On Fri, Feb 28, 2003 at 10:06:29PM -0500, Leland T. Snyder wrote:
> The reply I got told me to use a patch of OpenSSH that implements
> chroot jail if a key file exists in the home directory of the login
> used.

Close. It checks if the user's home in the password database includes the sequence /./ -- this sequence is essentially a no-op everywhere, so it is pretty safe for them to use it.

There is also a pam_chroot module. I've suggested the use of this module instead of the chroot openssh patch to several people, and the only one who tried it out didn't get it to work. Heh.

> Q1> If the first line of my /etc/profile traps and ignores all events
> (including all user generated break/terminate events). Is there still a way
> to break before the first line of /etc/profile as a user??

This is a race condition, one I strongly advise you to avoid playing. Many people have experienced breaking out of their confined shell scripts with well-timed interrupts.

> I imagine I can bypass the whole patching of OpenSSH

I strongly recommend the patch approach. The patch is small, clean, easy to read, and should integrate painlessly into whatever package of OpenSSH you're running on your system.

chroot environments are difficult to get right. Doing it in a shell script is asking for trouble. Someone else has already gone to the trouble of patching OpenSSH to do it properly, and the chrootssh patch has had some review of the final product by interested people.

And, as a final thought -- bind mounting can help. The kernel's automount daemon can help. And you don't want /proc or any setuid root programs available in the chroot, as root typically can break out of chroot without too much hassle.

-- 
Too bad life doesn't have a :q! command.
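An added example, not from the thread or the chrootssh patch itself, showing in Python how the /./ home-directory convention described above is interpreted, plus two checks a jail administrator would want from the final paragraph (no uid 0 users inside a jail, no setuid binaries in the tree). The passwd lines are constructed, and `split_chroot_home`, `audit_passwd` and `find_setuid` are hypothetical helper names.

```python
import os
import stat

MARKER = "/./"  # chrootssh convention: '/jail/./home' = chroot('/jail'), then cd '/home'
# Constructed sample /etc/passwd lines (not taken from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/jail/./alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:0:0:Carol:/srv/jail/./:/bin/sh
"""

def split_chroot_home(home):
    """Interpret a passwd home field as the chrootssh patch does:
    '/home/jail/./alice' -> ('/home/jail', '/alice'), i.e. chroot to the part
    before the marker and chdir to the part after it. None means no chroot."""
    if MARKER not in home:
        return None
    root, _, inner = home.partition(MARKER)
    return root, "/" + inner.lstrip("/")

def audit_passwd(text):
    """Return {user: [notes]} for every chroot-marked entry in text."""
    report = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank or malformed line
        user, _, uid, _, _, home, _ = fields
        split = split_chroot_home(home)
        if split is None:
            continue
        root, inner = split
        notes = [f"chroot={root} home={inner}"]
        if uid == "0":
            notes.append("uid 0 in chroot: root can usually break out")
        report[user] = notes
    return report

def find_setuid(root):
    """Walk a jail tree and list setuid/setgid regular files (a jail should have none)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(os.path.relpath(path, root))
    return hits
```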