssh/authorized_keys* (gaining full
access as the user despite explicit restrictions). That's why I changed the
Subject line -- my beef has nothing to do with chroot(). You just happened
on the same sftp problem that I did. This is a *huge* security problem.
-Peter
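The point of contention in this message, as an added illustration that is not part of the thread and not OpenSSH code: a key in ~/.ssh/authorized_keys carrying command="..." is supposed to confine the key holder to that one program, but if sshd honours a client's "sftp" subsystem request without consulting the forced command, the key holder gets sftp-server (and with it arbitrary file access as the user) anyway. The model below parses authorized_keys option fields and resolves a session request under two policies: "pre_patch", where a subsystem request bypasses command=, and "post_patch", where command= overrides subsystem requests too, which is what the quoted 2001/09/14 session.c change ("command=xxx overwrites subsystems, too") describes. The policy names, the SUBSYSTEMS table, the sample key file and its placeholder key blobs are all assumptions constructed for the example; the real sshd code path is more involved.

```python
"""Model of what sshd ends up executing for a key-restricted login.

Added illustration for this thread, not OpenSSH code. It parses the option
field of authorized_keys lines (a quoted command="..." value may contain
commas and backslash-escaped quotes) and resolves a client request under:
  pre_patch  - a "subsystem" request is honoured even when the key carries
               command=..., so sftp sidesteps the forced command
  post_patch - command=... wins over subsystem requests as well
The subsystem table, sample key file and key blobs are constructed here.
"""

KEY_TYPES = ("ssh-rsa", "ssh-dss")
SUBSYSTEMS = {"sftp": "/usr/libexec/sftp-server"}  # assumed sshd_config Subsystem

SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample; key blobs are placeholders
command="/usr/local/bin/backup-only",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EXAMPLE backup@host
ssh-rsa AAAAB3NzaC1yc2EXAMPLE unrestricted@host
command="/bin/echo \\"hi, there\\"" ssh-dss AAAAB3NzaC1kc3MEXAMPLE echo@host
"""

def parse_options(opts):
    """Turn 'command="x, y",no-pty' into {'command': 'x, y', 'no-pty': True}."""
    result, i, n = {}, 0, len(opts)
    while i < n:
        j = i
        while j < n and opts[j] not in "=,":
            j += 1
        name, value = opts[i:j], True
        if j < n and opts[j] == "=":
            j += 1
            if j < n and opts[j] == '"':          # quoted value, commas allowed
                j, buf = j + 1, []
                while j < n and opts[j] != '"':
                    if opts[j] == "\\" and j + 1 < n:
                        j += 1                    # backslash escapes next char
                    buf.append(opts[j])
                    j += 1
                value, j = "".join(buf), j + 1    # skip the closing quote
            else:                                 # bare value runs to next comma
                k = opts.find(",", j)
                k = n if k < 0 else k
                value, j = opts[j:k], k
        result[name] = value
        i = j + 1 if j < n and opts[j] == "," else j
    return result

def _split_options(line):
    """Split a line at the first whitespace that is not inside double quotes."""
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""

def parse_line(line):
    """Return (options, keytype, key, comment), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        opts, rest = {}, line                     # no option field at all
    else:
        opt_text, rest = _split_options(line)
        opts = parse_options(opt_text)
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("malformed authorized_keys line: %r" % line)
    return opts, fields[0], fields[1], (fields[2] if len(fields) == 3 else "")

def resolve(opts, request, policy):
    """What runs for request ('shell',), ('exec', cmd) or ('subsystem', name)."""
    forced = opts.get("command")
    if request[0] == "subsystem":
        target = SUBSYSTEMS.get(request[1])
        if target is None:
            return None                           # unknown subsystem: refused
        return forced if (forced is not None and policy == "post_patch") else target
    if forced is not None:
        return forced                             # shell/exec always honour command=
    return request[1] if request[0] == "exec" else "/bin/sh"

def bypassable_keys(text, policy="pre_patch"):
    """Comments of command=-restricted keys that an sftp request would escape."""
    out = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None or "command" not in parsed[0]:
            continue
        opts, comment = parsed[0], parsed[3]
        if resolve(opts, ("subsystem", "sftp"), policy) != opts["command"]:
            out.append(comment)
    return out

if __name__ == "__main__":
    for policy in ("pre_patch", "post_patch"):
        print(policy, "-> bypassable:", bypassable_keys(SAMPLE_AUTHORIZED_KEYS, policy))
```

Running the module prints that under "pre_patch" both command=-restricted keys (backup@host and echo@host) can reach sftp-server, while under "post_patch" none can. The same audit, pointed at a real authorized_keys file, is a quick way to list which keys were relying on command= alone for confinement; the parser handles the quoting rules that a naive split on commas gets wrong.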