Re: Chrooting Openssh

From: Zow (zow@presume.llnl.gov)
Date: 10/22/01


Message-Id: <200110222106.OAA05464@smtp-1.llnl.gov>
To: Charles Clancy <security@xauth.net>
Subject: Re: Chrooting Openssh 
Date: Mon, 22 Oct 2001 14:06:51 -0700
From: "Zow" Terry Brugger <zow@presume.llnl.gov>


> On Sat, 20 Oct 2001, Postmaster wrote:
> > Does anybody know how to chroot the openssh service?
>
> Generally chroot defeats the purpose of OpenSSH.

Not necessarily - it depends on your policy. If all administration is to be
done locally and all remote users should be isolated from the real system,
then this is a valid mechanism. This would be useful for securing a system
like SourceForge that provides accounts to every Tom, Dick and Sally from the
Internet, such that they can compile on different platforms.

I should also note that it's bad practice to allow root to log in directly via
ssh. 'Tis much better to require the admin to ssh to a user account and su from
there, although that scheme will not work if SSH is chroot'ed either.

Terry

import StandardDisclaimer;