Good Morning All,

Attached is a full patch [or so I hope] enabling chroot support for sshd. I know varied opinions about chroot exist among the masses; however, I continue to believe that until something far outside the scope of openssh tackles the sandbox issue, the role of enforcer will continue to be with the daemon.

This patch is based on a previous work by John Furman as well as Eric Johnson. I've been sitting on this for a month or two and have been running it successfully for about the same amount of time.

This patch assumes:

- The ~username/chome directory exists with owner uid=root,gid=root [the directory name is configurable via sshd_config].
- A proper jail has been set up underneath.

Unfortunately, syslogin_perform_logout is broken, as I'm not sure how to handle this [securely] as after the chroot, the file is no longer accessible.

This patch does work with privilege separation. This patch requires a binary for scp/sftp-server to be in the proper locations in each jail as well. You can chrootAll with exceptions or chroot none with a list of chroot'ed users.

If you're concerned with scp/sftp only, rssh is still your solution. [http://www.pizzashack.org/rssh]

A web page with the patch is also available: http://majikal.dyn.dhs.org/projekts/openssh_chroot_patch/

Problems/Complaints/Suggestions/Additions can be sent to me at this address.

Cheers,
nick

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: chroot.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030103/6ef03ef4/attachment.ksh
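
The preconditions listed in the message above (jail directory owned by uid=root,gid=root, scp/sftp-server binaries present inside each jail) can be audited per jail before a user is chrooted into it. The script below is an added example, not part of the original post or of the patch; the function name, the EXPECT_UID/EXPECT_GID overrides, the group/other-writable check and the binary paths passed by the caller are assumptions.

```sh
#!/bin/sh
# Added example (not from the patch): audit one jail directory against the
# preconditions stated in the message. Function name, EXPECT_UID/EXPECT_GID
# and the binary paths passed by the caller are assumptions.

# check_jail JAIL_DIR [BINARY_PATH_RELATIVE_TO_JAIL ...]
# Prints one line per finding; returns 0 if every check passes, else 1.
check_jail() {
    jail=$1; shift
    want_uid=${EXPECT_UID:-0}    # message: owner uid=root
    want_gid=${EXPECT_GID:-0}    # message: owner gid=root
    rc=0

    # Refuse symlinks: the link could be repointed outside the root-owned tree.
    if [ -L "$jail" ] || [ ! -d "$jail" ]; then
        echo "FAIL $jail: not a real directory"
        return 1
    fi

    # ls -ldn prints the mode string, then link count, numeric uid, numeric gid.
    meta=$(ls -ldn "$jail")
    mode=$(printf '%s\n' "$meta" | awk '{print $1}')
    uid=$(printf '%s\n' "$meta" | awk '{print $3}')
    gid=$(printf '%s\n' "$meta" | awk '{print $4}')

    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "FAIL $jail: owner $uid:$gid, expected $want_uid:$want_gid"
        rc=1
    fi

    # Extra check beyond the message: a group- or world-writable jail root
    # lets a non-root account replace what sits directly under it.
    case $mode in
        d????w*|d???????w*) echo "FAIL $jail: mode $mode is group/other writable"; rc=1 ;;
    esac

    # The message requires scp/sftp-server binaries inside each jail.
    for rel in "$@"; do
        if [ ! -f "$jail/$rel" ] || [ ! -x "$jail/$rel" ]; then
            echo "FAIL $jail/$rel: missing or not executable"
            rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "OK   $jail"
    return "$rc"
}

# Usage: sh check_jail.sh /path/to/jail relative/path/to/sftp-server ...
if [ "$#" -gt 0 ]; then check_jail "$@"; fi
```

The message does not say where the binaries live inside the jail, so the relative paths are supplied by the caller to match the local layout.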