Greetings Nico, > Sent: Monday, June 02, 2014 at 2:49 PM > From: "Nico Kadel-Garcia" <nkadel@xxxxxxxxx> > To: daggs <daggs@xxxxxxx> > Cc: "openssh-unix-dev@xxxxxxxxxxx" <openssh-unix-dev@xxxxxxxxxxx>, "Ángel González" <keisial@xxxxxxxxx> > Subject: Re: sftp session disconnects right after passwd enter > > On Mon, Jun 2, 2014 at 1:17 AM, daggs <daggs@xxxxxxx> wrote: > > > you are both correct, the first bug was that the path given to the binary didn't exists, after changing it to the correct path, I was able to connect without the chrootdirectory defined. > > but it seems that chrootdirectory can be used only with internal-sftp so I've modified it and it works. > > > > I do wonder why chrootdirectory can work only with internal-sftp > > > > thanks to all of the help. > > Chroot cages are tricky. To use the specified binary, the full set of > libraries and "devices" would have to be available in the chroot cage, > at least as implemented in OpenSSH. It's also why the usernames and > group memberships don't show up for the chrooted clients unless there > is a copy of /etc/passwd and /etc/group in the chroot subdirectory > with the relevant user and group entries. The chrooted programs are > really, rally not supposed to be able to reach outside of that chroot > cage for *any* other filesystem based resources. > > It's not an absolute protection: look up "chroot cage breaking" for > examples of how people have historically escaped the cage. But I've > found it to be a useful restriction to prevent casual system browsing > by people I do *not* want looking at other user's home directories or > system contents. > > Unfortunately, I also find the restrictions for SFTP to be burdensome. > To set up multiple chroot cages for multiple users, one has to either > make user specific sshd_config settings, or provide a "shared" top > level root owned chroot cage that breaks the user isolation that is > part of the whole point of chroot cages. That's why I use vsftpd and > FTPS, instead. While it may not be as robustly built as OpenSSH's SFTP > chroot, it's one heck of a lot easier to manage and configure, and can > play very nicely in environments where people also have shell access. > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev@xxxxxxxxxxx > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > I've tried vsftpd but I didn't succeeded in configuring to do what I want (chroot env for a a specific user which connects via sftp by providing key for initial authentication followed by password when the origin is outside of a local lan).\ that is why I decided to go with sftp. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
