RE: [off-topic?] Chrooting ssh/telnet users?
There is a chroot patch for the potato openssh-1.2.3 source in /contrib
however it appears to be broken.
I have created a modified diff for the Debian package source which will
apply the patch correctly and build an ssh_1.2.3chroot1-9.3 package.
Email me if you would like the diff.
As has been well covered in this thread you will need to create a chroot
jail which has all the executables your chroot user requires as well as the
libraries the executables rely on. There are many ways to acheive this.
For a very small chrooted environment (i.e. bash, cp, scp, ls, mv etc.) I
generally create this manually by copying the executables into the new
structure then running ldd on them to identify the libraries.
For a larger chroot environment you may want to look at dbootstrap.
You will have to manually maintain your chroot (upgrading
executables/security updates) unless you install APT into the chroot. I
Andrew J. Stephen Phone +64 4 496 4484
Team Leader, Network Operations Mobile +64 25 582 304
New Zealand Post Fax +64 4 496 4914
"The important thing about standards is to have them."
-- Bruce Schneier, creator of the Twofish algorithm
> -----Original Message-----
> From: Javier Fernández-Sanguino Peña [mailto:firstname.lastname@example.org]
> Sent: Saturday, 27 October 2001 02:15
> To: email@example.com
> Subject: [off-topic?] Chrooting ssh/telnet users?
> I have been asked for this and I was trying to figure out how to do it
> (would document it later on in the Securing-Debian-Manual). So please,
> excuse me if you feel this is off-topic.
> The problem is, how can an admin restrict remote access from
> a given user
> (through telnet and/or sshd) in order to limit his "moves" inside the
> operating system.
> Chrooting the daemon is a possibility, but it's not tailored
> in a per-user
> basis but globally to all users (besides you need all the
> tools that users
> might want to use in the jail). I'm looking more into a
> jailed enviroment
> like proftpd's when you sed "DefaultRoot ~" (jails the user
> into his home
> directory but he's able to use all commands, without having
> to setup all
> the libraries in it).
> AFAIK, pam only allows to limit some user accesses (cores, memory
> limits..) not users "movement" in the OS
> To UNSUBSCRIBE, email to firstname.lastname@example.org
> with a subject of "unsubscribe". Trouble? Contact
This email with any attachments is confidential and may be subject to legal
privilege. If it is not intended for you please reply immediately, destroy
it and do not copy, disclose or use it in any way.