Openssh5 Chrootdirectory ?!

I'm from Paris!
I've installed the new OpenSSH 5.0! ... I just discovered chroot; I
read many howtos on how chroot works. There are many howtos about how
to get a new shell within a chrooted environment, but none with
the new OpenSSH!
I would like to know if someone could help me implementing bash within
this jail!
I've already managed to use sftp, and my user is well chrooted in his
home directory!

Well ... if anyone can show me the way ... (:


Re: Openssh5 Chrootdirectory ?!

Welcome to the land of philosophy and unsupported features. There have been a
number of patches to OpenSSH published to support this, but the maintainers
have *NEVER* accepted them into the main codeline. It's not trivial to set up:
you need to add the patches, which typically involves setting a user's home
directory to use a '/./' to designate where the root of the chroot cage goes,
and install a small environment there, capable of actually running SSH
binaries. It's not supported in OpenSSH, previous discussions have shown that
it never *will* be supported unless there's a big change in the set of
maintainers or their coding practices, and

This is precisely why I tell people who need a secure file-transfer repository
to simply use WebDAV over HTTPS. If you really need chroot for OpenSSH, there
are a number of guidelines on how to set it up. The set at seems quite legible.

Re: Openssh5 Chrootdirectory ?!


Although they did refuse the chroot patch for a very long time even if a
lot of people asked, since OpenSSH 4.9 it does have chroot.

Relevant bits from the OpenSSH 4.9 release notes:

New features:

  * Added chroot(2) support for sshd(8), controlled by a new option
    "ChrootDirectory". Please refer to sshd_config(5) for details, and
    please use this feature carefully. (bz#177 bz#1352)
  * Linked sftp-server(8) into sshd(8). The internal sftp server is
    used when the command "internal-sftp" is specified in a Subsystem
    or ForceCommand declaration. When used with ChrootDirectory, the
    internal sftp server requires no special configuration of files
    inside the chroot environment. Please refer to sshd_config(5) for
    more information.
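The ChrootDirectory plus internal-sftp setup those release notes describe, as an added sshd_config excerpt that is not part of the original thread; the group name "sftponly" and the /srv/sftp path are assumptions.

```conf
# sshd_config excerpt (OpenSSH 4.9 and later). Assumes a group named
# "sftponly" and per-user jails under /srv/sftp/<user>. The %u token
# expands to the authenticated user name.
#
# sshd refuses the login unless every path component of the chroot
# (/, /srv, /srv/sftp, /srv/sftp/<user>) is owned by root and is not
# group- or world-writable, so give users a root-owned jail with a
# writable subdirectory (for example /srv/sftp/<user>/upload) inside it.
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

With ForceCommand internal-sftp nothing has to exist inside the jail, because the sftp server runs inside sshd itself. Giving a user bash instead means dropping ForceCommand and populating the chroot with the shell, its shared libraries and the device nodes a session needs (such as /dev/null, /dev/zero and the /dev/std* nodes), which is exactly the extra setup the internal sftp server avoids.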

Re: Openssh5 Chrootdirectory ?!

Hugo Villeneuve wrote:

*GREAT*. I'm going to have to try this, although I'm dealing with RHEL, not
Fedora right now. If it's effective, it might be coupled with Subversion
services, which suffer in security terms from using local file systems (which
requires local shell), svn+ssh (which had the lack of chroot security issues
in spades), or HTTP/HTTPS (which store your Subversion password in local
clear-text, at least for Subversion source-code built command line clients).

That mess left a very bad taste in my mouth for the 'your server should be
safe against local users!!!' approach to securing services.

Now, if I can find a decent GUI to allow management of a set of SSH keys for a
shared account for services such as Subversion 'svn+ssh' tunneling, I'll be
cooking with gas.
