Hi,

ssh v2.2.x comes with a utility called ssh-chrootmgr which is able to prepare certain accounts for chroot'ing. Also included is the ssh-dummy-shell, which can be used as a replacement for the normal login shell; shell access is not possible with this dummy-shell, but sftp/scp connections are (which is perfect for my needs).

The problem with chroot'ing ssh is that you will need a statically built version of ssh in the chroot environment; the usual ssh 2.0.x will *not* be statically built by default. "Classical" chroot'ing to a subdirectory with the appropriate libs, binaries and directories works with a normal ssh shell connection but not with sftp/scp (for file transfers).

For more information consult the ssh2-adminguid.pdf (chapter 3.6), which can be downloaded from www.ssh.fi.

Regards,
Boris

--- On 21-Nov-00 Stiefenhofer, Marek ECOFIS wrote:
How to chroot standard login users:
You need a program as login shell, that does the following:
1.) Checks if called as login, else exits
2.) checks if UID=0 (big security hole?!)
3.) calls CHROOT
4.) sets UID back to normal
5.) calls a standard shell
I've found a little C program that implements all of these features except 1.) here: http://www.phirate.ethos.co.nz/dev/srsh/
Maybe someone will have a look at this and check if the UID=0 part offers standard users possibilities to break into a root shell or something similar...
Marek Stiefenhofer
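An added example (written for this page; it is not the srsh program linked above nor code from anyone in the thread) of the five-step login-shell wrapper Marek describes, in C. It assumes it is installed as the user's login shell with mode 4755 and owned by root, that each home directory is root-owned and not group/world writable, and that /bin/sh and its libraries exist inside the home directory. Beyond the five steps it also drops supplementary groups, verifies that root cannot be regained, and starts the shell with a clean environment, since those are the points where a "UID=0" wrapper usually goes wrong.

```c
/* Constructed example of a setuid-root chroot login shell (not srsh). */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 1: login(1) and sshd start a login shell with a leading '-' in argv[0]. */
int called_as_login(const char *argv0)
{
    return argv0 != NULL && argv0[0] == '-';
}

/* The jail directory must be root-owned and not writable by group/others;
 * otherwise the user could replace files inside the jail before the chroot. */
int jail_dir_is_safe(const struct stat *st)
{
    return S_ISDIR(st->st_mode) && st->st_uid == 0
        && (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

int main(int argc, char **argv)
{
    uid_t uid = getuid();                 /* real uid of the logging-in user */
    struct passwd *pw = getpwuid(uid);
    struct stat st;
    char *env[] = { "HOME=/", "PATH=/bin:/usr/bin", NULL }; /* clean environment */
    (void)argc;

    if (!called_as_login(argv[0])) return 1;
    /* Step 2: we must be running setuid root (chroot needs it), and we refuse
     * to jail root itself, because a root process can escape a chroot. */
    if (geteuid() != 0 || uid == 0) return 1;
    if (pw == NULL || stat(pw->pw_dir, &st) != 0 || !jail_dir_is_safe(&st)) return 1;
    /* Step 3: chdir first so the cwd does not stay outside the new root. */
    if (chdir(pw->pw_dir) != 0 || chroot(pw->pw_dir) != 0) return 1;
    /* Step 4: drop privileges in the right order: groups, gid, then uid. */
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 || setuid(uid) != 0) return 1;
    if (setuid(0) == 0) return 1;         /* must fail: root is gone for good */
    /* Step 5: exec a normal login shell inside the jail. */
    execle("/bin/sh", "-sh", (char *)NULL, env);
    perror("execle");                     /* only reached if the exec failed */
    return 1;
}
```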
-----Original Message-----
From: Stiefenhofer, Marek ECOFIS
Sent: Monday, 20 November 2000 12:19
To: 'Gerd Bitzer'; 'suse-security@suse.com'
Subject: Re: [suse-security] Chroot ssh login

I know, but that's not sufficient. rbash does not prevent you from accessing files below your home directory, like: ls ~/../../etc
-----Original Message-----
From: Gerd Bitzer [mailto:gerd.bitzer@tesion.de]
Sent: Monday, 20 November 2000 12:13
To: Stiefenhofer, Marek ECOFIS
Subject: Re: [suse-security] Chroot ssh login

Maybe there's also another interesting possibility, so-called restricted shells. The user is then limited to their own home directory; as far as I know, e.g. bash supports this mode with "bash -r". Maybe other shells also have this feature.
"Stiefenhofer, Marek ECOFIS" wrote:
Hi,
I want to chroot user logins via telnet/ssh to their home directory. I guess this is a standard procedure, but I'm sort of stuck. I can't chroot the login shell of a standard user - only root can chroot.
Examples would be appreciated...
Kind regards,
Marek Stiefenhofer [...]