Testing wanted: OpenSSH 4.8

Jan-Frode Myklebust janfrode at tanso.net
Fri Mar 14 22:25:33 EST 2008


On 2008-03-13, Damien Miller <djm at mindrot.org> wrote:
>
> The highlights of this release are:
>
>   * Added chroot(2) support for sshd(8), controlled by a new option
>     "ChrootDirectory". Please refer to sshd_config(5) for details, and
>     please use this feature carefully. (bz#177 bz#1352)

I miss some documentation on this feature...

It seems to require:

	UsePrivilegeSeparation no

and maybe it's strongly advisable to also use:

	AllowTcpForwarding no
	X11Forwarding no
	PermitUserEnvironment no
	# and more ?

Here's my current config. Any comments on other things that should be
set for a safe chrooted sftp-server?

	Protocol 2
	PermitRootLogin no
	StrictModes yes
	IgnoreRhosts yes
	PasswordAuthentication no
	PermitEmptyPasswords no
	ChallengeResponseAuthentication no
	AllowTcpForwarding no
	X11Forwarding no
	PrintMotd yes
	PrintLastLog yes
	UsePrivilegeSeparation no
	PermitUserEnvironment no
	PidFile /var/run/sshd-external.pid
	PermitTunnel no
	Banner no
	Subsystem       sftp    internal-sftp
	ChrootDirectory /var/empty/sshd-external-chroot/
	ForceCommand internal-sftp
	AllowGroups chroot_users
	Match group chroot_users
		ChrootDirectory /var/ftp/%u



  -jf
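
Added example, not part of the original message and not OpenSSH code: a small Python audit that resolves which sshd_config settings apply to members of one group (first value per keyword wins, a matching Match block overrides the global section) and reports which of the restrictions named in the post are missing. The function names, the sample config and the group "staff" are assumptions made for illustration; only "Match Group" criteria are understood, and sshd's built-in defaults are not modelled.

```python
# Added example: audit sshd_config text for the restrictions named in the post.
REQUIRED = {  # must be set explicitly; sshd's built-in defaults are not modelled
    "allowtcpforwarding": "no",
    "x11forwarding": "no",
    "permituserenvironment": "no",
    "forcecommand": "internal-sftp",
}

SAMPLE = """\
# constructed sample, not the poster's config
AllowTcpForwarding no
Subsystem sftp internal-sftp
Match Group chroot_users
    ChrootDirectory /var/ftp/%u
    AllowTcpForwarding yes
"""

def parse(text):
    """Return (global_opts, [(groups, opts), ...]); first value per keyword wins."""
    glob, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":  # simplification: only "Match Group a,b" is understood
            crit = value.split()
            groups = crit[1].split(",") if len(crit) == 2 and crit[0].lower() == "group" else []
            current = {}
            blocks.append((groups, current))
        else:
            (glob if current is None else current).setdefault(key, value)
    return glob, blocks

def effective(text, group):
    """Options seen by a member of `group`: matching Match blocks override globals."""
    glob, blocks = parse(text)
    opts = {}
    for groups, block in blocks:
        if group in groups:
            for k, v in block.items():
                opts.setdefault(k, v)
    for k, v in glob.items():
        opts.setdefault(k, v)
    return opts

def audit(text, group):
    """List the required restrictions that are unset or wrong for `group`."""
    opts = effective(text, group)
    findings = [f"{k}: want '{want}', found '{opts.get(k, '<unset>')}'"
                for k, want in REQUIRED.items() if opts.get(k, "").lower() != want]
    if opts.get("chrootdirectory", "none").lower() == "none":
        findings.append("chrootdirectory: not set for this group")
    return findings
```

In the sample, the Match block re-enables TCP forwarding for exactly the accounts that are meant to be confined, which a check of the global section alone would miss.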


