[scponly] scponly chroot vs. Openssh forcecommand

Kaleb Pederson kibab at icehouse.net
Thu Dec 28 01:34:52 EST 2006


On Wednesday 27 December 2006 19:15, Brian A. Davis wrote:
> OK, I've done enough testing to realize the easiest way for *me* is to
> use the chroot openssh patch with sftp-server as the users shell. It's
> still not clear to me, if you have users which don't need any shell
> access, why you would use the ForceCommand instead of setting the shell.

The shell is expected to accept a couple of arguments, namely the name of the 
program that is expected to execute -- in certain cases this would be 
sftp-server, in others it would be scp or other allowed commands.  I wouldn't 
expect this to work, but it really depends on what the sftp-server does with 
the extra arguments.

--Kaleb

> FYI, my /etc/passwd line is:
>
> test:x:1004:100::/raid/chroot/home/./test:/usr/lib/misc/sftp-server
>
> That extra '.' is for the chroot.
>
> Comments welcome.
>
> Thanks,
> Brian
>
> Brian A. Davis wrote:
> > I'm still testing, but I think using the chroot patch referenced below
> > and setting the user's shell to /usr/lib/misc/sftp-server (in my case)
> > is the answer for me.
> >
> > I'm still trying to determine the difference (functionally and
> > security-wise) between using the ForceCommand to force the sftp-server
> > or setting it as the user's shell.
> >
> > Thanks,
> > Brian
> >
> > Kaleb Pederson wrote:
> >> OpenSSH doesn't currently have the ability to chroot, although there
> >> is a patch that will allow it to chroot:
> >>
> >> http://chrootssh.sourceforge.net/index.php
> >>
> >> Hmm.... There is one thing that might work if OpenSSH allows spaces
> >> in the "ForceCommand" (and if not, you might be able to make a
> >> wrapper script):
> >>
> >> Match User restricted-user
> >>     ForceCommand chroot /path/to/chroot -s /usr/libexec/sftp-server
> >>
> >> That's totally untested, but it might work.
> >>
> >> If you try it, please post your results and let us know.
> >>
> >> Thanks.
> >>
> >> --Kaleb
> >>
> >> On Tuesday 26 December 2006 20:18, Brian A. Davis wrote:
> >>> Hey Folks,
> >>>
> >>> I saw a recent thread which introduced (to me anyway) the ForceCommand
> >>> based on some new OpenSSH functionality, where you can force a user
> >>> solely via OpenSSH to a sftp only subsystem.
> >>>
> >>> To copy-paste the example given on the thread:
> >>>
> >>> Match User restricted-user
> >>>     ForceCommand /usr/libexec/sftp-server
> >>>
> >>> Now, this is basically all I'm looking for, but I'm already running a
> >>> chrooted scponly install. However, if I can get all the functionality
> >>> out of OpenSSH, I'd like to remove scponly in the interest of keeping
> >>> things simple.
> >>>
> >>> I don't need scp access, so I'm thinking the only reason for me to keep
> >>> scponly is for the chroot.
> >>>
> >>> Does anyone know if I can chroot my users using the OpenSSH
> >>> ForceCommand method? If not, I'll stick with the scponly setup I have.
> >>>
> >>> Thanks,
> >>> Brian
> >>>
> >>> _______________________________________________
> >>> scponly mailing list
> >>> scponly at lists.ccs.neu.edu
> >>> https://lists.ccs.neu.edu/bin/listinfo/scponly
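Kaleb's point above is that sshd never runs a forced command or subsystem directly: it runs the account's login shell as `<shell> -c "<command>"`, so a bare sftp-server in the shell field receives `-c /usr/lib/misc/sftp-server` as its own arguments. The wrapper script he suggested earlier in the thread is the usual way around that. The script below is an added example, not code from the thread or from scponly: a login shell that accepts exactly one command (the sftp-server path from Brian's setup) and refuses everything else, so an interactive login, an scp request, or sftp-server with client-supplied options all get nothing. The install path /usr/local/bin/sftp-only-shell and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a login-shell wrapper for an SFTP-only
# account. Install as /usr/local/bin/sftp-only-shell (hypothetical path) and
# put that path in the shell field of the account's /etc/passwd entry.
#
# sshd runs the user's shell as   <shell> -c "<command>"   for a subsystem
# request or a forced command, and with no arguments at all for a plain
# interactive login. This wrapper permits the first form with one exact
# command and refuses everything else.

# Path taken from the thread's /etc/passwd line; adjust to wherever your
# "Subsystem sftp ..." line in sshd_config points.
SFTP_SERVER="${SFTP_SERVER:-/usr/lib/misc/sftp-server}"

# Record a refused request where an administrator will see it (stderr for the
# client, syslog auth facility if logger is available). Always returns 0; the
# caller decides the exit status.
sftp_only_reject() {
    echo "sftp-only: $1" >&2
    command -v logger >/dev/null 2>&1 \
        && logger -p auth.notice -t sftp-only "${USER:-unknown}: $1" 2>/dev/null \
        || :
}

# sftp_only_decide "$@": given the arguments the login shell was invoked with,
# print the single command that may be executed and return 0, or return 1.
sftp_only_decide() {
    # No arguments: sshd is starting an interactive session (ssh with no
    # remote command). Refuse it.
    if [ "$#" -eq 0 ]; then
        sftp_only_reject "interactive login not permitted"
        return 1
    fi
    # Only the two-argument "-c <command>" form sshd uses is considered.
    if [ "$#" -ne 2 ] || [ "$1" != "-c" ]; then
        sftp_only_reject "unexpected shell arguments: $*"
        return 1
    fi
    # Exact string match only. A Subsystem line without options produces
    # exactly this string, so "scp -f ...", an arbitrary program, or
    # sftp-server with extra client-chosen options never match.
    if [ "$2" = "$SFTP_SERVER" ]; then
        printf '%s\n' "$SFTP_SERVER"
        return 0
    fi
    sftp_only_reject "command not permitted: $2"
    return 1
}

# Dispatch only when actually running under the installed wrapper name, so
# the functions above can be sourced and exercised without exec'ing anything.
case "$0" in
    */sftp-only-shell|sftp-only-shell)
        cmd="$(sftp_only_decide "$@")" || exit 1
        exec "$cmd"
        ;;
esac
```

Two practical notes. The wrapper does no chroot of its own: with the chrootssh patch discussed in the thread, the chroot happens before the shell is executed, so the wrapper, /bin/sh, and sftp-server must all exist inside the jail, which is the same requirement the "/./" marker already imposes on sftp-server. And because the match is exact, an sshd_config Subsystem line that passes options to sftp-server needs the same full string placed in SFTP_SERVER, otherwise legitimate sftp sessions are refused and logged as "command not permitted".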