making openssh work with chroot()'ed accounts?
James Ralston
qralston+ml.openssh-unix-dev at andrew.cmu.edu
Tue Sep 18 08:35:25 EST 2001
On Mon, 17 Sep 2001 mouring at etoh.eviladmin.org wrote:
> 1. Assign the user's shell to the sftp server.
> 2. change /home/$USER ownership to root.
> 3. create a directory for /home/$USER/.ssh/ and lock it down to 000
> 4. make WWW (in my case) and chown it to $USER
Unfortunately, my users need interactive access as well as sftp
access, so this won't work for me.
> It resolves a lot of issues, but it is not the 'best' way to go.
> There are chroot() sftp-server patches floating around. But
> chroot() sshd is going to make a mess of things when doing scp or
> sftp.
I'm not sure what mess you're referring to.
If sshd always calls do_pam_session(), which will ensure that
pam_chroot will always run, then for scp/sftp to work properly, I'll
need to set up a complete directory structure (executables, shared
libraries, etc.) in my chroot'ed directory structure.
But I already have to do all of those things, anyway, so that the
user's shell, other programs, etc. will run in the chroot'ed
structure. Stuffing copies of sftp-server, scp, et al. into the
chroot'ed structure is a minor thing, really.
Is this the mess you were referring to, or was it something else?
Do you know of any reason why making sshd always call do_pam_session()
wouldn't work? The pam_chroot module seems to do a good job, so it
would seem to me that *not* stuffing that functionality into sshd
would be the best course of action...
--
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA
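The message above argues that once a chroot tree already carries the user's shell and its shared libraries, dropping sftp-server and scp into the same tree is a small step. The POSIX shell script below is an added illustration of that population step; it is not part of the original post or of OpenSSH. It copies each program into the tree at its original path together with every shared object and the dynamic loader that ldd reports, and can list what is still missing afterwards. The chroot location /srv/chroot/alice and the paths /usr/libexec/openssh/sftp-server and /usr/bin/scp in the usage comment are assumptions; use the locations of your own build.

```shell
#!/bin/sh
# populate-chroot.sh (added example, not code from the original post)
#
# Copy one or more dynamically linked programs into a chroot tree together
# with every shared library (and the dynamic loader) that ldd reports for
# them, keeping the original paths so each program finds its libraries at
# the same locations after chroot().
#
# Usage (the chroot and OpenSSH paths are assumptions; adjust for your build):
#   sh populate-chroot.sh /srv/chroot/alice \
#       /usr/libexec/openssh/sftp-server /usr/bin/scp /bin/sh

# Print the absolute paths of the shared objects a binary needs, one per line.
# ldd prints "libc.so.6 => /lib/libc.so.6 (0x...)" for libraries and
# "/lib64/ld-linux-x86-64.so.2 (0x...)" for the loader; "linux-vdso.so.1",
# "statically linked" and "=> not found" carry no path and are skipped.
needed_libs() {
    ldd "$1" 2>/dev/null | awk '
        /=>/ && $3 ~ /^\// { print $3 }
        $1 ~ /^\// && !/=>/ { print $1 }'
}

# Copy a single file into the tree at the same path, creating directories.
# cp follows symlinks, so "libc.so.6 -> libc-2.31.so" lands as a regular file
# under the name the loader will look for.
copy_into() {
    root=$1 path=$2
    mkdir -p "$root$(dirname "$path")"
    [ -e "$root$path" ] || cp "$path" "$root$path"
}

# Copy one executable plus everything ldd says it links against.
copy_with_libs() {
    root=$1 bin=$2
    [ -x "$bin" ] || { echo "not an executable: $bin" >&2; return 1; }
    copy_into "$root" "$bin"
    needed_libs "$bin" | while read -r lib; do
        [ -f "$lib" ] || continue
        copy_into "$root" "$lib"
    done
}

# List the libraries a binary needs that are still absent from the tree.
# Empty output means the program has everything ldd knows about.
missing_in_chroot() {
    root=$1 bin=$2
    needed_libs "$bin" | while read -r lib; do
        [ -e "$root$lib" ] || echo "$lib"
    done
}

# Populate the tree rooted at $1 with the programs named in the remaining args.
install_into_chroot() {
    root=$1; shift
    for bin in "$@"; do
        copy_with_libs "$root" "$bin" || return 1
    done
}

# Run only when invoked with a chroot root and at least one program.
if [ $# -ge 2 ]; then
    install_into_chroot "$@"
fi
```

Two caveats a practitioner will hit: ldd only sees libraries linked at build time, so anything loaded with dlopen() at run time (NSS modules behind getpwnam(), PAM modules) has to be copied by hand, and an interactive shell will also expect /etc/passwd, /etc/group and /dev/null inside the tree. Copies also go stale on every package upgrade, so rerun the script after patching the host.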