Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Oliver Fromme (ollisecnetix.de)
Date: Wed Jun 26 2002 - 18:34:43 CDT
Poul-Henning Kamp <phkcritter.freebsd.dk> wrote:
> Which reminds me that we should really tweak the code and put it in a
> jail instead of a chroot.
Slightly related ...
For a custom application I modified the sshd source to make
a jail() call right after the username had been transferred.
So user authentication already happens within the jail, using
the spwd.db inside the jail and so on. I added a config
option for sshd_config to specify jail parameters (chroot
directory, IP, hostname) per-user.
I had to do that because for certain reasons we weren't able
to run a separate sshd in each and every jail. Patching the
sshd source as described above enabled us to run just one
sshd on the machine. Of course, it also has disadvantages,
the largest ist that a user who logs in twice is actually in
two different jails (although they're the same chroot dir),
so he can't see nor kill his own processes running in the
other session. But that's something we can easily live with.
I considered subitting my patches, but to be honest, I wasn't
sure where to submit them. To the OpenSSH people? Nope, the
patches are clearly FreeBSD-specific. So submit them to the
FreeBSD people? I don't know.
Also, the patches are for openssh 2.9. I haven't looked at
the openssh 3.3 or 3.4 sources yet, but I fear that it will
be difficult to merge the patches there, and it's probably
impossible to use them with privsep enabled, because jail()
requires superuser priviledges, but the authentication is
performed as the sshd user when privsep is enabled. (Please
someone correct me if I'm wrong.)
Anyway. If anyone wants to look at my jail() patches for
sshd (openssh 2.9), I'll be happy to mail them or put them
up on some webpage. We use them in production for almost
a year now.
-- Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.
"All that we see or seem is just a dream within a dream" (E. A. Poe)
To Unsubscribe: send mail to majordomoFreeBSD.org with "unsubscribe freebsd-security" in the body of the message