[scponly] scponly chroot vs. Openssh forcecommand

Brian A. Davis bridavis at comcast.net
Thu Dec 28 13:29:40 EST 2006


On my Gentoo 2006.1 system, setting sftp-server as the shell works fine. 
Of course, if you need to pass arguments to sftp-server, then you are 
correct to use the ForceCommand instead.

Thanks,
Brian

Kaleb Pederson wrote:
> On Wednesday 27 December 2006 18:31, Brian A. Davis wrote:
>   
>> I'm still testing, but I think using the chroot patch referenced below
>> and setting the user's shell to /usr/lib/misc/sftp-server (in my case) is
>> the answer for me.
>>
>> I'm still trying to determine the difference (functionally and security
>> wise) between using the ForceCommand to force the sftp-server or setting
>> it as the user's shell.
>>     
>
> As I just mentioned in my other e-mail, I wouldn't expect setting sftp-server 
> as the user's shell to work -- but it might.
>
> I would use the chroot functionality and then still specify ForceCommand with 
> the command being /path/to/sftp-server as it exists within the chroot.
>
> I hope that helps.
>
> --Kaleb
>
>
>   
>> Thanks,
>> Brian
>>
>> Kaleb Pederson wrote:
>>     
>>> OpenSSH doesn't currently have the ability to chroot, although there is a
>>> patch that will allow it to chroot:
>>>
>>> http://chrootssh.sourceforge.net/index.php
>>>
>>> Hmm.... There is one thing that might work if OpenSSH allows spaces in
>>> the "ForceCommand" (and if not, you might be able to make a wrapper
>>> script):
>>>
>>> Match User restricted-user
>>>     ForceCommand chroot /path/to/chroot -s /usr/libexec/sftp-server
>>>
>>> That's totally untested, but it might work.
>>>
>>> If you try it, please post your results and let us know.
>>>
>>> Thanks.
>>>
>>> --Kaleb
>>>
>>> On Tuesday 26 December 2006 20:18, Brian A. Davis wrote:
>>>       
>>>> Hey Folks,
>>>>
>>>> I saw a recent thread which introduced (to me anyway) the ForceCommand
>>>> based on some new OpenSSH functionality, where you can force a user
>>>> solely via OpenSSH to a sftp only subsystem.
>>>>
>>>> To copy and paste the example given on the thread:
>>>>
>>>> Match User restricted-user
>>>>     ForceCommand /usr/libexec/sftp-server
>>>>
>>>> Now, this is basically all I'm looking for, but I'm already running a
>>>> chrooted scponly install. However, if I can get all the functionality
>>>> out of OpenSSH, I'd like to remove scponly in the interest of keeping
>>>> things simple.
>>>>
>>>> I don't need scp access, so I'm thinking the only reason for me to keep
>>>> scponly is for the chroot.
>>>>
>>>> Does anyone know if I can chroot my users using the OpenSSH ForceCommand
>>>> method? If not, I'll stick with the scponly setup I have.
>>>>
>>>> Thanks,
>>>> Brian
>>>>
>>>>         
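
The thread contrasts two places an sftp-only restriction can live: a ForceCommand in sshd_config or the account's login shell. The script below is an added example, not code from the thread or from scponly/OpenSSH, that reports which one applies to each account. The sample config and passwd lines are constructed, only Match blocks whose sole criterion is User are handled, and sshd's pattern matching is approximated with fnmatch (negated patterns are not handled).

```python
import fnmatch

# Constructed sample inputs; only restricted-user and the two sftp-server
# paths come from the thread, every other account is made up.
SSHD_CONFIG = """\
Match User restricted-user,upload-*
    ForceCommand /usr/libexec/sftp-server
Match User alice
    X11Forwarding no
"""
PASSWD = """\
restricted-user:x:1001:1001::/home/restricted-user:/bin/bash
brian:x:1002:1002::/home/brian:/usr/lib/misc/sftp-server
upload-1:x:1003:1003::/home/upload-1:/bin/sh
alice:x:1004:1004::/home/alice:/bin/bash
"""

def forced_commands(config_text):
    """Return [(user_patterns, command)] for 'Match User' blocks with ForceCommand."""
    rules, patterns = [], None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        keyword = words[0].lower()  # sshd_config keywords are case-insensitive
        if keyword == "match":
            # Simplification: a block with any criterion besides User is skipped.
            only_user = len(words) == 3 and words[1].lower() == "user"
            patterns = words[2].split(",") if only_user else None
        elif keyword == "forcecommand" and patterns and len(words) > 1:
            rules.append((patterns, raw.split(None, 1)[1].strip()))
    return rules

def is_sftp_server(command):
    return (command.split() or [""])[0].rsplit("/", 1)[-1] == "sftp-server"

def audit(config_text, passwd_text):
    """Map each account to 'forcecommand', 'shell' or 'unrestricted'."""
    rules, result = forced_commands(config_text), {}
    for entry in passwd_text.splitlines():
        user, *_, shell = entry.split(":")
        # sshd uses the first value it obtains, so take the first matching block.
        forced = next((cmd for pats, cmd in rules
                       if any(fnmatch.fnmatchcase(user, p) for p in pats)), "")
        if is_sftp_server(forced):
            result[user] = "forcecommand"
        elif is_sftp_server(shell):
            result[user] = "shell"
        else:
            result[user] = "unrestricted"
    return result
```

Calling `audit(SSHD_CONFIG, PASSWD)` returns a dict keyed by account name. An account reported as `shell` depends on its passwd entry alone, so a later shell change removes the restriction without any edit to sshd_config.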



