sshd behaviour

Nathan Kinkade nkinkade at
Thu Mar 17 07:43:26 PST 2005

On Wed, Mar 16, 2005 at 08:04:48PM +0300, Eugene M. Minkovskii wrote:
> On Wed, Mar 16, 2005 at 10:00:44AM -0600, Nathan Kinkade wrote:
> " 
> " As another poster mentioned, the problem is likely related to DNS, and I
> " have experienced it as well.  If you are using Privilege Separation,
> " then an sshd process will chroot itself into /var/empty before
> " performing authentication.  /var/empty is itself usually empty.  One
> " thing you can do is to make the dir /var/empty/etc and then drop a copy
> " of your /etc/hosts file into the newly created /var/empty/etc/
> " directory.  You might want to make sure that the hosts file contains a
> " mapping to the LAN machines which you want to ssh from.
> " 
> " Keep in mind that /var/empty has the schg flag set, so you won't be able
> " to copy anything to it without disabling this first.  See more at `man
> " chflags`.  Try something like this:
> " 
> " # chflags -R noschg /var/empty
> " # mkdir /var/empty/etc
> " # cp /etc/hosts /var/empty/etc
> " # chflags -R schg /var/empty
> " 
> " This will likely clear up your problem.
> " 
> " Nathan
> Thank you, Nathan. Can I put soft link into /var/empty/etc (this
> is crossdevice link, and I can't put hard link in it)? And does I
> realy need -R key in last command which you recomended? This mean
> that directory /var/empty/etc has schg flag too. Is it nessesery?

From `man sshd`:

	chroot(2) directory used by sshd during privilege separation in the
	pre-authentication phase.  The directory should not contain any files
	and must be owned by root and not group or world-writable.

I assume you can follow these rules.  The noschg flags may be something
that the FreeBSD developers decided to do for added security, and I
don't see any practical reason to alter it.  Regarding soft/hard links
in the chrooted dir, I don't know if that would work.  I suspect no, as
it would somewhat defeat the purpose of the chroot.  Cross-device link
error: hard links will only work within a single filesystem, not across
multiple filesystems.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :

More information about the freebsd-questions mailing list