From: Skip Carter (skiptaygeta.com)
Date: Mon Oct 22 2001 - 13:14:44 CDT

    > On Sat, 20 Oct 2001, Postmaster wrote:
    > > Does anybody know how to chroot the openssh service?
    >
    > Generally chroot defeats the purpose of OpenSSH. With
    > OpenSSH/SSH/Telnet/rsh/etc, you want to be able to log in and use the
    > system. For administrative purposes, it would be useless if root didn't
    > have access to the file system. You might as well just shut off OpenSSH
    > completely. If you're in a chroot-jail, there's not much you can
    > administer except the OpenSSH daemon.

      I would have to respectfully disagree with this. It can make a lot of sense
      to chroot ssh sessions. With the use of the PAM module pam_chroot, you can
      easily chroot certain users and not others (so, for example, admins would
      not get chrooted and ordinary shell account users would be).

      I have gotten OpenSSH (2.2.9p2) to work with chroot on Linux
      with the following /etc/pam.d/sshd file:

    #%PAM-1.0
    #
    # auth: log every attempt, check the password against the shadow database,
    #       then refuse non-root logins while /etc/nologin exists
    auth required /lib/security/pam_warn.so
    auth required /lib/security/pam_pwdb.so shadow
    auth required /lib/security/pam_nologin.so
    account required /lib/security/pam_pwdb.so
    password required /lib/security/pam_pwdb.so shadow use_authtok md5
    # session: pam_chroot jails the user according to its own mapping file
    # before the normal session setup runs; 'debug' logs its decisions
    session required /lib/security/pam_chroot.so debug
    session required /lib/security/pam_pwdb.so

      I used the package 'jail' ( http://www.gsyc.inf.uc3m.es/~assman/jail/ )
      to set up the chrooted environment.

    -- 
     Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
     Taygeta Scientific Inc.        INTERNET: skiptaygeta.com
     1340 Munras Ave., Suite 314    UUCP:     ...!uunet!taygeta!skip
     Monterey, CA. 93940            WWW: http://www.taygeta.com/skip.html
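The two things the reply above leans on, jailing some users and not others, and a jail directory that has been set up correctly, are shown below in an added example. It is not code from the post, from pam_chroot or from the 'jail' package. Assumptions, labelled in the code: pam_chroot's mapping is taken to be lines of the form `<user regex> <jail dir>` (check the mapping file format of the module build you install), the allowed device list and required paths are a minimal guess for a shell jail, and the flawed jail it audits is constructed in a temporary directory. The audit flags what weakens a chroot boundary from the defender's side: setuid binaries inside the jail, symlinks that resolve outside it, unexpected device nodes, world-writable directories without the sticky bit, and a jail root that is not root-owned.

```python
#!/usr/bin/env python3
"""Decide who is jailed, then audit the jail tree itself.

Added example; not code from the mailing-list post, from pam_chroot or from
the 'jail' package. Assumed: a "<user regex> <jail dir>" mapping layout and
the minimal shell-jail contents listed below.
"""
import os
import re
import stat
import tempfile

# Constructed mapping: admins are absent, so they stay unjailed. Anchors
# matter: an unanchored "bob" would also jail "bobby".
SAMPLE_CHROOT_CONF = """\
# constructed sample: admins stay unjailed, shell accounts are jailed
^(alice|bob)$    /home/jail
^guest[0-9]+$    /home/guestjail
"""

# Device nodes and paths a minimal shell jail needs (assumption).
ALLOWED_DEVICES = {"dev/null", "dev/zero", "dev/tty"}
REQUIRED_PATHS = ("bin/sh",)


def parse_chroot_conf(text):
    """Parse '<user regex> <jail dir>' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, jail_dir = line.split(None, 1)
        rules.append((re.compile(pattern), jail_dir.strip()))
    return rules


def jail_for(user, rules):
    """Jail directory for `user`, or None if the user is not chrooted."""
    for pattern, jail_dir in rules:
        if pattern.search(user):
            return jail_dir
    return None


def audit_jail(jail):
    """Return [(kind, relative path)] for everything that weakens the jail.

    A root process inside a chroot can leave it, so setuid binaries are out;
    symlinks are resolved to make sure they stay inside; unexpected device
    nodes and world-writable directories are flagged; the jail root must be
    root-owned and not writable by group or others.
    """
    jail = os.path.realpath(jail)
    findings = []
    root_st = os.stat(jail)
    if root_st.st_uid != 0:
        findings.append(("jail-root-not-owned-by-root", "."))
    if root_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("jail-root-writable", "."))
    for cur, dirs, files in os.walk(jail):          # does not follow symlinks
        for name in dirs + files:
            path = os.path.join(cur, name)
            rel = os.path.relpath(path, jail)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                target = os.path.realpath(path)
                if target != jail and not target.startswith(jail + os.sep):
                    findings.append(("symlink-escapes-jail", rel))
            elif stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setuid-or-setgid-file", rel))
            elif stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                if rel not in ALLOWED_DEVICES:
                    findings.append(("unexpected-device-node", rel))
            elif stat.S_ISDIR(mode) and (mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX):
                findings.append(("world-writable-dir", rel))
    for required in REQUIRED_PATHS:
        if not os.path.exists(os.path.join(jail, required)):
            findings.append(("missing-required", required))
    return findings


def build_sample_jail(base):
    """Construct a deliberately flawed jail under `base` to exercise the audit."""
    jail = os.path.join(base, "jail")
    for sub in ("bin", "etc", "tmp"):
        os.makedirs(os.path.join(jail, sub))
    sh = os.path.join(jail, "bin", "sh")
    with open(sh, "w") as f:
        f.write("#!/bin/sh\n")          # stand-in for a real copied shell
    os.chmod(sh, 0o755)
    su = os.path.join(jail, "bin", "su")
    open(su, "w").close()
    os.chmod(su, 0o4755)                # setuid binary inside the jail
    os.symlink("../../../etc/passwd",   # resolves outside the jail
               os.path.join(jail, "etc", "passwd"))
    os.chmod(os.path.join(jail, "tmp"), 0o777)   # world-writable, no sticky bit
    return jail


def demo():
    """Run both checks on constructed input; returns the set of finding kinds."""
    rules = parse_chroot_conf(SAMPLE_CHROOT_CONF)
    for user in ("alice", "root", "bobby", "guest42"):
        print(f"{user:8s} -> {jail_for(user, rules)}")
    with tempfile.TemporaryDirectory() as base:
        findings = audit_jail(build_sample_jail(base))
    for kind, rel in findings:
        print(f"{kind:28s} {rel}")
    return {kind for kind, _ in findings}


if __name__ == "__main__":
    demo()
```

Run it as-is to see the constructed jail fail on the setuid file, the escaping symlink and the world-writable `tmp`; point `audit_jail()` at a real jail built with the 'jail' package before adding the user to the pam_chroot mapping. Because pam_chroot applies in the session phase after authentication, the mapping decides only who lands in the jail; the jail's own contents decide whether staying there means anything.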