From owner-freebsd-security@FreeBSD.ORG Fri Jan 14 01:51:39 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1510E16A4CE for ; Fri, 14 Jan 2005 01:51:39 +0000 (GMT) Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id C26AA43D58 for ; Fri, 14 Jan 2005 01:51:38 +0000 (GMT) (envelope-from brdavis@odin.ac.hmc.edu) Received: from odin.ac.hmc.edu (localhost.localdomain [127.0.0.1]) by odin.ac.hmc.edu (8.13.0/8.13.0) with ESMTP id j0E1smcj005014; Thu, 13 Jan 2005 17:54:48 -0800 Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.13.0/8.13.0/Submit) id j0E1smtD005013; Thu, 13 Jan 2005 17:54:48 -0800 Date: Thu, 13 Jan 2005 17:54:47 -0800 From: Brooks Davis To: vvi tech Message-ID: <20050114015447.GA4695@odin.ac.hmc.edu> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="tThc/1wpZn/ma/RB" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.1i X-Virus-Scanned: by amavisd-new X-Spam-Status: No, hits=0.0 required=8.0 tests=none autolearn=no version=2.63 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on odin.ac.hmc.edu cc: freebsd-security@freebsd.org Subject: Re: Equilivant for a sshchroot file? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Jan 2005 01:51:39 -0000 --tThc/1wpZn/ma/RB Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jan 13, 2005 at 05:43:47PM -0800, vvi tech wrote: > Hey guys I really have made use of the ftpchroot file in /etc but I wonder > why is there no equivalent of that for ssh and telnet accounts? Basically > simply limiting traversing the file system to specific shell users root. It's a vastly different problem. With ftp, all you need to do is keep the daemon and possiably a few external programs working. With ssh or telnet, there's little point unless you can keep a set of applications working. There are choot patches for ssh avaliable. Alternativly, you can use jail(8) to seperate processes from each other. One (debian specific)writeup on chrooted ssh: http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.e= n.html -- Brooks --=20 Any statement of the form "X is the one, true Y" is FALSE. PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --tThc/1wpZn/ma/RB Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFB5yZnXY6L6fI4GtQRAjyzAJ44hV4zpHVt3ovP5BI79jgME6YUdQCggBWE EQtIlMroKBPrW9z5GAveW3w= =2Wed -----END PGP SIGNATURE----- --tThc/1wpZn/ma/RB--