RE: chroot, scp and security on RedHat 8.0

From: Stephen Andrew (Andrew.Stephen@nzpost.co.nz)
Date: 03/05/03

    From: Stephen Andrew <Andrew.Stephen@nzpost.co.nz>
    To: focus-linux@securityfocus.com
    Date: Thu, 6 Mar 2003 11:22:22 +1300 
    
    

    ----Original Message----
    From: Seth Arnold [mailto:sarnold@wirex.com]
    Sent: Wednesday, 5 March 2003 9:04 AM
    To: focus-linux@securityfocus.com
    Subject: Re: chroot, scp and security on RedHat 8.0

    > I strongly recommend the patch approach. The patch is small, clean,
    > easy to read, and should integrate painlessly into whatever package of
    > OpenSSH you're running on your system.
    >
    > chroot environments are difficult to get right. Doing it in a shell
    > script is asking for trouble. Someone else has already gone to the
    > trouble of patching OpenSSH to do it properly, and the chrootssh patch
    > has had some review of the final product by interested people.

    Another option I would suggest looking at is the scponly shell:

            http://www.sublimation.org/scponly/

    I have used chroot patched OpenSSH in the past but believe this to be a
    cleaner and more manageable solution.

    -- 
    Andrew
    
