From: Skip Carter (skiptaygeta.com)
Date: Mon Oct 22 2001 - 13:14:44 CDT
> On Sat, 20 Oct 2001, Postmaster wrote:
> > Does anybody know how to chroot the openssh service?
> Generally chroot defeats the purpose of OpenSSH. With
> OpenSSH/SSH/Telnet/rsh/etc, you want to be able to log in and use the
> system. For administrative purposes, it would be useless if root didn't
> have access to the file system. You might as well just shut off OpenSSH
> completely. If you're in a chroot-jail, there's not much you can
> administer except the OpenSSH daemon.
I would have to respectfully disagree with this. It can make a lot of sense
to chroot ssh sessions. With the use of the PAM module pam_chroot, you can
easily chroot certain users and not others (so, for example admins would
not get chrooted and ordinary shell account users would be).
I have gotten OpenSSH (2.2.9p2) to work with chroot on Linux
with the following /etc/pam.d/sshd file:
# authentication: warn (log) the attempt, check the shadow password, honour /etc/nologin
auth required /lib/security/pam_warn.so
auth required /lib/security/pam_pwdb.so shadow
auth required /lib/security/pam_nologin.so
# account validity and password changes via pam_pwdb
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_pwdb.so shadow use_authtok md5
# session: pam_chroot confines the users it is configured for; "debug" gives verbose logging
session required /lib/security/pam_chroot.so debug
session required /lib/security/pam_pwdb.so
I used the package 'jail' ( http://www.gsyc.inf.uc3m.es/~assman/jail/ )
to set up the chrooted environment.
--
Dr. Everett (Skip) Carter          Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc.            INTERNET: skiptaygeta.com
1340 Munras Ave., Suite 314        UUCP: ...!uunet!taygeta!skip
Monterey, CA. 93940                WWW: http://www.taygeta.com/skip.html
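The selective-chroot policy described in the post above (admins stay unconfined, ordinary shell users get chrooted), as an added example that is not part of the original message or of the pam_chroot or jail projects. It assumes pam_chroot reads a file in the style of /etc/security/chroot.conf, one "username-regex chroot-dir" pair per line, with the first matching rule winning; both that file and the sshd PAM stack are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example: evaluate a pam_chroot-style policy for a few users and check
# that the sshd PAM service file actually loads pam_chroot in its session stack.
set -eu

# Constructed sample in the assumed /etc/security/chroot.conf format:
# "<username regex> <chroot directory>", '#' starts a comment.
CHROOT_CONF='# pattern              chroot directory
^guest[0-9]*$            /var/chroot/guests
^(alice|bob)$            /var/chroot/shell
^www-                    /var/chroot/web
'

# Constructed copy of the /etc/pam.d/sshd stack shown in the post.
PAM_SSHD='auth required /lib/security/pam_warn.so
auth required /lib/security/pam_pwdb.so shadow
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_pwdb.so shadow use_authtok md5
session required /lib/security/pam_chroot.so debug
session required /lib/security/pam_pwdb.so
'

# chroot_target USER: print the directory the first matching rule assigns to
# USER, or "none" when no rule matches (the user keeps the real filesystem).
chroot_target() {
    printf '%s\n' "$CHROOT_CONF" | awk -v user="$1" '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        user ~ $1 { print $2; found = 1; exit }  # first matching regex wins
        END { if (!found) print "none" }'
}

# pam_session_has_chroot: succeed (exit 0) only if the stack has a
# "session required ... pam_chroot.so" line, i.e. the chroot is enforced
# for every login that reaches the session phase.
pam_session_has_chroot() {
    printf '%s\n' "$PAM_SSHD" | awk '
        $1 == "session" && $2 == "required" && $3 ~ /pam_chroot\.so$/ { ok = 1 }
        END { exit !ok }'
}

# Demo: admins (root) are left alone, shell and guest accounts are confined.
for u in root alice guest7 www-data; do
    printf '%-9s -> %s\n' "$u" "$(chroot_target "$u")"
done
pam_session_has_chroot && echo "sshd PAM stack loads pam_chroot in the session phase"
```

The awk `user ~ $1` test treats the first column as a dynamic regular expression, which is what lets one rule cover a whole class of accounts (`^guest[0-9]*$`) while leaving administrators unmatched; the `required` check on the session line matters because a module marked `optional` could fail without denying the login, and the user would end up in the real filesystem.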