Hi Ehud,
Doing chmod +s /usr/sbin/chroot will simply break the security on your
system. For example (as a non root user) do:
chroot / cat /etc/shadow.
Getting a root shell is left as an exercise to the reader.
Moshe Shemesh
Liraz-x
----- Original Message -----
From: "Ehud Karni" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, July 31, 2003 7:18 PM
Subject: Re: SSH Jail
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thu, 31 Jul 2003 13:39:31 +0300 (IDT), Chaim Keren Tzion <[EMAIL PROTECTED]> wrote:
> >
> > I am intending that sftp will be used for the file transfer. The problem
> > is that once I create the account that will use sftp it automatically has
> > the ability to log in with ssh and wander around the system. I would like
> > to limit the user's ability to travel outside of the home directory and to
> > execute commands. I have tried to define the user with /dev/false as its
> > shell but then I can't log in.
>
> I read the answers to this question and I think that they are in the
> wrong direction (changing the shell) or are too complicated (chroot
> the sshd - which needs a patch and compilation). Both of these solutions
> can be quite easily bypassed by port forwarding.
>
> You can force your user to use only one command by changing the
> ~<user>/.ssh/authorized_keys/2 key line (please read the sshd man page).
>
> I tested the following line:
> command="exec /usr/sbin/chroot /ulnx/ehud sftp-server",no-pty,permitopen="dummy:9" <original public key line>
> which means:
> 1. Run the "/usr/sbin/chroot /ulnx/ehud sftp-server" command,
> ignoring the user actual command.
> 2. Don't allocate a pty.
> 3. The only port forwarding allowed is to "dummy" host (which does
> not exist on my system)
>
> I had several problems:
> 1. The chroot did not run for the user until I changed its permissions
> to +s (chmod +s /usr/sbin/chroot by root). When run in this way
> the specified command is run under the user id.
>
> 2. I had the usual chroot problems with dynamically linked programs.
> I had to create lib, lib/i686, usr and usr/lib and copy the
> necessary libraries (do ldd /usr/libexec/openssh/sftp-server to
> check what libraries are needed).
>
> Ehud.
>
>
> - --
> Ehud Karni Tel: +972-3-7966-561 /"\
> Mivtach - Simon Fax: +972-3-7966-667 \ / ASCII Ribbon Campaign
> Insurance agencies (USA) voice mail and X Against HTML Mail
> http://www.mvs.co.il FAX: 1-815-5509341 / \
> mailto:[EMAIL PROTECTED] Better Safe Than Sorry
> -----BEGIN PGP SIGNATURE-----
> Comment: use http://www.keyserver.net/ to get my key (and others)
>
> iD8DBQE/KU9SLFvTvpjqOY0RAtMdAJ4ynT1N63lzWp1XGUn7y4pq/yhtXACeK2PP
> NTEbs7E9YEn4+TBmI1boXqY=
> =r4oF
> -----END PGP SIGNATURE-----
>
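The pieces of Ehud's recipe and Moshe's objection, put together as an added shell example (this is not code from either poster, and the jail path /ulnx/ehud, the sample public key and the sample ldd output are constructed for illustration): it builds the restricted authorized_keys line, checks whether the chroot binary carries the setuid bit that Moshe warns about, and turns ldd output into the list of libraries (and the mkdir/cp commands) the jail needs.

```shell
#!/bin/sh
# Added example, not code from the thread. It shows three things the thread
# discusses: building a restricted authorized_keys line, checking that the
# chroot binary is not setuid, and turning ldd output into the library list
# the jail needs. The jail path /ulnx/ehud, the sample key and the sample ldd
# output below are constructed assumptions for illustration.

# Print a forced-command key line of the kind Ehud describes.
# $1 = jail directory, $2 = command to run inside the jail, $3 = public key line.
# All options used here are documented in sshd(8) under AUTHORIZED_KEYS FILE
# FORMAT; no-port-forwarding blocks forwarding outright, which is stricter
# than permitopen="dummy:9".
forced_key_line() {
    printf 'command="exec /usr/sbin/chroot %s %s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$1" "$2" "$3"
}

# Return 0 (true) if the file has the setuid bit, 1 otherwise. A setuid
# chroot lets any local user run "chroot / cat /etc/shadow" as root, which is
# the problem Moshe raises.
is_setuid() {
    [ -u "$1" ]
}

# Read ldd output on stdin and print the absolute library paths it names,
# one per line, sorted and de-duplicated. Handles both "name => /path (addr)"
# lines and bare "/path (addr)" lines (the dynamic loader), and skips
# pseudo-libraries such as linux-gate.so.1 that have no path on disk.
libs_needed() {
    LC_ALL=C awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' \
        | LC_ALL=C sort -u
}

# Read library paths on stdin and print the mkdir/cp commands that would
# populate the jail rooted at $1. The commands are printed, not run.
jail_copy_cmds() {
    while IFS= read -r lib; do
        printf 'mkdir -p %s%s\n' "$1" "$(dirname "$lib")"
        printf 'cp -p %s %s%s\n' "$lib" "$1" "$lib"
    done
}

# Constructed sample of what "ldd /usr/libexec/openssh/sftp-server" might
# print on a 2003-era i686 system (not real output).
SAMPLE_LDD='    libcrypto.so.0.9.7 => /lib/libcrypto.so.0.9.7 (0x40020000)
    libc.so.6 => /lib/i686/libc.so.6 (0x400f0000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
    linux-gate.so.1 =>  (0xffffe000)'

# Run as "sh jail.sh demo" to see the generated key line, the setuid check
# and the copy commands for the sample library list.
if [ "${1:-}" = "demo" ]; then
    forced_key_line /ulnx/ehud sftp-server 'ssh-rsa AAAAB3NzaC1yc2E... ehud@example'
    if is_setuid /usr/sbin/chroot; then
        echo "WARNING: /usr/sbin/chroot is setuid; any user can become root with it" >&2
    fi
    printf '%s\n' "$SAMPLE_LDD" | libs_needed | jail_copy_cmds /ulnx/ehud
fi
```

The copy commands are printed rather than executed so the script can be tried without touching the system; review the list, then run it as root for the real jail. The setuid check is the point to keep: a setuid chroot gives every local user root via the example Moshe shows, so the forced-command trick should not be bought at that price. Current OpenSSH releases avoid the whole problem with the `ChrootDirectory` and `ForceCommand internal-sftp` directives in sshd_config, which chroot the sftp session inside the privileged sshd without any setuid helper.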
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]