You can chroot SSH by applying a patch to the OpenSSH source and the rebuilding. You still have to run ldd to identify the needed files and copy those to the chrooted environment. I don't know of any way around this.
Then what I've done in the past is, once you have the chrooted SSH user, you add 'exit' to the top of the user's profile, make that and the parent directory owned by another user (root, sysadmin, whatever) - so that the user can't overwrite the profile. When that's in place, the user can sftp into the box but cannot get a shell and they are chrooted into the directory you set up. It's a pretty quick setup. Even with having to run the ldd and copy the libraries, it's probably less than an hour. Here's a good link to a doc explaining the process step by step: http://www.netadmintools.com/art294.html . >>> "McDougall, Marshall (FSH)" <[EMAIL PROTECTED]> 12/09/05 6:05 AM >>> I apologize if this is OT. I have a developer who needs access to /u/l/a/htdocs/his_project_documentation. I don't want to give him a shell account because he only needs to dump some online manuals in this directory. I also don't want him to be able to navigate the file system. >From what I have seen, If I create a user with no shell account, sftp will not work. It fails with: Warning: ssh_packet_wrapper_input: invalid packet received: len 1416128887 closing the offending input channel. If I create a user with the home drive pointing to /u/l/a/htdocs/his_project_documentation, all of the dot files get dumped there and they can still navigate the filesystem. I have installed rssh from pizzashack.org and have limited them to just SFTP, but again they can still navigate the filesystem. If I understand the CHROOT jail process properly, I would need to copy various system binaries to the chrooted area and I don't want to do that. So my burning question is: How do I give this user sftp access only to a very limited area of my system? Any assistance appreciated. Regards, Marshall
