Hello, Willy.

> Is there any chance of (work going on) implementing chroot in sshd?
> (At least when using only sftp).
> Like the ChRootGroups and ChRootUsers in ssh2 (sshd2_config).
> (Because I prefer using the sshd in base).

SFTP chroot support is easy but with a possible security flaw:

Apply the following patch at the following URL to sftp-server.c:
http://www.informatik.tu-cottbus.de/~cnoack/openbsd/

In order to make the chroot work, you need to suid sftp-server:

-r-sr-xr-x  1 root  bin  32768 May 17  2004 /usr/libexec/sftp-server

To enable chroot at SFTP for a user (no ssh interactive login then),
alter his user account to use the following properties:
- homedir: /folder/to/content/./
- shell: /usr/libexec/sftp-server

The /./ postfix is the indicator for sftp-server to chroot the user;
all other users without /./ are handled as usual. Then the user can
log in via SFTP and is chrooted to /folder/to/content.

Christian Noack
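
How a setuid sftp-server could act on the /./ marker described above, as an added example that is not the patch from the message and not OpenBSD code. The function names split_chroot_home and enter_chroot are hypothetical, and treating the text after the marker as the start directory inside the jail is an assumption.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Split "/root/./sub" at the first "/./" marker. Returns 1 and fills root and
 * sub (start directory inside the jail, at least "/") when the marker is
 * present, 0 when it is absent, -1 on an empty root or a too-small buffer. */
int split_chroot_home(const char *home, char *root, size_t rlen,
                      char *sub, size_t slen)
{
    const char *m = strstr(home, "/./");
    size_t n;

    if (m == NULL)
        return 0;                 /* no marker: user is handled as usual */
    n = (size_t)(m - home);
    if (n == 0 || n >= rlen || strlen(m + 2) >= slen)
        return -1;
    memcpy(root, home, n);
    root[n] = '\0';
    strcpy(sub, m + 2);           /* keeps the leading '/' */
    return 1;
}

/* Enter the jail, then give up root for good, before any client input is
 * parsed. Returns 0 on success, -1 on any failure (the caller must exit). */
int enter_chroot(const char *root, const char *sub, uid_t uid, gid_t gid)
{
    if (chroot(root) == -1 || chdir("/") == -1 || chdir(sub) == -1)
        return -1;
    if (setgroups(1, &gid) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    /* Regaining root must now fail, otherwise the drop did not stick. */
    if (uid != 0 && setuid(0) != -1)
        return -1;
    return 0;
}

int main(void)
{
    char root[256], sub[256];
    /* Constructed sample: the home directory value from the message. */
    if (split_chroot_home("/folder/to/content/./", root, sizeof root, sub, sizeof sub) == 1)
        printf("chroot to %s, start in %s\n", root, sub);
    return 0;
}
```

enter_chroot only succeeds when the process starts with root privileges, which is why the binary is installed setuid in this setup.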
