Restrict Directory Access

Hi everyone,

I'm using SSH (Cygwin OpenSSH) to forward some ports from one machine
A to another machine B, and I would like to forbid someone on A to
have access to the whole directory structure on B. I would actually
like to restrict the access to one directory (jail).

I tried to make a chroot in ~.ssh/rc and also in /etc/sshrc: even
though I copied the necessary files (the ones asked for) to the target
directory this does not seem to work...

Can anyone help me?

Thanks in advance,

Re: Restrict Directory Access

I would like to add the following: If I put such a command in let's
say /etc/sshrc:
chroot "/home/jail"
I get this message:

It seems chroot exits by itself... What is going on? How can I solve
this problem, and then is there a way to forbid the user from exiting

Any help appreciated.


Re: Restrict Directory Access

Setting up chroot jails for OpenSSH is..... painful. There's no code in the
main codeline to do it, and you'll need to apply the patches from There are also some packages there for building
chroot jails. The "give the user a chroot login shell script" tools used by are, frankly, amazingly stupid and evidence that every competent
programmer involved in actually creating SSH left the building years ago
because no one competent would pretend that a shell script used this way can
be secured.

If you're in the Windows world, or in a world where the users can use some
of the nicer modern GUIs, you might consider using WebDAV on top of Apache
with SSL to provide read/write access to a restricted directory. I'm doing
so quite successfully to avoid the passwords-in-the-clear problem of FTP,
and for sites whose FTP proxies block their access to the FTP site.

Re: Restrict Directory Access

Thanks very much Nico, I managed to do what I wanted with your help.

I compiled the patched source tarball available at on cygwin, and I can now keep my users in
cages. I also use RSA auth and port forwarding: everything works


Re: Restrict Directory Access

Richard wrote:

Nya-ha-ha! Keeps nasty little users in *cages*, yes we does! Lets 'em out
for sport, moo-ha-ha-ha!

Excuse me, it's been a long couple of months. My boss is retiring suddenly,
and we need a new senior sysgeek/manager rather badly. Anyone know really
competent ones in the Boston area looking for work they can send my way? The
pickings have been..... odd. Some good, some ridiculously under-qualified,
but people who are both technically proficient and managerially skilled are
fairly rare, most of that sort have already found work in the technical
field pick of the last year or retired, and I absolutely don't want the job.
