On Wed, Feb 3, 2010 at 9:26 AM, James B. Byrne <byrnejb@xxxxxxxxxxxxx> wrote:
> Thank you very much for the information for I was not aware of this.
> On Wed, February 3, 2010 09:48, Ned Slider wrote:
>> James B. Byrne wrote:
>>> Note: I am digest subscriber so if you could copy me directly on
>>> any reply to the list I would appreciate it very much.
>>>
>>
>> <snip>
>>
>>> After a modest amount of research we decided that the
>>> best answer was to use a more recent version of OpenSSH
>>> (5.3p1) that supports chroot as a configurable option.
>>>
>>
>> I've not tested it, but I believe the chroot stuff was backported
>> some while ago:
>>
> Unfortunately, having tested the CentOS stock sshd server I discover
> that this back-port is very similar to that of the sftponly hack of
> several years ago. It is not the configurable chroot of
> OpenSSH-5.3. To begin with, it very much appears from the
> documentation as if this is an all or nothing setting; if it is on
> then all ssh users are chrooted. Further, to use this feature with
> interactive sessions one must copy all of the requisite system
> utilities into directories under the chroot directory.
> (For an interactive session this requires at least a shell,
> typically sh(1), and basic /dev nodes such as null(4), zero(4),
> stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices.)
> This is not a viable alternative since the system is remotely managed.
You mention two problems:
1. "all or nothing setting"
2. "copy all of the requisite system utilities"
As for #1, you could run two separate SSH daemons (using different
ports), so that only 1 has the chroot option. Here's a discussion about
how to run two separate SSH daemons:
http://www.DaleDellutri.com/prog.html
As for #2, I don't understand how the fact that the system is remotely
managed makes copying the files "not a viable alternative". Do you
not have root access to the server? (I'm not criticising, I simply don't
understand.)
> So, I am left still seeking answers to my original questions.
> disabling selinux support in the sshd daemon, to get OpenSSH-5.3
> 1. Is it possible to mount the selinux filesystem twice on the same
> host having different roots?
> 2. If so, then how is this accomplished?
> 3. If not, then is there anything else that I can do, besides
> chroot to work with SELinux?
I am also interested in the answers to these questions.
--
Dale Dellutri
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos