On Sun, 2002-03-31 at 05:24, Jon McCain wrote:
> I've been playing around with the scp and sftp components of putty and
> noticed what I consider a security hole. Winscp does the same thing.
> The user can change to directories above their home. Is there a way to
> chroot them like you can in an ftp config file? I don't see anything in
> the sshd config files. If you can't, how can I disable the scp
> functionality? I'm not talking about scp from the linux box. The users
> don't have shell access so that's not a problem. I'm referring to
> remote people using a scp client to access my linux machine. You can
> disable sftp ability by removing the sftp-server program but the scp
> server part seems to be part of sshd.

There is a chroot patch for SSH. You can find it in the Bug tracking
system (I added it there a few weeks ago).

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=139047&repeatmerged=yes

If you apply that patch to your SSHd and modify the /etc/passwd file by
using the special token '/./' in the user's homedir he will be chrooted
at the token.

Example:

joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash

Now joeuser will be chrooted to /home/joe

This works for SSH and SCP / SFTP etc of course.

Mark Janssen

> I did not see anything about this issue on the openssh web site.
> Anybody got any suggestions?
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

--
Mark Janssen
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
E-mail: mark(at)markjanssen.nl / maniac(at)maniac.nl
GnuPG Key Id: 357D2178
Web: Maniac.nl Unix-God.[Net|Org] MarkJanssen.[com|net|org|nl] SyConOS.[com|nl]
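
Added example, not part of the original message and not code from the patch: a small audit of passwd-format text that reports which accounts carry the '/./' token and where they would be chrooted, and lists accounts that are not confined. The names `parse_line`, `audit` and `unconfined`, the sample accounts other than joeuser, and the choice to split at the first occurrence of the token are assumptions.

```python
"""Audit passwd-format text for the '/./' chroot token (added example)."""
from typing import List, NamedTuple, Optional

TOKEN = "/./"  # marker from the message; the patched sshd chroots at it

# Constructed sample: joeuser's line is from the message, the rest are made up.
SAMPLE_PASSWD = """\
# constructed test data, not a real system
root:x:0:0:root:/root:/bin/bash
joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash
amy:x:1100:1100:Amy:/home/jail/./home/amy:/bin/bash
bob:x:1101:1101:Bob:/home/bob:/bin/bash
eve:x:1102:1102:Eve:/./home/eve:/bin/bash
"""

class Entry(NamedTuple):
    user: str
    chroot: Optional[str]  # directory before the token, None if no token
    rest: Optional[str]    # path after the token (its use is not described in the message)

def parse_line(line: str) -> Optional[Entry]:
    """Parse one passwd line; return None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd line: {line!r}")
    user, home = fields[0], fields[5]
    # Assumption: the first occurrence of the token is the one that counts.
    head, sep, tail = home.partition(TOKEN)
    if not sep:
        return Entry(user, None, None)
    return Entry(user, head or "/", "/" + tail.strip("/"))

def audit(passwd_text: str) -> List[Entry]:
    """Parse every account line in passwd-format text."""
    return [e for e in map(parse_line, passwd_text.splitlines()) if e]

def unconfined(entries: List[Entry]) -> List[str]:
    """Users with no token, or whose token sits at '/', which confines nothing."""
    return [e.user for e in entries if e.chroot in (None, "/")]

if __name__ == "__main__":
    entries = audit(SAMPLE_PASSWD)
    for e in entries:
        print(f"{e.user:8} chroot={e.chroot} rest={e.rest}")
    print("not confined:", ", ".join(unconfined(entries)))
```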