ssh jail

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Oct 2 19:17:18 UTC 2008


kalin m wrote:
> 
> hi all...
> 
> i have openssh 5. i want to jail the users to their home directories so 
> they can go down but not up.
> 
> i didn't see a directive that does that in the man or in the sshd_config.
> 
> how do i do that?

You need a specially patched version of OpenSSH.  You can download
the patches from here:

    http://chrootssh.sourceforge.net/download/

and try patching the system sources.  If you're not an experienced
developer wise in the ways of patch(1) and diff(1) and make(1), this
definitely isn't a good idea, especially for something as
security-sensitive as OpenSSH.

Realistically, just install the security/openssh-portable port and
make sure to check the 'OPENSSH_CHROOT' box in the config dialog.
Note: if you choose to select the 'OVERWRITE_BASE' option, be sure
to disable building ssh in the base system by making the appropriate
entries in /etc/src.conf (see src.conf(5)) or otherwise ensure that
whatever system update mechanism you use won't accidentally blow away
your specially patched ssh daemon.

If you don't overwrite the base system, then double check that the
init scripts are starting up the openssh-portable version.  You'll
need at least this in /etc/rc.conf:

    sshd_enable="NO"
    openssh_enable="YES"

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
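
One way to do the "double check" described in the message above, as an added example that is not part of the original post or of FreeBSD: a small sh script that reports which sshd an rc.conf-style file would enable. The function names (rc_value, is_yes, which_sshd) are hypothetical, the sample file is constructed, and the accepted "yes" spellings are assumed to match what rc.subr's checkyesno accepts.

```shell
#!/bin/sh
# Added example: report which sshd an rc.conf-style file would enable.
# rc.conf is read as shell assignments, so the LAST assignment of a variable wins.

# rc_value FILE VAR -> prints the last value assigned to VAR (empty if never set)
rc_value() {
    sed -n -e 's/[[:space:]]*#.*$//' \
        -e "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" \
        "$1" | tail -n 1
}

# is_yes VALUE -> true for the spellings assumed to count as "enabled"
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# which_sshd FILE -> prints one of: portable | base | both | none
which_sshd() {
    base=$(rc_value "$1" sshd_enable)       # base system sshd
    port=$(rc_value "$1" openssh_enable)    # openssh-portable port
    if is_yes "$base" && is_yes "$port"; then echo both
    elif is_yes "$port"; then echo portable
    elif is_yes "$base"; then echo base
    else echo none
    fi
}

# Constructed sample: base sshd enabled first, then overridden as in the message.
sample=$(mktemp)
cat > "$sample" <<'EOF'
sshd_enable="YES"
# later edit following the advice above
sshd_enable="NO"
openssh_enable="YES"   # openssh-portable rc script
EOF
echo "rc.conf would start: $(which_sshd "$sample")"
rm -f "$sample"
```

Call which_sshd /etc/rc.conf on the real host; it reads only the file it is given, so settings in other rc configuration files are not considered.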
