[TriLUG] does anyone know the correct procedures to

Mike Johnson mike at enoch.org
Mon Nov 4 18:10:54 EST 2002


> On Sun, 3 Nov 2002, Ben Simpson wrote:
> > chroot an ftp and or ssh server so that user can't just cd to the real "/"

First, what -exactly- are you trying to do?  Are you trying to allow
users to authenticate and get a login shell?  Are you trying to allow
sftp and scp?  What are your needs?

As for ftpd, which server are you using?
For WU-FTPD: http://www.landfield.com/wu-ftpd/docs/guest-howto.html
For ProFTPD: http://www.proftpd.org/docs/faq/proftpdfaq-5.html#ss5.12

There are others; Google is your friend.

Matthew Todd [matthew.todd at alumni.duke.edu] wrote:
> Hi Ben,
> 
> I sort of did this for an ssh (& thus, sftp) server a few months ago.
> 
> These pages were helpful:
> http://mail.incredimail.com/howto/openssh/
> http://ulf.zeitform.de/sshchroot/
> 
> Back then, I got the impression that this was something of a black art.
> These kinds of patches had been rejected for the main OpenSSH development
> tree, and I'm not sure if any ever made it in.

It's not so much a black art as it is something that should be done
outside of the ssh server.  I used to subscribe to the idea of doing the
chroot in sshd, but after it became a pain in the ass to maintain the
patch (yes, mine was one of the rejected patches), and after reading the
arguments, I've come to the conclusion that it's better done in the
shell.

I use rssh as my shell of choice, hacked a bit to add the additional
commands that I need:
http://pizzashack.org/rssh/

Mike
-- 
"Would you like to take advantage of wiretap Wednesdays?" 
     -- Fed on Sealab 2021

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
