I've been trying to get openssh to play nicely with chroot()'ed
accounts (on Red Hat Linux 7.1), but so far, I haven't had much
success.
I can stick this line in /etc/pam.d/sshd:
session required /lib/security/pam_chroot.so debug onerr=fail
For slogin, this works great. But scp and sftp don't apply the
chroot, because they don't invoke do_pam_session().
Even worse, I can't disable sftp access for chroot()'ed accounts
without disabling it for everyone. (Using the "command" option in the
authorized_keys2 file will break scp, but sftp will still work.)
I looked at Ricardo Cerqueira's contrib/chroot.diff patch. However,
it only seems to apply to pam sessions. Even if that weren't the
case, the "/./" hack won't permit me to locate the user's
~/.ssh
directory (the one that matters; not the one the user sees after the
chroot() call has taken place) in a place where they don't have access
to it.
Is there some easy way to get openssh to work with chroot()'ed
accounts? Something I've missed, perhaps?
Assuming I haven't overlooked something, I was considering adding a
"ChrootConfig" option to the sshd_config file. E.g.:
ChrootConfig /etc/security/chroot.conf
This would function in the same way as pam_chroot (each line in the
file is of the form "username directory", where "username"
is a
regular expression, and "directory" is the directory to which to
chroot() if the regular expression matches. The chroot() call would
occur just before the setuid/setgid calls.
Thoughts?
--
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA