search for: chrootdirectory

Under "ChrootDirectory" there is a line that says, "This path, and all its components, must be root-owned directories that are not writable by any other user or group." When I first read this "all its components" seemed to mean that all directories and files within this directory must be root o...

Hello, First, a big thank you to the OpenSSH devs. _ /Problem Summary:/ _ Chroot and SELinux don't get along. This affects both the new (official) ChrootDirectory feature, as well as the older (3rd party) patch at http://chrootssh.sourceforge.net/. _ /History and repro:/ _ On March 21, 2008, Alexandre Rossi posted to this list with the subject: "*ChrootDirectory fails if compiled with SELinux support (whether or not using SELinux)*", and...

Hello, I'm aware of the fact that ChrootDirectory requires that the target directory is root-owned, and I think I've mostly understood why that is necessary, at least within the context of someone who has full shell access. However, I am wondering if that possibility for privilege escalation still exists with a configuration like this: Match...

Hello, I've tried many places, finally ending up here to ask my question: why is it so vital that the directory used with the ChrootDirectory directive is root-owned? Like many people I'm trying to use this in a webhosting environment where several users get sftp-only access to some directory, usually something like /home/user/web/part-of-website. I can be sure that there are no setuid binaries in /home, so that rules out some poss...

https://bugzilla.mindrot.org/show_bug.cgi?id=2289 Bug ID: 2289 Summary: arandom(4) as documented in sshd_config(5)?s ChrootDirectory option does not exist on all platforms Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: All Status: NEW Severity: enhancement Priority: P5 Component: Documentation Assignee: unassigned-bug...

https://bugzilla.mindrot.org/show_bug.cgi?id=1574 Summary: trailing white space on Forced Command within ChrootDirectory causes failure Product: Portable OpenSSH Version: 5.1p1 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org ReportedBy: b...

https://bugzilla.mindrot.org/show_bug.cgi?id=1564 Summary: non-accessible user's home directory not reported when ChrootDirectory=none Product: Portable OpenSSH Version: 5.2p1 Platform: All OS/Version: Solaris Status: NEW Severity: normal Priority: P3 Component: sshd AssignedTo: unassigned-bugs at mindrot.org ReportedBy: Jan.Pecha...

Hi, This is either a query or a feature request. I have a system where sftp users are chrooted using scponly, which while requiring much more setup than OpenSSH's internal-sftp method, has the useful feature of allowing an initial chroot to a subdirectory, typically the one used for file exchange. I've searched for a way to do the same thing with OpenSSH. So far haven't found it. If

https://bugzilla.mindrot.org/show_bug.cgi?id=2036 Priority: P5 Bug ID: 2036 Assignee: unassigned-bugs at mindrot.org Summary: Add %g user group name parameter for ChrootDirectory Severity: enhancement Classification: Unclassified OS: Linux Reporter: sue at pennine.com Hardware: ix86 Status: NEW Version: 6.0p1 Component: Miscellaneous Product: Portable OpenSSH Created attachment 218...

Hi, (please CC me as I'm not subscribed to the list) If compiled with SELinux support, OpenSSH 4.8 current cvs fails for accounts where the new ChrootDirectory option is active : debug1: PAM: establishing credentials debug3: PAM: opening session debug2: User child is on pid 1695 debug3: mm_request_receive entering debug1: PAM: establishing credentials debug3: safely_chroot: checking '/' debug3: safely_chroot: checking '/home/' debug3: saf...

Hi, According to the sshd_config manual page the option ChrootDirectory can be used to force a chroot:ed environment for the SSHD server. But as I understand the manual page this is a global setting and it is not possible to specify this per SSH subsystem. We are building a system where we need users to be able to log on from remote machines via SSH, but with the twea...

...tion and login works. I can change directories and put/get files. Also logging of the internal sftp-process works (created a /dev/log socket inside the chroot). As soon as I use the 'ls' command, nothing happens and the the process gets stuck. Listing files does work as soon as I remove the chrootdirectory directive. Configuration details: >From the end of the /etc/ssh/sshd_config: Subsystem sftp internal-sftp Match User p16012 ChrootDirectory /srv/www/xxxxx.de ForceCommand internal-sftp -l VERBOSE -f LOCAL6 I have created an additional socket for the rsyslog deamon insid...

https://bugzilla.mindrot.org/show_bug.cgi?id=1726 Summary: ChrootDirectory doesn't work with SE Linux Product: Portable OpenSSH Version: 5.3p1 Platform: Other URL: http://bugs.debian.org/556644 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd...

...And introducing another subfolder, would totaly mess up the directory structure of the webspace, since the user might only decide later on to add a new (S)FTP Account. So I would have to move around his directories. As I see it, in my case the only option would be to let the user write in his ChrootDirectory. I did read that this has some security implications, but maybe there is a way to work them out or somebody has a different proposal for my problem. I hope I didn't express myself to complicated. If so, feel free to ask for clarification! Any pointers are appreciated! Regards, Samy

I see that there is a new sshd_config in the latest updates. Since I have altered the original file, this one got installed as .rpmnew It has two changes: > #AddressFamily any So does this make it default to IPv4 only? > #ChrootDirectory none Chroot is now an option for SSH?

Sent from my iPhone Begin forwarded message: > From: Sue Spence <sue at pennine.com> > Date: 13 August 2012 08:02:08 GMT+01:00 > To: "susan.spence" <susan.spence at db.com> > Subject: ssh > >

...tion, in practice a single directory. The idea would be to allow file access to this directory with a passwordless public key, but keep rest of the users file accessible only with another, supposedly more secure key. I found a way to do this by running a separate sshd on a different port with 'ChrootDirectory /some-dir' and 'ForceCommand internal-sftp' configuration variables, but running two sshds is rather inelegent. Is there a way to force this kind of configuration to only some keys? If not, could the Match keyword be extended to match only certain keys, or even better, could a 'chro...

What is the intended behavior of the internal-sftp server when looking to resolve identity information for user via the nsswitch configured mechanisms? I am seeing different behavior between two packaged versions and am looking to understand what should be expected. Scenario: Utilizing a developed directory services plugin (dsplug), "ls" access on the sftp session fails with the

Hi I'm using Centos 5 with Openssh-5.0p1 installed (and OpenSSL 0.98b and Zlib 1.2.3-3). I've managed to get a chroot'd SFTP session using ChrootDirectory and the new built-in SFTP subsystem. However, when I use SSH to connect to the same account the session hangs rather than closing the connection. This happens whether or not I use /sbin/nologin /bin/false or even /bin/sh as the shell. I can chroot to the home directory as root and access th...

...d-bugs at mindrot.org ReportedBy: ombugr at mayoxide.com I'm reporting a problem that I've seen a few times by googling, and there doesn't seem to be a bug report on this yet. When setting up an SFTP-only server, Damien suggested in the OpenBSD journal to use a combination of ChrootDirectory and ForceCommand like this. I've added the sftp subsystem as well since it's required. Subsystem sftp internal-sftp ForceCommand internal-sftp ChrootDirectory /chroot The previous settings work well as documented. However, since internal-sftp doesn't do any logging by default, to ena...