Re: sftp session disconnects right after passwd enter

On Mon, Jun 2, 2014 at 7:17 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> On Mon, 2 Jun 2014, Nico Kadel-Garcia wrote:
>
>> Unfortunately, I also find the restrictions for SFTP to be burdensome.
>> To set up multiple chroot cages for multiple users, one has to either
>> make user specific sshd_config settings
>
> that's incorrect
>
> mkdir -p /chroot/user_a/sftp /chroot/user_b/sftp
> chown user_a /chroot/user_a/sftp ; chown user_b /chroot/user_b/sftp
>
> and in sshd_config:
>
> ChrootDirectory /chroot/%u
> Subsystem sftp internal-sftp -d /sftp

Interesting, but it's certainly not in any of the documentation in
the default OpenSSH for RHEL 6 or CentOS 6 which is still at OpenSSH
5.3p1. And it doesn't seem to work on that version. Building and
maintaining a backported OpenSSH system is a lot of work. I've done it
repeatedly, since my first work with SSH version 1 in 1996, and I
don't recommend it for the faint of heart or those without compelling
needs.

I'm also afraid that your command line arguments are vulnerable to
problems with individually set local 'umask' settings. I'd instead be
sure to set the permissions as clearly as possible. Using the Gnu
coreutils based "install" command, I would use:

    id -u user_a && id -g user_a && \
        install -d /chroot/user_a -m 0755 -o root -g root && \
        install -d /chroot/user_a/sftp -m 0700 -o user_a -g user_a

    id -u user_b && id -g user_b && \
        install -d /chroot/user_b -m 0755 -o root -g root && \
        install -d /chroot/user_b/sftp -m 0700 -o user_b -g user_b

And if scripting it, I'd make it report error conditions more
intelligently. I actually just went through this with a test SFTP
server.

I'll look forward to a more recent version of OpenSSH that has the
"-d" option for the "Subsystem sftp internal-sftp" settings.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
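The scripted variant the message above alludes to, as an added example that is not part of the thread or of OpenSSH: a POSIX sh script that creates the per-user cages with explicit mode and ownership via GNU coreutils `install` (so the caller's umask is irrelevant), validates the user name and resolves uid/gid before touching the filesystem, and verifies that the chroot root is not group- or world-writable, which is the condition sshd enforces on `ChrootDirectory`. The `CHROOT_BASE` variable and the helper names are assumptions made here; the layout (`/chroot/%u` with an `sftp` subdirectory) is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): build per-user SFTP chroot cages with
# explicit ownership/mode and report each failure. Assumes GNU coreutils
# install(1) and the layout discussed above:
#   ChrootDirectory /chroot/%u
#   Subsystem sftp internal-sftp -d /sftp
# CHROOT_BASE is a hypothetical knob added here; it defaults to /chroot.

CHROOT_BASE="${CHROOT_BASE:-/chroot}"

# Diagnostics go to stderr; callers decide whether to abort.
warn() {
    printf 'setup_sftp_chroot: %s\n' "$*" >&2
}

# Accept only plain local user names. The name becomes a path component and
# an argument to id/install, so slashes, "." / ".." and leading '-' are refused.
valid_user_name() {
    case "$1" in
        ''|*/*|.|..|-*) return 1 ;;
    esac
    return 0
}

# Return 0 when the "ls -ld" mode string has neither the group nor the other
# write bit set. sshd rejects a ChrootDirectory chain that is writable by
# anyone other than root, regardless of who owns it.
not_group_world_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 1          # path missing or unreadable
    case "$mode" in
        ?????w*)    return 1 ;;         # group write bit (position 6)
        ????????w*) return 1 ;;         # other write bit (position 9)
    esac
    return 0
}

# Create $CHROOT_BASE/<user> (root-owned, 0755) and <user>/sftp (user-owned,
# 0700). Each step reports its own failure instead of relying on the exit
# status of a long && chain.
setup_sftp_chroot() {
    user="$1"
    valid_user_name "$user" || { warn "invalid user name '$user'"; return 1; }
    # Resolve uid/gid first so a typo fails before any directory is created.
    uid=$(id -u "$user" 2>/dev/null) || { warn "no such user: $user"; return 1; }
    gid=$(id -g "$user" 2>/dev/null) || { warn "no primary group for: $user"; return 1; }
    cage="$CHROOT_BASE/$user"
    # install -d sets mode and owner explicitly, so the caller's umask is moot.
    install -d -m 0755 -o root -g root "$CHROOT_BASE" "$cage" \
        || { warn "cannot create root-owned $cage (need root?)"; return 1; }
    install -d -m 0700 -o "$uid" -g "$gid" "$cage/sftp" \
        || { warn "cannot create $cage/sftp for uid $uid"; return 1; }
    not_group_world_writable "$cage" \
        || { warn "$cage is group/world-writable; sshd will refuse it"; return 1; }
    printf 'chroot for %s ready at %s\n' "$user" "$cage"
}

# Script usage (as root): ./setup_sftp_chroot.sh user_a user_b
if [ "$#" -gt 0 ]; then
    status=0
    for u in "$@"; do
        setup_sftp_chroot "$u" || status=1
    done
    exit "$status"
fi
```

The permission check deliberately inspects the final mode rather than trusting the `install` arguments, so a pre-existing directory with the wrong bits is caught too; `id -u` / `id -g` are called once and their output reused, instead of being invoked purely as existence tests.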