From owner-freebsd-questions@FreeBSD.ORG Thu Oct 2 20:00:10 2008
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3773910656B6 for ; Thu, 2 Oct 2008 20:00:10 +0000 (UTC) (envelope-from kalin@el.net)
Received: from mail.el.net (mail.el.net [64.81.218.253]) by mx1.freebsd.org (Postfix) with ESMTP id BD6EA8FC3E for ; Thu, 2 Oct 2008 20:00:09 +0000 (UTC) (envelope-from kalin@el.net)
Received: (qmail 35980 invoked by uid 1008); 2 Oct 2008 21:01:24 -0000
Received: from unknown (HELO kalins-macbook-pro.local) (kalin@el.net@74.1.12.115) by mail.el.net with ESMTPA; 2 Oct 2008 21:01:24 -0000
Message-ID: <48E52848.701@el.net>
Date: Thu, 02 Oct 2008 16:00:08 -0400
From: kalin m
User-Agent: Thunderbird 2.0.0.16 (Macintosh/20080707)
MIME-Version: 1.0
To: Matthew Seaman
References: <48E5070D.8050400@el.net> <48E51E2E.90500@infracaninophile.co.uk>
In-Reply-To: <48E51E2E.90500@infracaninophile.co.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: ssh jail
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 02 Oct 2008 20:00:10 -0000

Thanks. I'll look at the patches.

Matthew Seaman wrote:
> kalin m wrote:
>>
>> Hi all,
>>
>> I have OpenSSH 5. I want to jail the users to their home directories
>> so they can go down but not up.
>>
>> I didn't see a directive that does that in the man or in the
>> sshd_config.
>>
>> How do I do that?
>
> You need a specially patched version of OpenSSH. You can download
> the patches from here:
>
> http://chrootssh.sourceforge.net/download/
>
> and try patching the system sources.
> If you're not an experienced
> developer wise in the ways of patch(1) and diff(1) and make(1), this
> definitely isn't a good idea, especially for something as security
> sensitive as OpenSSH.
>
> Realistically, just install the security/openssh-portable port and
> make sure to check the 'OPENSSH_CHROOT' box in the config dialog.
> Note: if you choose to select the 'OVERWRITE_BASE' option, be sure
> to disable building ssh in the base system by making the appropriate
> entries in /etc/src.conf (see src.conf(5)), or otherwise ensure that
> whatever system update mechanism you use won't accidentally blow away
> your specially patched ssh daemon.
>
> If you don't overwrite the base system, then double check that the
> init scripts are starting up the openssh-portable version. You'll
> need at least this in /etc/rc.conf:
>
> sshd_enable="NO"
> openssh_enable="YES"
>
> Cheers,
>
> Matthew
>
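The rc.conf check at the end of Matthew's reply, as an added example that is not code from the thread or from the openssh-portable port: a POSIX sh script that reads an rc.conf and reports which sshd the rc scripts would actually start (the "both enabled" case is the easy mistake when the base daemon is left on), and checks src.conf for WITHOUT_OPENSSH, which is the src.conf(5) knob I would use to cover the OVERWRITE_BASE case (the reply points at src.conf(5) without naming one). The sample files are constructed inline; the function names and file names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the openssh-portable port:
# a checker for the /etc/rc.conf and /etc/src.conf settings the reply describes.
# File paths are parameters because the samples below are constructed here;
# on a real host pass /etc/rc.conf and /etc/src.conf.

# rc_value FILE VAR: print the last assignment to VAR in an sh-style rc file,
# with a trailing comment, trailing blanks and surrounding double quotes removed.
# Prints an empty line when VAR is never set.
rc_value() {
    _val=""
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in
            "$2"=*) _v=${_line#*=} ;;
            *) continue ;;
        esac
        _v=${_v%%#*}                 # drop a trailing comment
        _v=${_v%"${_v##*[! ]}"}      # trim trailing blanks
        _v=${_v#\"}; _v=${_v%\"}     # strip double quotes, if present
        _val=$_v
    done < "$1"
    printf '%s\n' "$_val"
}

# yesno VALUE: true for the spellings rc.subr(8)'s checkyesno accepts.
yesno() {
    case $1 in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# sshd_selection RCFILE: print which sshd the rc scripts would start.
#   port - base sshd off, openssh-portable on: the pairing the reply asks for
#   base - only the base sshd: the patched daemon is installed but never used
#   both - both enabled, so two daemons contend for port 22
#   none - no ssh daemon at all
sshd_selection() {
    _b=0; _p=0
    yesno "$(rc_value "$1" sshd_enable)" && _b=1
    yesno "$(rc_value "$1" openssh_enable)" && _p=1
    case $_b$_p in
        11) echo both ;;
        10) echo base ;;
        01) echo port ;;
        *)  echo none ;;
    esac
}

# base_openssh_disabled SRCCONF: true if src.conf sets WITHOUT_OPENSSH, the
# src.conf(5) knob that keeps buildworld/installworld from rebuilding base ssh
# over an OVERWRITE_BASE install (the reply does not name a knob; this is mine).
base_openssh_disabled() {
    grep -q '^[[:space:]]*WITHOUT_OPENSSH[[:space:]]*=' "$1"
}

# Constructed sample files (not taken from any real host).
tmp=$(mktemp -d "${TMPDIR:-/tmp}/sshdcheck.XXXXXX") || exit 1
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/rc.good" <<'EOF'
hostname="box.example"     # constructed sample
sshd_enable="NO"           # base sshd stays off
openssh_enable="YES"       # security/openssh-portable daemon starts
EOF

cat > "$tmp/rc.both" <<'EOF'
sshd_enable="YES"
openssh_enable="YES"       # port enabled, but base sshd never switched off
EOF

printf 'WITHOUT_OPENSSH=yes\n' > "$tmp/src.good"
printf 'WITHOUT_SENDMAIL=yes\n' > "$tmp/src.bad"

for f in rc.good rc.both; do
    printf '%s starts: %s\n' "$f" "$(sshd_selection "$tmp/$f")"
done
for f in src.good src.bad; do
    if base_openssh_disabled "$tmp/$f"; then
        printf '%s: base ssh build disabled\n' "$f"
    else
        printf '%s: base ssh will be rebuilt by installworld\n' "$f"
    fi
done
```

Run it as-is to see the constructed samples classified, or call `sshd_selection /etc/rc.conf` and `base_openssh_disabled /etc/src.conf` after sourcing the functions; anything other than `port` from the first, after installing the port with OVERWRITE_BASE unchecked, means the rc scripts are not starting the daemon you built.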