Re: rssh / scponly

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On 28.3.2011 05:53, Tom Diehl wrote:

> According to
> https://bugzilla.redhat.com/show_bug.cgi?id=440240 and
> http://rhn.redhat.com/errata/RHSA-2009-1287.html the ability to chroot was
> backported into rhel/centos 5 back in 2009-09-02.
> 
> In addition sshd_config(5) says the following:
> 
> Subsystem
>      Configures an external subsystem (e.g., file transfer daemon).
>      Arguments should be a subsystem name and a command (with optional
>      arguments) to execute upon subsystem request.
> 
>      The command sftp-server(8) implements the sftp file transfer subsystem.
>      Alternately the name internal-sftp implements an in-process sftp server.
>      This may simplify configurations using ChrootDirectory to force a different
>      filesystem root on clients.
> 
>      By default no subsystems are defined. Note that this option applies to
>      protocol version 2 only.
> 
> http://undeadly.org/cgi?action=article&sid=20080220110039 might be useful in
> setting this up.

Yes, it is possible to chroot with stock openssh in recent CentOS !

1. Unfortunately the Match directive is not backported, so the only
possibility is to chroot all users including root.
2. The chroot is not restricted to sftp. ssh is chrooted also.
3. All users are chrooted including root

I am aware of 2 possible methods to workaround this limitations:

Configure 2 ssh daemons, one chrooted for sftp and one default. The
chrooted sshd has to listen on another ip or port.

Or, alternatively (only one sshd needed)
ChrootDirectory %h
and change home for root to / (sounds nasty and it is ;-)

However you do it, the directory given to ChrootDirectory has to be
read-only for normal users. If it were writable the user could
manipulate the content of the chroot. Write access has to be restricted
to a subdirectory of ChrootDirectory.

-- 
Kind Regards, Markus Falb

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux