|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Charles Clancy (security
xauth.net)Date: Mon Oct 22 2001 - 13:43:38 CDT
> > > Does any body know to chroot openssh service ?
> >
> > Generally chroot defeats the purpose of OpenSSH.
>
> I would have to respectfully disagree with this. It can make a lot of sense
> to chroot ssh sessions. With the use of the PAM module pam_chroot, you can
> easily chroot certain users and not others (so, for example admins would
> not get chrooted and ordinary shell account users would be).
If you're chrooting individual users, that's different than chrooting the
entire daemon process. With module described, the chrooting happens after
the user authenticates, which means any buffer-overflow attacks against
the SSH daemon itself would still be effective in giving an attacker
access to the entire filesystem.
If the goal of chrooting is to hinder the access of certain authenticated
users, then certainly chrooting makes sense; however, this is not specific
to OpenSSH and applies to anything giving someone access to the file
system (rsh, telnet, ftp, samba, etc).
If the goal of chrooting is to limit the effectiveness of buffer overflow
attacks (as many have done with BIND), then you have to chroot the entire
server processes, and it makes remote system administration difficult,
because even root is restricted to the new root.
-- t. charles clancy <> tclancy
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]