Date:      Thu, 27 Jun 2002 01:34:43 +0200 (CEST)
From:      Oliver Fromme <olli@secnetix.de>
To:        freebsd-security@FreeBSD.ORG
Subject:   sshd + jail (was Re: OpenSSH Security)
Message-ID:  <200206262334.g5QNYhQ40207@lurza.secnetix.de>

Poul-Henning Kamp <phk@critter.freebsd.dk> wrote:
 > Which reminds me that we should really tweak the code and put it in a
 > jail instead of a chroot.

Slightly related ...

For a custom application I modified the sshd source to make
a jail() call right after the username had been transferred.
So user authentication already happens within the jail, using
the spwd.db inside the jail and so on.  I added a config
option for sshd_config to specify jail parameters (chroot
directory, IP, hostname) per-user.

I had to do that because for certain reasons we weren't able
to run a separate sshd in each and every jail.  Patching the
sshd source as described above enabled us to run just one
sshd on the machine.  Of course, it also has disadvantages,
the largest is that a user who logs in twice is actually in
two different jails (although they're the same chroot dir),
so he can neither see nor kill his own processes running in the
other session.  But that's something we can easily live with.

I considered submitting my patches, but to be honest, I wasn't
sure where to submit them.  To the OpenSSH people?  Nope, the
patches are clearly FreeBSD-specific.  So submit them to the
FreeBSD people?  I don't know.

Also, the patches are for openssh 2.9.  I haven't looked at
the openssh 3.3 or 3.4 sources yet, but I fear that it will
be difficult to merge the patches there, and it's probably
impossible to use them with privsep enabled, because jail()
requires superuser privileges, but the authentication is
performed as the sshd user when privsep is enabled.  (Please
someone correct me if I'm wrong.)

Anyway.  If anyone wants to look at my jail() patches for
sshd (openssh 2.9), I'll be happy to mail them or put them
up on some webpage.  We have been using them in production
for almost a year now.

Regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"All that we see or seem is just a dream within a dream" (E. A. Poe)
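Added example, not Oliver Fromme's patch (the patch itself is not on the page): a C sketch of the ordering the message describes, in which a per-user jail entry (chroot directory, IP, hostname) is read from a hypothetical `JailUser` sshd_config line and entered right after the client has sent its username, so that authentication then runs inside the jail. The jail(2) branch uses the FreeBSD 4-era `struct jail` (version 0 with `ip_number`) and is compiled only on FreeBSD releases before 8; elsewhere `enter_user_jail` fails with ENOSYS. The root check illustrates the privsep caveat raised in the message: jail(2) needs superuser privileges, so the call cannot be made by a process that has already dropped to the unprivileged sshd user. The config format, the function names and `placeholder_auth` are assumptions.

```c
/* Added example, not from the patch described in the message.
 * Hypothetical sshd_config format: "JailUser <user> <path> <ip> <hostname>". */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#if defined(__FreeBSD__) && __FreeBSD__ < 8
#include <sys/param.h>
#include <sys/jail.h>   /* FreeBSD 4-era jail(2), struct jail version 0 */
#endif

/* Per-user jail parameters, as the hypothetical config option would carry. */
struct user_jail {
    char user[32];
    char path[256];              /* chroot directory of the jail */
    char hostname[256];
    char ip[INET_ADDRSTRLEN];
};

/* Parse one "JailUser" line. Returns 0 on success, -1 if the line is not a
 * well-formed entry (wrong keyword, relative path, malformed IPv4 address). */
int parse_jail_line(const char *line, struct user_jail *out)
{
    char keyword[16];
    struct in_addr a;
    memset(out, 0, sizeof(*out));
    if (sscanf(line, "%15s %31s %255s %15s %255s",
               keyword, out->user, out->path, out->ip, out->hostname) != 5)
        return -1;
    if (strcmp(keyword, "JailUser") != 0)
        return -1;
    if (out->path[0] != '/')                    /* jail root must be absolute */
        return -1;
    if (inet_pton(AF_INET, out->ip, &a) != 1)   /* reject malformed addresses */
        return -1;
    return 0;
}

/* Constructed sample table, as if taken from sshd_config. */
static const char *sample_config[] = {
    "JailUser alice /jails/alice 10.0.0.5 alice.example.com",
    "JailUser bob   /jails/bob   10.0.0.6 bob.example.com",
};

/* Fill tab from the sample lines; returns the number of valid entries. */
size_t load_sample_table(struct user_jail *tab, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof(sample_config) / sizeof(sample_config[0]) && n < max; i++)
        if (parse_jail_line(sample_config[i], &tab[n]) == 0)
            n++;
    return n;
}

/* Look up the entry for a user; NULL if the user has no jail configured. */
const struct user_jail *find_user_jail(const struct user_jail *tab, size_t n, const char *user)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tab[i].user, user) == 0)
            return &tab[i];
    return NULL;
}

/* Enter the user's jail. Must run while still root: jail(2) requires superuser
 * privileges, which is why this step cannot live in a privsep child that has
 * already switched to the sshd user. Returns 0 on success, -1 with errno set
 * (EPERM when not root, ENOSYS when built on a system without this jail(2)). */
int enter_user_jail(const struct user_jail *uj)
{
    if (geteuid() != 0) { errno = EPERM; return -1; }
#if defined(__FreeBSD__) && __FreeBSD__ < 8
    struct jail j;
    struct in_addr a;
    inet_pton(AF_INET, uj->ip, &a);
    memset(&j, 0, sizeof(j));
    j.version = 0;
    j.path = (char *)uj->path;
    j.hostname = (char *)uj->hostname;
    j.ip_number = ntohl(a.s_addr);
    return jail(&j);
#else
    (void)uj;
    errno = ENOSYS;
    return -1;
#endif
}

/* Session step mirroring the ordering in the message: the username arrives,
 * the process enters that user's jail, then authentication runs and therefore
 * consults the jail's own spwd.db. Returns 0 only if the user was authenticated
 * inside the jail; -1 if no jail is configured, jail() failed, or auth rejected. */
int jail_then_authenticate(const struct user_jail *tab, size_t n, const char *user,
                           int (*authenticate)(const char *user))
{
    const struct user_jail *uj = find_user_jail(tab, n, user);
    if (uj == NULL) return -1;              /* no per-user jail: refuse the login */
    if (enter_user_jail(uj) != 0) return -1;
    return authenticate(user) ? 0 : -1;
}

/* Placeholder for sshd's real authentication hook (assumption, not sshd code). */
static int placeholder_auth(const char *user) { (void)user; return 0; }

int main(void)
{
    struct user_jail tab[4];
    size_t n = load_sample_table(tab, 4);
    printf("loaded %zu jail entries\n", n);
    if (jail_then_authenticate(tab, n, "alice", placeholder_auth) != 0)
        printf("alice: not jailed and authenticated (%s)\n", strerror(errno));
    return 0;
}
```

The only part that talks to the kernel is `enter_user_jail`; the parser and the lookup are what a config option like this would need in sshd, and the EPERM path is the check that makes the privsep incompatibility visible at runtime rather than as a silent failure.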
