Openssh5 Chrootdirectory ?! - SSH

Thread: Openssh5 Chrootdirectory ?!

  1. Openssh5 Chrootdirectory ?!

    I'm from Paris!
    I've installed the new OpenSSH 5.0! ... I just discovered chroot; I
    read many howtos on how chroot works. There are many howtos about how
    to put a new shell within a chrooted environment, but none with
    the new OpenSSH!
    I would like to know if someone could help me implement bash within
    this jail!
    I've already managed to use sftp, and my user is well chrooted in his
    home directory!

    well ... if anyone can show me the way ... (:

    Thanks.
    Lx.

  2. Re: Openssh5 Chrootdirectory ?!

    yanaski@gmail.com wrote:
    > I'm from Paris!
    > I've installed the new OpenSSH 5.0! ... I just discovered chroot; I
    > read many howtos on how chroot works. There are many howtos about how
    > to put a new shell within a chrooted environment, but none with
    > the new OpenSSH!
    > I would like to know if someone could help me implement bash within
    > this jail!
    > I've already managed to use sftp, and my user is well chrooted in his
    > home directory!
    >
    > well ... if anyone can show me the way ... (:
    >
    > Thanks.
    > Lx.


    Welcome to the land of philosophy and unsupported features. There have been a
    number of patches to OpenSSH published to support this, but the maintainers
    have *NEVER* accepted them into the main codeline. It's not trivial to set up:
    you need to add the patches, which typically involve setting a user's home
    directory to use a '/./' to designate where the root of the chroot cage goes,
    and install a small environment there, capable of actually running SSH
    binaries. It's not supported in OpenSSH, previous discussions have shown that
    it never *will* be supported unless there's a big change in the set of
    maintainers or their coding practices, and

    This is precisely why I tell people who need a secure file-transfer repository
    to simply use WebDAV over HTTPS. If you really need chroot for OpenSSH, there
    are a number of guidelines on how to set it up. The set at
    http://blog.wanderinglost.ca/?p=9 seems quite legible.

  3. Re: Openssh5 Chrootdirectory ?!

    Nico Kadel-Garcia wrote:

    > yanaski@gmail.com wrote:
    > > I'm from Paris!
    > > I've installed the new OpenSSH 5.0! ... I just discovered chroot; I
    > > read many howtos on how chroot works. There are many howtos about how
    > > to put a new shell within a chrooted environment, but none with
    > > the new OpenSSH!
    > > I would like to know if someone could help me implement bash within
    > > this jail!
    > > I've already managed to use sftp, and my user is well chrooted in his
    > > home directory!
    > >
    > > well ... if anyone can show me the way ... (:
    > >
    > > Thanks.
    > > Lx.

    >
    > Welcome to the land of philosophy and unsupported features. There have been a
    > number of patches to OpenSSH published to support this, but the maintainers
    > have *NEVER* accepted them into the main codeline. It's not trivial to set up:
    > you need to add the patches, which typically involve setting a user's home
    > directory to use a '/./' to designate where the root of the chroot cage goes,
    > and install a small environment there, capable of actually running SSH
    > binaries. It's not supported in OpenSSH, previous discussions have shown that
    > it never *will* be supported unless there's a big change in the set of
    > maintainers or their coding practices, and


    Although they did refuse the chroot patch for a very long time, even though a
    lot of people asked for it, since OpenSSH 4.9 it does have chroot.

    http://marc.info/?l=openbsd-announce...7348226977&w=2

    Relevant bits from the OpenSSH 4.9 release notes:

    New features:

    * Added chroot(2) support for sshd(8), controlled by a new option
    "ChrootDirectory". Please refer to sshd_config(5) for details, and
    please use this feature carefully. (bz#177 bz#1352)
    * Linked sftp-server(8) into sshd(8). The internal sftp server is
    used when the command "internal-sftp" is specified in a Subsystem
    or ForceCommand declaration. When used with ChrootDirectory, the
    internal sftp server requires no special configuration of files
    inside the chroot environment. Please refer to sshd_config(5) for
    more information.
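The release notes above give the sftp case for free, but the original question was about getting bash to run inside the ChrootDirectory jail. The script below is an added example, not code from the thread or from the OpenSSH project: it builds a minimal jail with a shell and its libraries, checks the directory the way sshd_config(5) says sshd does (every path component root-owned and not group/other writable, else login fails with "bad ownership or modes for chroot directory"), and prints the matching `Match` stanza. The path `/srv/jail`, the group `jailed` and the user `alice` are assumptions; a GNU/Linux userland (`stat -c`, `ldd`, `mknod`) is assumed as well.

```shell
#!/bin/sh
# Added example, not from the thread: build a ChrootDirectory jail that can run
# bash, check it the way sshd does, and print the sshd_config stanza for it.
# Assumes GNU/Linux userland (stat -c, ldd, mknod). /srv/jail etc. are examples.
set -eu

# sshd_config(5): every component of ChrootDirectory must be a root-owned
# directory that no other user or group can write. Returns 0 if the path passes.
check_chroot_path() {
  p=$1
  while :; do
    [ -d "$p" ] || { echo "not a directory: $p" >&2; return 1; }
    owner=$(stat -c %u "$p"); mode=$(stat -c %a "$p")
    [ "$owner" = 0 ] || { echo "$p: owner uid $owner, must be root" >&2; return 1; }
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "$p: mode $mode is group/other writable" >&2; return 1; }
    [ "$p" = / ] && return 0
    p=$(dirname "$p")
  done
}

# What an interactive session needs inside the jail (sshd_config(5): at least a
# shell and basic /dev nodes). Prints each missing path, one per line.
jail_missing() {
  jail=$1; shell=${2:-/bin/bash}
  for f in "$shell" /dev/null /dev/zero /dev/tty /dev/urandom; do
    [ -e "$jail$f" ] || echo "$f"
  done
}

# Copy a binary plus the shared libraries ldd resolves for it into the jail.
install_with_libs() {
  jail=$1; bin=$2
  for f in "$bin" $(ldd "$bin" | awk '/=> \// {print $3} /^[ \t]*\// {print $1}'); do
    mkdir -p "$jail$(dirname "$f")"
    cp -p "$f" "$jail$f"
  done
}

# Populate the jail for one user: shell, device nodes and a home directory,
# because sshd chdirs to the user's home *as seen from inside the chroot*
# (home /home/alice + ChrootDirectory /srv/jail -> /srv/jail/home/alice).
build_jail() {
  jail=$1; user=$2; shell=${3:-/bin/bash}
  mkdir -p "$jail/dev" "$jail/etc" "$jail/home/$user"
  [ -e "$jail/dev/null" ]    || mknod -m 666 "$jail/dev/null"    c 1 3
  [ -e "$jail/dev/zero" ]    || mknod -m 666 "$jail/dev/zero"    c 1 5
  [ -e "$jail/dev/tty" ]     || mknod -m 666 "$jail/dev/tty"     c 5 0
  [ -e "$jail/dev/urandom" ] || mknod -m 444 "$jail/dev/urandom" c 1 9
  install_with_libs "$jail" "$shell"
  # A copy of the user's passwd line lets the shell resolve its own uid.
  getent passwd "$user" > "$jail/etc/passwd"
  chown "$user" "$jail/home/$user"
}

# sshd_config stanza. kind=sftp forces the built-in server, which needs nothing
# inside the jail (and relies on a global "Subsystem sftp internal-sftp");
# kind=shell hands the user their login shell, so the jail must be built first.
sshd_config_stanza() {
  jail=$1; group=$2; kind=${3:-sftp}
  printf 'Match Group %s\n    ChrootDirectory %s\n    AllowTcpForwarding no\n    X11Forwarding no\n' "$group" "$jail"
  if [ "$kind" = sftp ]; then printf '    ForceCommand internal-sftp\n'; fi
}

# Usage (as root), with alice's login shell set to /bin/bash and home /home/alice:
#   build_jail /srv/jail alice && check_chroot_path /srv/jail
#   jail_missing /srv/jail            # should print nothing
#   sshd_config_stanza /srv/jail jailed shell >> /etc/ssh/sshd_config && sshd -t
```

Two things bite in practice: the jail root must stay root-owned with mode 755 (so the user's writable area is a subdirectory, here `/srv/jail/home/alice`), and the user's home as recorded in `/etc/passwd` must exist inside the jail, or the session fails after authentication. Run `sshd -t` after editing the config so a typo in the `Match` block does not take the daemon down on restart.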





  4. Re: Openssh5 Chrootdirectory ?!

    Hugo Villeneuve wrote:
    > Nico Kadel-Garcia wrote:
    >
    >> yanaski@gmail.com wrote:
    >>> I'm from Paris!
    >>> I've installed the new OpenSSH 5.0! ... I just discovered chroot; I
    >>> read many howtos on how chroot works. There are many howtos about how
    >>> to put a new shell within a chrooted environment, but none with
    >>> the new OpenSSH!
    >>> I would like to know if someone could help me implement bash within
    >>> this jail!
    >>> I've already managed to use sftp, and my user is well chrooted in his
    >>> home directory!
    >>>
    >>> well ... if anyone can show me the way ... (:
    >>>
    >>> Thanks.
    >>> Lx.

    >> Welcome to the land of philosophy and unsupported features. There have been a
    >> number of patches to OpenSSH published to support this, but the maintainers
    >> have *NEVER* accepted them into the main codeline. It's not trivial to set up:
    >> you need to add the patches, which typically involve setting a user's home
    >> directory to use a '/./' to designate where the root of the chroot cage goes,
    >> and install a small environment there, capable of actually running SSH
    >> binaries. It's not supported in OpenSSH, previous discussions have shown that
    >> it never *will* be supported unless there's a big change in the set of
    >> maintainers or their coding practices, and

    >
    > Although they did refuse the chroot patch for a very long time, even though a
    > lot of people asked for it, since OpenSSH 4.9 it does have chroot.
    >
    > http://marc.info/?l=openbsd-announce...7348226977&w=2
    >
    > Relevant bits from the OpenSSH 4.9 release notes:
    >
    > New features:
    >
    > * Added chroot(2) support for sshd(8), controlled by a new option
    > "ChrootDirectory". Please refer to sshd_config(5) for details, and
    > please use this feature carefully. (bz#177 bz#1352)
    > * Linked sftp-server(8) into sshd(8). The internal sftp server is
    > used when the command "internal-sftp" is specified in a Subsystem
    > or ForceCommand declaration. When used with ChrootDirectory, the
    > internal sftp server requires no special configuration of files
    > inside the chroot environment. Please refer to sshd_config(5) for
    > more information.


    *GREAT*. I'm going to have to try this, although I'm dealing with RHEL, not
    Fedora, right now. If it's effective, it might be coupled with Subversion
    services, which suffer in security terms from using local file systems (which
    require a local shell), svn+ssh (which had the lack-of-chroot security issues
    in spades), or HTTP/HTTPS (which stores your Subversion password in local
    clear text, at least for Subversion command-line clients built from source).

    That mess left a very bad taste in my mouth for the 'your server should be
    safe against local users!!!' approach to securing services.

    Now, if I can find a decent GUI to allow management of a set of SSH keys for a
    shared account for services such as Subversion 'svn+ssh' tunneling, I'll be
    cooking with gas.
