Re: Chrooting Openssh

From: Bennett Todd (bet@rahul.net)
Date: 10/22/01


Date: Mon, 22 Oct 2001 09:41:34 -0400
From: Bennett Todd <bet@rahul.net>
To: Postmaster <postmaster@qsparks.com>
Subject: Re: Chrooting Openssh
Message-ID: <20011022094134.A17572@rahul.net>


2001-10-20-01:03:36 Postmaster:
> Does anybody know how to chroot the openssh service?

Once upon a time, it was easy to set up chroot; just include copies
of all the programs you wanted to run in the chroot jail. Maybe one
or two would want a data file; you'd need to copy them in too, and
they'd give nice clear error messages telling you what you needed to
add.

These days, though, chrooting has gotten hard. To chroot openssh you
need to chroot the ability to fire up a login shell, which means the
whole PAM machinery, as well as enough of /dev for both the
networking and the pty support. You'll probably need enough of /etc
for the name service switcher, and cthulhu only knows what else.
Likely most of the shared libraries on the system, dozens or
hundreds of them.

I suspect the easiest way to chase this will be to find a project
somewhere that's packaging tools for doing vhosting by chrooting.
I'm afraid I don't have a link for you, but hopefully "virtual host"
and "chroot" as keywords into search engines will turn up something.

I tried to set up chrooted openssh recently; after a long fight I
eventually gave up. Linux has turned really nasty that way;
everything depends on a zillion other subsystems.

-Bennett
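
Added example, not part of the original message: one way to handle the shared-library part of the problem described above is to copy each binary, plus every library `ldd` resolves for it, into the jail under the same absolute path. The function names and the paths in the usage comment are assumptions; PAM and NSS modules are loaded with dlopen() at run time, so `ldd` does not list them and they still have to be added by hand, along with the /dev and /etc entries.

```shell
#!/bin/sh
# Added example: populate a chroot jail with binaries and the shared
# libraries ldd reports for them. Names and paths are assumptions.
# Usage (hypothetical paths): sh populate.sh /srv/jail /usr/sbin/sshd /bin/sh

# list_libs BINARY: print the absolute paths of libraries ldd resolves.
# Run ldd only on binaries you trust; some implementations invoke the
# binary's own loader to produce the listing.
list_libs() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }  # libfoo.so => /lib/libfoo.so (0x...)
        $1 ~ /^\//               { print $1 }  # /lib64/ld-linux-x86-64.so.2 (0x...)
    ' | sort -u
}

# copy_into_jail JAIL FILE: copy FILE into JAIL, keeping its absolute path.
# -L follows symlinks so the jail holds real files, not dangling links.
copy_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")" && cp -L "$src" "$jail$src"
}

# populate_jail JAIL BINARY...: copy each binary and its library closure.
# Static binaries (ldd prints no paths) are copied on their own.
populate_jail() {
    jail=$1; shift
    for bin in "$@"; do
        copy_into_jail "$jail" "$bin" || return 1
        for lib in $(list_libs "$bin"); do
            copy_into_jail "$jail" "$lib" || return 1
        done
    done
}

# Run directly when given a jail directory and at least one binary.
if [ "$#" -ge 2 ]; then
    populate_jail "$@"
fi
```

A binary that starts inside the jail after this step can still fail at login time on the dlopen()ed modules; checking the jail with `chroot JAIL /bin/sh` and then the full service is the way to find what is still missing.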