
Re: chroot and OpenSSH



On Fri, Aug 03, 2001 at 02:49:54PM -0400, Eirik Dentz wrote:
> I went back to the OpenSSH mailing list and did some more searching
> and it looks like the chroot patch did make it into the Linux
> port. I just downloaded the source and it's in the contrib directory
> distributed with the source code.  I haven't done it yet, but it
> should be just a matter of applying the patch, compiling patched
> source, setting the configuration directive, and adding the
> appropriate /bin and /lib directories to users' home directories.

if you can't get it to work, then you can set the user's shell to
/bin/rbash, which is a restricted bash shell. it won't let them cd
outside their home directory, or change their path, or execute any
programs that aren't in the restricted path.

it's not quite as secure as a chroot (they can still read and write
files anywhere in the filesystem as allowed by permissions), but it's
a lot more convenient to administer and doesn't take as much disk
space (you don't need to copy all the binaries and libraries under the
chroot).

see the bash documentation for details.

craig

-- 
craig sanders <cas@taz.net.au>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
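
Added example, not part of the original message: a script that probes what a restricted bash shell refuses and what it still permits, including reading a file outside the home directory as the reply notes. It assumes bash is installed and that "bash -r" stands in for a login shell of /bin/rbash; the allowed commands (ls, cat), the temporary directories and the helper names make_rbin, probe and demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: probe bash restricted mode with a restricted PATH.
# Assumptions: bash is installed; "bash -r" stands in for /bin/rbash;
# the permitted commands (ls, cat) are a constructed sample policy.

BASH_BIN=$(command -v bash)

# Create a throwaway directory holding symlinks to the only permitted commands.
make_rbin() {
    rbin=$(mktemp -d) || return 1
    for cmd in ls cat; do
        ln -s "$(command -v "$cmd")" "$rbin/$cmd" || return 1
    done
    printf '%s\n' "$rbin"
}

# Run the command line in $2 in a restricted shell with a clean environment
# and PATH set to the directory in $1.
# Prints "allowed" if it exits with status 0, otherwise "refused".
probe() {
    if env -i PATH="$1" HOME="$1" "$BASH_BIN" -r -c "$2" >/dev/null 2>&1; then
        echo allowed
    else
        echo refused
    fi
}

# Run each probe once and print a small report.
demo() {
    rbin=$(make_rbin) || return 1
    outside=$(mktemp) || return 1   # constructed file outside the restricted dir
    echo sample > "$outside"
    echo "cd /                 : $(probe "$rbin" 'cd /')"
    echo "PATH=/usr/bin:/bin   : $(probe "$rbin" 'PATH=/usr/bin:/bin')"
    echo "/bin/ls (slash name) : $(probe "$rbin" '/bin/ls')"
    echo "echo x > file        : $(probe "$rbin" "echo x > '$outside'")"
    echo "ls /                 : $(probe "$rbin" 'ls /')"
    echo "cat outside file     : $(probe "$rbin" "cat '$outside'")"
    rm -rf "$rbin" "$outside"
}

demo
```

The last two probes report "allowed": commands in the restricted path still reach any file that permissions allow, so the contents of that directory decide how much the restriction is worth.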


