From: Brett Glass
To: Nigel Houghton
Cc: freebsd-security@freebsd.org
Date: Mon, 20 Dec 2004 15:11:45 -0700
Subject: Re: chroot-ing users coming in via SSH and/or SFTP?

At 02:23 PM 12/20/2004, Nigel Houghton wrote:

>Is there something wrong with using the scponly shell for the users?

Mainly that I hadn't heard of it until you mentioned it. ;-) Thank you! (I knew I could get a quick answer, if there was one, from the list.)

I just tried building it (twice, because the first time I didn't realize that it required a special variable to be defined before it would set itself up to chroot users). I'll be testing it shortly to be sure that the "jails" created by its sample script (which creates both the user ID and the jail) have everything needed for FreeBSD.

It'd be nice if there were a more centralized "chroot" facility that covered SSH, FTP, and other things as well.

--Brett