[2339] in linux-security and linux-alert archive
[linux-security] Re: ssh and chroot...
daemon@ATHENA.MIT.EDU (Alex Belits)
Sat May 20 18:22:43 2000
Date: Thu, 18 May 2000 16:31:01 -0700 (PDT)
From: Alex Belits <abelits@phobos.illtel.denver.co.us>
To: Jan Kasprzak <kas@informatics.muni.cz>
cc: Mike Bowie <mike@goforgold.com>, linux-security@redhat.com,
recipient list not shown: ;
In-Reply-To: <20000509221118.E857@informatics.muni.cz>
Message-ID: <Pine.LNX.4.10.10005181624200.1381-100000@mercury>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Resent-From: linux-security@redhat.com
On Tue, 9 May 2000, Jan Kasprzak wrote:
> I think the most trivial option would be to use the "UseLogin yes"
> in sshd_config. /bin/login can handle chroot well, AFAIK. OTOH you will
> lose the RSA authentication ability then.
>
> The cleaner, but hard, way would be to extend the sshd-pam
> patch to allow chroot.
Or, much easier, write a setuid shell wrapper that does chroot() and
chdir(), sets all uids back to the user's own and runs the real shell from
the chrooted environment. If the wrapper is configured as the user's shell, and
the user isn't allowed to change it from the chrooted environment, the user will
get the chrooted environment no matter how he logs in, yet all
authentication will be performed outside that environment.
--
Alex
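
The wrapper described in this message, written out in C as an added example (not code from the post or its author). The jail path /srv/jail, the in-jail shell /bin/sh, the fixed environment and the jail_root_ok() ownership check are assumptions of the example.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL       "/srv/jail"   /* assumed jail root, not from the post */
#define REAL_SHELL "/bin/sh"     /* assumed real shell, resolved inside the jail */

/* The jail root must be a root-owned directory that only root can write,
 * otherwise the jailed user could replace what the wrapper executes. */
int jail_root_ok(const struct stat *st)
{
    return S_ISDIR(st->st_mode) && st->st_uid == 0 &&
           (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* chroot() + chdir(), then set every uid/gid back to the user's.
 * Returns 0 on success, -1 if any step fails (caller must not exec). */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    struct stat st;

    if (uid == 0) return -1;               /* root can break out of a chroot */
    if (stat(jail, &st) != 0 || !jail_root_ok(&st)) return -1;
    /* chdir("/") after chroot() so the cwd is not left outside the jail. */
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    /* gid before uid: after setuid() we no longer may change the gid.
     * Supplementary groups are the ones sshd/login already set. */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* With euid 0, setuid() resets real, effective and saved uid; verify. */
    if (setuid(0) == 0 || seteuid(0) == 0) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Fixed environment: nothing inherited reaches the privileged steps. */
    char *const envp[] = { "PATH=/bin:/usr/bin", "HOME=/", NULL };

    (void)argc;
    /* In a setuid-root binary getuid()/getgid() are still the user's. */
    if (enter_jail(JAIL, getuid(), getgid()) != 0) {
        fprintf(stderr, "chroot wrapper: refusing to start shell\n");
        return 1;
    }
    /* argv passes through, so "-name" (login) and "-c cmd" both work. */
    execve(REAL_SHELL, argv, envp);
    perror("execve");
    return 1;
}
```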