making openssh work with chroot()'ed accounts?
James Ralston
qralston+ml.openssh-unix-dev at andrew.cmu.edu
Wed Sep 19 16:06:52 EST 2001
On Tue, 18 Sep 2001, Damien Miller wrote:
> On Mon, 17 Sep 2001, James Ralston wrote:
>
> > If sshd always calls do_pam_session(), which will ensure that
> > pam_chroot will always run
>
> Have you checked CVS head?
I hadn't, but I see now that this change was already made. I built
from the latest snapshot, and indeed, no matter how I connect
(ssh/scp/sftp), sshd opens a PAM session (which causes pam_chroot.so
to load), which is exactly what I wanted. Yay!
> Not everyone uses PAM.
True, but that doesn't mean that PAM isn't the most appropriate place
to implement chroot() restrictions et al. on systems that have PAM.
BTW, since I was building on Redhat, I examined the patches that they
apply while building openssh. The comment on this one was "remove a
redundant call to pam_limits":
--- contrib/redhat/sshd.pam-7.x.redhat Sun Feb 11 17:34:17 2001
+++ contrib/redhat/sshd.pam-7.x Tue Sep 18 14:29:45 2001
@@ -4,5 +4,4 @@
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
-session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so
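Review bot: the justification for dropping the `-session required /lib/security/pam_limits.so` line rests on the remaining `session required /lib/security/pam_stack.so service=system-auth` entry already running pam_limits, but nothing in this hunk shows the system-auth session stack, so the dependency should be stated in the patch description (and the system-auth file checked on the build host). If system-auth does not carry pam_limits in its session phase, this change silently stops applying resource limits to ssh logins rather than removing a redundancy.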
They also patched ssh-add so that when given no keyfiles, it attempts
to load every keyfile it can find. If you want that one, let me know.
--
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA