From: Matthew Seaman
To: kalin m
Cc: freebsd-questions@freebsd.org
Subject: Re: ssh jail
Date: Thu, 02 Oct 2008 20:17:02 +0100
Message-ID: <48E51E2E.90500@infracaninophile.co.uk>
In-Reply-To: <48E5070D.8050400@el.net>

kalin m wrote:
>
> hi all...
>
> i have openssh 5. i want to jail the users to their home directories so
> they can go down but not up.
>
> i didn't see a directive that does that in the man or in the sshd_config.
>
> how do i do that?

You need a specially patched version of OpenSSH.  You can download the
patches from here:

    http://chrootssh.sourceforge.net/download/

and try patching the system sources.

If you're not an experienced developer wise in the ways of patch(1),
diff(1) and make(1), this definitely isn't a good idea, especially for
something as security-sensitive as OpenSSH.

Realistically, just install the security/openssh-portable port and make
sure to check the 'OPENSSH_CHROOT' box in the config dialog.

Note: if you choose to select the 'OVERWRITE_BASE' option, be sure to
disable building ssh in the base system by making the appropriate entries
in /etc/src.conf (see src.conf(5)), or otherwise ensure that whatever
system update mechanism you use won't accidentally blow away your
specially patched ssh daemon.

If you don't overwrite the base system, then double-check that the init
scripts are starting up the openssh-portable version.  You'll need at
least this in /etc/rc.conf:

    sshd_enable="NO"
    openssh_enable="YES"

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
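Added example for the rc.conf step in the reply above; this is not code from the mail or from the openssh-portable port. The knob names sshd_enable and openssh_enable are the ones the reply gives. Two things it relies on are FreeBSD behaviour rather than anything stated on the page: rc.conf is sourced by sh at boot (so the last assignment to a variable wins), and rc.subr's checkyesno() treats yes/true/on/1 in any case as enabled, with both knobs defaulting to "NO" in /etc/defaults/rc.conf. The rc.conf snippets fed to it are constructed for the demonstration. The check evaluates a file the same way rc(8) would and reports which sshd will actually start, which catches the case the reply warns about (the base daemon still enabled alongside the port, so both contend for port 22) as well as a file that enables neither.

```sh
#!/bin/sh
# Added example, not code from the mail above or from the openssh-portable
# port.  rc.conf is sourced by sh at boot, so the last assignment to a
# variable wins, and rc.subr's checkyesno() treats yes/true/on/1 (any case)
# as enabled.  check_sshd_rc evaluates a file the same way and reports
# which sshd will actually start.
#
# Exit status: 0  only openssh-portable (openssh_enable) will start
#              1  the base sshd (sshd_enable) is still on, alone or alongside
#                 the port, in which case two daemons contend for port 22
#              2  no sshd is enabled at all
#              3  the file cannot be read

yesno() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        yes|true|on|1) return 0 ;;
        *)             return 1 ;;
    esac
}

check_sshd_rc() {
    rcfile=$1
    [ -r "$rcfile" ] || { echo "cannot read $rcfile" >&2; return 3; }

    # Source the file in a subshell so it cannot clobber our own variables.
    # Both knobs start at "NO", their value in /etc/defaults/rc.conf.
    vals=$(
        sshd_enable=NO
        openssh_enable=NO
        . "$rcfile" >/dev/null 2>&1
        printf '%s %s' "$sshd_enable" "$openssh_enable"
    )
    base=${vals%% *}
    port=${vals#* }

    if yesno "$base"; then
        if yesno "$port"; then
            echo "BAD: sshd_enable=$base and openssh_enable=$port: both daemons start and fight over port 22"
        else
            echo "BAD: sshd_enable=$base: the unpatched base sshd starts, so no chroot"
        fi
        return 1
    fi
    if yesno "$port"; then
        echo "OK: sshd_enable=$base openssh_enable=$port: only openssh-portable starts"
        return 0
    fi
    echo "BAD: neither sshd_enable nor openssh_enable is on: no sshd will start"
    return 2
}

# Demonstration on constructed rc.conf snippets (not files from the mail).
demo=$(mktemp) || exit 1
trap 'rm -f "$demo"' EXIT

# Base sshd only, as the installer leaves it.
printf 'sshd_enable="YES"\n' > "$demo"
check_sshd_rc "$demo"

# Port enabled but the base daemon was never turned off.
printf 'sshd_enable="YES"\nopenssh_enable="YES"\n' > "$demo"
check_sshd_rc "$demo"

# The reply's recommendation; the later sshd_enable line overrides the earlier one.
printf 'sshd_enable="YES"\nsshd_enable="NO"\nopenssh_enable="YES"\n' > "$demo"
check_sshd_rc "$demo"
```

Run it as `check_sshd_rc /etc/rc.conf` after editing; the both-YES case is the one that bites quietly, since whichever daemon starts second just fails to bind port 22 and the one answering may be the unpatched base sshd. For the OVERWRITE_BASE route, the src.conf(5) entry the reply alludes to is WITHOUT_OPENSSH=yes on releases of that era (my expectation, confirm it against src.conf(5) on your system); without it the next installworld puts the base sshd back over the port's binary.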