[TriLUG] does anyone know the correct procedures to

Ben Simpson ben at silextech.com
Tue Nov 5 07:38:27 EST 2002


Well, I guess now that I am thinking about it the only persons that I 
would be giving out shell accounts to are admin-type people who would 
need to go to all the different directories on the server. So I guess I 
really don't need ssh chroot'ed.
I am using ProFTPd because it taps into my LDAP directory for user 
authentication. THAT I would really like to chroot the directory. 
Anonymous is chrooted but that is about it.
Ben

Mike Johnson wrote:

>>On Sun, 3 Nov 2002, Ben Simpson wrote:
>>
>>>chroot an ftp and/or ssh server so that user can't just cd to the real "/"
>
>First, what -exactly- are you trying to do?  Are you trying to allow
>users to authenticate and get a login shell?  Are you trying to allow
>sftp and scp?  What are your needs?
>
>As for ftpd, which server are you using?
>For WU-FTPD: http://www.landfield.com/wu-ftpd/docs/guest-howto.html
>For ProFTPD: http://www.proftpd.org/docs/faq/proftpdfaq-5.html#ss5.12
>
>There's others, Google is your friend.
>
>Matthew Todd [matthew.todd at alumni.duke.edu] wrote:
>
>>Hi Ben,
>>
>>I sort of did this for an ssh (& thus, sftp) server a few months ago.
>>
>>These pages were helpful:
>>http://mail.incredimail.com/howto/openssh/
>>http://ulf.zeitform.de/sshchroot/
>>
>>Back then, I got the impression that this was something of a black art.
>>These kinds of patches had been rejected for the main OpenSSH development
>>tree, and I'm not sure if any ever made it in.
>
>It's not so much a black art as it is something that should be done
>outside of the ssh server.  I used to subscribe to the idea of doing the
>chroot in sshd, but after it became a pain in the ass to maintain the
>patch (yes, mine was one of the rejected patches), and after reading the
>arguments, I've come to the conclusion that it's better done in the
>shell.
>
>I use rssh as my shell of choice, hacked a bit to add the additional
>commands that I need:
>http://pizzashack.org/rssh/
>
>Mike

-- 
Ben Simpson, MCSE
Systems Engineer
Voice and Fax Number: 1-877-718-7627 x401

Silex Technologies
http://www.silextech.com
