I have a RedHat 6.0 x86 server which is serving a number of minor things, which I wish to add shell access to.

I'm currently running sshd and am quite happy with it, the exception being that I am unable to make sshd perform a chroot for shell account users.

I have been reading man pages and howto's, many of which discuss sshd or chroot, but never the two together.

Is this not an option? Or am I missing the point?

Mike.

I did something similar with telnetd by hacking login to accept an option that specified a directory to chroot to and specifying it via telnetd "-L" option. I suppose the same thing would work with ssh if you compiled with the "--with-login" option. Let me know if you'd like the (admittedly trivial) patch for login.c.

Dave LaPorte

-----Original Message-----
From: Mike Bowie [mailto:mike@goforgold.com]
Sent: Wednesday, April 19, 2000 3:51 PM
To: linux-security@redhat.com
Subject: [linux-security] ssh and chroot...

I have a RedHat 6.0 x86 server which is serving a number of minor things, which I wish to add shell access to.

I'm currently running sshd and am quite happy with it, the exception being that I am unable to make sshd perform a chroot for shell account users.

I have been reading man pages and howto's, many of which discuss sshd or chroot, but never the two together.

Is this not an option? Or am I missing the point?

Mike.

Mike Bowie wrote:
: I have a RedHat 6.0 x86 server which is serving a number of minor things, which I wish to add shell access to.
:
: I'm currently running sshd and am quite happy with it, the exception being that I am unable to make sshd perform a chroot for shell account users.
:
: I have been reading man pages and howto's, many of which discuss sshd or chroot, but never the two together.
:
: Is this not an option? Or am I missing the point?

I think the most trivial option would be to use the "UseLogin yes" in sshd_config. /bin/login can handle chroot well, AFAIK. OTOH you will lose the RSA authentication ability then.

The more clean, but hard way would be to extend the sshd-pam patch to allow chroot.

-Yenya

--
\ Jan "Yenya" Kasprzak <kas at fi.muni.cz> http://www.fi.muni.cz/~kas/
\\ PGP: finger kas at aisa.fi.muni.cz 0D99A7FB206605D7 8B35FCDE05B18A5E //
\\\ Czech Linux Homepage: http://www.linux.cz/ ///
\\\\ I could be wrong, of course. But I'm never wrong. -Linus ////
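
As an added illustration (not code from any poster in this thread, and not the login.c patch mentioned above), this C sketch shows the order of operations a chroot-on-login wrapper has to get right before handing the user a shell. The helper names `jail_mode_ok` and `enter_jail`, the jail ownership policy and the `JAIL_DIR USER` command line are assumptions of this example.

```c
#define _DEFAULT_SOURCE 1 /* chroot() and setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy assumed for this example: the jail root must be a directory owned
 * by root and not writable by group or other, so the confined user cannot
 * replace files inside it that privileged code might later trust. */
int jail_mode_ok(const struct stat *st) {
    return S_ISDIR(st->st_mode) && st->st_uid == 0 &&
           (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Hypothetical helper: enter the jail, then drop privileges for good.
 * Returns 0 on success, -1 with errno set on any failure. */
int enter_jail(const char *jail, uid_t uid, gid_t gid) {
    struct stat st;
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* root can leave a chroot */
    if (chdir(jail) != 0 || stat(".", &st) != 0) return -1;  /* check the dir we are in */
    if (!jail_mode_ok(&st)) { errno = EPERM; return -1; }
    if (chroot(".") != 0) return -1;         /* requires root */
    if (chdir("/") != 0) return -1;          /* cwd must sit inside the new root */
    if (setgroups(0, NULL) != 0) return -1;  /* clear supplementary groups first */
    if (setgid(gid) != 0) return -1;         /* group before user, while still root */
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; } /* the drop must be irreversible */
    return 0;
}

int main(int argc, char **argv) {
    struct passwd *pw;
    /* Look the account up before chroot: /etc/passwd may not exist in the jail. */
    if (argc != 3 || (pw = getpwnam(argv[2])) == NULL) {
        fprintf(stderr, "usage: %s JAIL_DIR USER\n", argv[0]);
        return 2;
    }
    if (enter_jail(argv[1], pw->pw_uid, pw->pw_gid) != 0) {
        perror("enter_jail");
        return 1;
    }
    execl("/bin/sh", "-sh", (char *)NULL); /* resolves to /bin/sh inside the jail */
    perror("execl");
    return 1;
}
```

The jail directory needs its own /bin/sh and whatever libraries that shell links against, since nothing outside the new root is reachable after the chroot call.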