Date: Thu, 02 Oct 2008 16:00:08 -0400
From: kalin m <kalin@el.net>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: freebsd-questions@freebsd.org
Subject: Re: ssh jail
Message-ID: <48E52848.701@el.net>
In-Reply-To: <48E51E2E.90500@infracaninophile.co.uk>
References: <48E5070D.8050400@el.net> <48E51E2E.90500@infracaninophile.co.uk>

thanks.. i'll look at the patches....

Matthew Seaman wrote:
> kalin m wrote:
>>
>> hi all...
>>
>> i have openssh 5. i want to jail the users to their home directories
>> so they can go down but not up.
>>
>> i didn't see a directive that does that in the man or in the
>> sshd_config.
>>
>> how do i do that?
>
> You need a specially patched version of OpenSSH. You can download
> the patches from here:
>
>    http://chrootssh.sourceforge.net/download/
>
> and try patching the system sources. If you're not an experienced
> developer wise in the ways of patch(1) and diff(1) and make(1) this
> definitely isn't a good idea especially for something as security
> sensitive as OpenSSH.
>
> Realistically, just install the security/openssh-portable port and
> make sure to check the 'OPENSSH_CHROOT' box in the config dialog.
> Note: if you choose to select the 'OVERWRITE_BASE' option, be sure
> to disable building ssh in the base system by making the appropriate
> entries in /etc/src.conf (see src.conf(5)) or otherwise ensure that
> whatever system update mechanism you use won't accidentally blow away
> your specially patched ssh daemon.
>
> If you don't overwrite the base system, then double check that the
> init scripts are starting up the openssh-portable version. You'll
> need at least this in /etc/rc.conf:
>
>    sshd_enable="NO"
>    openssh_enable="YES"
>
> Cheers,
>
> Matthew
>
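
A check for the "double check that the init scripts are starting up the openssh-portable version" step in the quoted reply, as an added example that is not part of the original thread. The function names and the sample file are constructed for illustration, and treating an unset knob as "NO" is an assumption.

```shell
#!/bin/sh
# Added example: report which SSH daemon an rc.conf-style file would start.
# Assumption: a knob that is never set counts as "NO".

# Print the last value assigned to knob $2 in file $1. rc.conf is sourced as
# shell, so a later assignment overrides an earlier one. Prints nothing if unset.
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Succeed when the value is one rc.subr treats as true (YES/TRUE/ON/1).
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the configuration found in file $1.
check_sshd_rc() {
    base=$(rc_value "$1" sshd_enable)
    port=$(rc_value "$1" openssh_enable)
    if is_yes "$base" && is_yes "$port"; then
        echo "conflict: base sshd and openssh-portable both enabled"
    elif is_yes "$base"; then
        echo "base: unpatched base sshd will start"
    elif is_yes "$port"; then
        echo "portable: openssh-portable will start"
    else
        echo "none: no SSH daemon enabled"
    fi
}

# Constructed sample: a leftover sshd_enable="YES" overridden later in the file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
hostname="shell.example.org"
sshd_enable="YES"
# switched to the chroot-capable port build
sshd_enable="NO"
openssh_enable="YES"
EOF
check_sshd_rc "$sample"
rm -f "$sample"
```

On a real host, call `check_sshd_rc /etc/rc.conf`; anything other than the `portable:` result means the chroot-patched daemon is not the one answering logins, or that two daemons are enabled at once.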