[scponly] scponly chroot vs. Openssh forcecommand

Kaleb Pederson kibab at icehouse.net
Thu Dec 28 01:37:00 EST 2006


On Wednesday 27 December 2006 18:31, Brian A. Davis wrote:
> I'm still testing, but I think using the chroot patch referenced below
> and setting the user's shell to /usr/lib/misc/sftp-server (in my case) is
> the answer for me.
>
> I'm still trying to determine the difference (functionally and security
> wise) between using the ForceCommand to force the sftp-server or setting
> it as the user's shell.

As I just mentioned in my other e-mail, I wouldn't expect setting sftp-server
as the user's shell to work -- but it might.

I would use the chroot functionality and then still specify ForceCommand with 
the command being /path/to/sftp-server as it exists within the chroot.

I hope that helps.

--Kaleb


> Thanks,
> Brian
>
> Kaleb Pederson wrote:
> > OpenSSH doesn't currently have the ability to chroot, although there is a
> > patch that will allow it to chroot:
> >
> > http://chrootssh.sourceforge.net/index.php
> >
> > Hmm.... There is one thing that might work if OpenSSH allows spaces in
> > the "ForceCommand" (and if not, you might be able to make a wrapper
> > script):
> >
> > Match User restricted-user
> >     ForceCommand chroot /path/to/chroot -s /usr/libexec/sftp-server
> >
> > That's totally untested, but it might work.
> >
> > If you try it, please post your results and let us know.
> >
> > Thanks.
> >
> > --Kaleb
> >
> > On Tuesday 26 December 2006 20:18, Brian A. Davis wrote:
> >> Hey Folks,
> >>
> >> I saw a recent thread which introduced (to me anyway) the ForceCommand
> >> based on some new OpenSSH functionality, where you can force a user
> >> solely via OpenSSH to a sftp only subsystem.
> >>
> >> To copy-paste the example given on the thread:
> >>
> >> Match User restricted-user
> >>     ForceCommand /usr/libexec/sftp-server
> >>
> >> Now, this is basically all I'm looking for, but I'm already running a
> >> chrooted scponly install. However, if I can get all the functionality
> >> out of OpenSSH, I'd like to remove scponly in the interest of keeping
> >> things simple.
> >>
> >> I don't need scp access, so I'm thinking the only reason for me to keep
> >> scponly is for the chroot.
> >>
> >> Does anyone know if I can chroot my users using the OpenSSH ForceCommand
> >> method? If not, I'll stick with the scponly setup I have.
> >>
> >> Thanks,
> >> Brian
> >>
> >> _______________________________________________
> >> scponly mailing list
> >> scponly at lists.ccs.neu.edu
> >> https://lists.ccs.neu.edu/bin/listinfo/scponly
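
The advice above is to give ForceCommand the sftp-server path "as it exists within the chroot". The following is an added example, not part of the original thread: a pre-flight check that reads the ForceCommand for a user from an sshd_config and confirms that path resolves to an executable inside the jail. The function names, the CONFIG USER JAIL usage, and the simplified Match parsing (one literal user name) are assumptions of this example.

```shell
#!/bin/sh
# Added example. Function names and the CONFIG USER JAIL usage are illustrative.

# Print the ForceCommand of the "Match User <user>" block in an sshd_config.
# Simplification: matches a single literal user name, no patterns or lists.
forced_command() {  # $1 = sshd_config path, $2 = user name
    awk -v user="$2" '
        tolower($1) == "match" {
            in_block = (tolower($2) == "user" && $3 == user); next
        }
        in_block && tolower($1) == "forcecommand" {
            $1 = ""; sub(/^ +/, ""); print; exit
        }
    ' "$1"
}

# Verify the forced command exists as seen from inside the chroot.
# Simplification: symlinked directories along the path are not examined.
check_jail_command() {  # $1 = chroot directory, $2 = ForceCommand value
    jail=${1%/}
    cmd=${2%% *}        # drop any arguments after the program path
    case $jail in /*) ;; *) echo "jail must be an absolute path"; return 1 ;; esac
    case $cmd in /*) ;; *) echo "command must be an absolute path"; return 1 ;; esac
    case $cmd in */../*|*/..) echo "command contains '..'"; return 1 ;; esac
    [ -d "$jail" ] || { echo "no such jail directory: $jail"; return 1; }
    target=$jail$cmd
    if [ -L "$target" ]; then
        echo "symlink, may resolve elsewhere after chroot: $cmd"; return 1
    fi
    if [ ! -f "$target" ] || [ ! -x "$target" ]; then
        echo "not an executable file inside the jail: $cmd"; return 1
    fi
    # A jail root or binary writable by group/others can be modified by
    # accounts other than its owner.
    for p in "$jail" "$target"; do
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "group- or world-writable: $p"; return 1
        fi
    done
    echo "ok: $target"
}

if [ "$#" -eq 3 ]; then
    check_jail_command "$3" "$(forced_command "$1" "$2")"
fi
```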
