[scponly] ssh key auth. using the same chroot env., possible?

Ralf Durkee rd at rd1.net
Thu Nov 30 22:00:56 EST 2006


One additional point: you need the ssh keys to be readable by the user 
(uid) logging in, so if they are installed by the admin, I usually 
change the group to that of the user, and set the permission so the 
key is read-only for the user's group, and no access for other.

owner = root (or admin)
group = user
mode  = 640

-- Ralf Durkee, CISSP, GSEC, GCIH, GSNA
Principal Security Consultant
http://rd1.net
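Paul's key relocation plus Ralf's ownership rule, as an added shell example that is not code from the thread: it expands sshd's %u token the way the AuthorizedKeysFile pattern does, installs a user's key at the root-owned location above the chroot, and checks that the result is owner:group with mode 640. The base path under /home/admin, the helper names, and running chown as root are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the layout from Paul's
# sshd_config line (AuthorizedKeysFile /home/admin/.ssh/%u/authorized_keys2)
# and that the caller is allowed to chown to OWNER (root in production).

# Expand sshd's %u token in an AuthorizedKeysFile pattern for one user.
render_keys_path() {  # usage: render_keys_path PATTERN USER
    printf '%s\n' "$1" | sed "s|%u|$2|g"
}

# Copy PUBKEY to the per-user key file under PATTERN, owned by
# OWNER:GROUP with mode 640 (read-only for the user's group, nothing for other).
install_authorized_key() {  # usage: install_authorized_key PATTERN USER PUBKEY OWNER GROUP
    pattern=$1; user=$2; pubkey=$3; owner=$4; group=$5
    # A user name must never be able to escape the key directory via %u.
    case $user in
        ''|*/*|..|.) echo "refusing suspicious user name: $user" >&2; return 1 ;;
    esac
    dest=$(render_keys_path "$pattern" "$user")
    mkdir -p "$(dirname "$dest")" || return 1
    cp "$pubkey" "$dest" && chown "$owner:$group" "$dest" && chmod 640 "$dest"
}

# Verify a key file has exactly the expected owner, group and mode 640
# (sshd will still read a looser file, so this is an admin-side audit).
key_perms_ok() {  # usage: key_perms_ok FILE OWNER GROUP
    [ -f "$1" ] && find "$1" -perm 640 -user "$2" -group "$3" -print | grep -q .
}
```

In production run it as root with OWNER=root and GROUP set to the login user's group, then restart sshd after changing AuthorizedKeysFile.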



Paul Hyder wrote:
> Relocating ssh keys is easy.
>   -update the sshd_config AuthorizedKeysFile variable to match the new,
>    root owned location (no longer in ~/.ssh/authorized_keys)
>    We use /home/admin/.ssh/%u/authorized_keys2 and a single jail.
>   -understand that the ssh key handling occurs BEFORE scponly, the keys
>    should be located above the chroot point if you don't want the users
>    to maintain them.  (otherwise the sshd can look in the user's chroot
>    incoming .ssh directory)
>
> Paul Hyder
> NOAA Earth System Research Laboratory, Global Systems Division
> Boulder, CO
>
> bridavis at comcast.net wrote:
>   
>> First, is there any way to search the mailing list archives?
>>
>> I'm afraid the answer to this question is no, but I wanted to check first.
>>
>> I have multiple users for which I want to use key-based ssh authentication. However, I don't want to build multiple chroot environments, since it would be just copying all the same files over and over for each user (i.e. n users = n chroot environments). I would have a single chroot base with different "incoming" directories which would only be writable to the respective user, and I'd use the scponly // magic to have each user placed into the right writable directory.
>>
>> The problem is that sshd looks for .ssh/authorized_keys in the user's home directory (which I'm assuming is the /chroot base and not the writable "incoming" directory). In this case, only one .ssh/authorized_keys file can exist in the chroot env.
>>
>> Is this correct? Is there a way around this?
>>
>>
>> _______________________________________________
>> scponly mailing list
>> scponly at lists.ccs.neu.edu
>> https://lists.ccs.neu.edu/bin/listinfo/scponly