Re: Chrooting Openssh

From: Skip Carter (skip@taygeta.com)
Date: 10/22/01


Message-Id: <200110221814.f9MIEiCw005668@mira.taygeta.com>
To: Charles Clancy <security@xauth.net>
Subject: Re: Chrooting Openssh 
Date: Mon, 22 Oct 2001 11:14:44 -0700
From: Skip Carter <skip@taygeta.com>


> On Sat, 20 Oct 2001, Postmaster wrote:
> > Does anybody know how to chroot the openssh service?
>
> Generally chroot defeats the purpose of OpenSSH. With
> OpenSSH/SSH/Telnet/rsh/etc, you want to be able to log in and use the
> system. For administrative purposes, it would be useless if root didn't
> have access to the file system. You might as well just shut off OpenSSH
> completely. If you're in a chroot-jail, there's not much you can
> administer except the OpenSSH daemon.

  I would have to respectfully disagree with this. It can make a lot of sense
  to chroot ssh sessions. With the use of the PAM module pam_chroot, you can
  easily chroot certain users and not others (so, for example admins would
  not get chrooted and ordinary shell account users would be).

  I have gotten OpenSSH (2.2.9p2) to work with chroot on Linux
  with the following /etc/pam.d/sshd file:

#%PAM-1.0
#
auth required /lib/security/pam_warn.so
auth required /lib/security/pam_pwdb.so shadow
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_pwdb.so shadow use_authtok md5
session required /lib/security/pam_chroot.so debug
session required /lib/security/pam_pwdb.so

  I used the package 'jail' ( http://www.gsyc.inf.uc3m.es/~assman/jail/ )
  to set up the chrooted environment.

-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip@taygeta.com
 1340 Munras Ave., Suite 314    UUCP:     ...!uunet!taygeta!skip
 Monterey, CA. 93940            WWW: http://www.taygeta.com/skip.html
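As an added check, not part of the original post, here is a small Python script that parses an sshd PAM file in the format shown above and reports whether pam_chroot is actually mandatory in the session stack; the embedded file contents are a copy of the stack posted in the thread, and the function names are my own.

```python
"""Audit an /etc/pam.d/sshd stack for chroot enforcement via pam_chroot."""
import re

# Copy of the sshd PAM stack from the post, embedded as sample input.
SSHD_PAM = """#%PAM-1.0
#
auth required /lib/security/pam_warn.so
auth required /lib/security/pam_pwdb.so shadow
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_pwdb.so shadow use_authtok md5
session required /lib/security/pam_chroot.so debug
session required /lib/security/pam_pwdb.so
"""

def parse_pam(text):
    """Return (type, control, module, args) tuples; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Bracketed control fields such as [success=ok default=bad] contain spaces.
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        mtype, control, module, args = m.groups()
        entries.append((mtype.lower(), control, module.rsplit("/", 1)[-1], args.split()))
    return entries

def chroot_findings(text):
    """Return a list of problems that would let a session escape the chroot."""
    findings = []
    chroot = [e for e in parse_pam(text) if e[2] == "pam_chroot.so"]
    if not chroot:
        findings.append("pam_chroot.so absent: no user is confined")
        return findings
    for mtype, control, _, args in chroot:
        if mtype != "session":
            findings.append(f"pam_chroot.so listed under '{mtype}', not 'session'")
        # Only required/requisite make a failed chroot abort the session.
        if control not in ("required", "requisite"):
            findings.append(f"control '{control}' lets a failed chroot still open a session")
        if "debug" in args:
            findings.append("debug option set: verbose logging, remove once tested")
    return findings
```

Run it against the live file with `chroot_findings(open("/etc/pam.d/sshd").read())`; an empty list means pam_chroot is present, in the session stack, and required.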
