[scponly] scponly chroot vs. Openssh forcecommand
Brian A. Davis
bridavis at comcast.net
Wed Dec 27 21:31:46 EST 2006
I'm still testing, but I think using the chroot patch referenced below
and setting the user's shell to /usr/lib/misc/sftp-server (in my case) is
the answer for me.
I'm still trying to determine the difference (functionally and
security-wise) between using the ForceCommand to force the sftp-server or
setting it as the user's shell.
Thanks,
Brian
Kaleb Pederson wrote:
> OpenSSH doesn't currently have the ability to chroot, although there is a
> patch that will allow it to chroot:
>
> http://chrootssh.sourceforge.net/index.php
>
> Hmm.... There is one thing that might work if OpenSSH allows spaces in
> the "ForceCommand" (and if not, you might be able to make a wrapper script):
>
> Match User restricted-user
> ForceCommand chroot /path/to/chroot -s /usr/libexec/sftp-server
>
> That's totally untested, but it might work.
>
> If you try it, please post your results and let us know.
>
> Thanks.
>
> --Kaleb
>
>
> On Tuesday 26 December 2006 20:18, Brian A. Davis wrote:
>
>> Hey Folks,
>>
>> I saw a recent thread which introduced (to me anyway) the ForceCommand
>> based on some new OpenSSH functionality, where you can force a user
>> solely via OpenSSH to an sftp-only subsystem.
>>
>> To copy-paste the example given on the thread:
>>
>> Match User restricted-user
>> ForceCommand /usr/libexec/sftp-server
>>
>> Now, this is basically all I'm looking for, but I'm already running a
>> chrooted scponly install. However, if I can get all the functionality
>> out of OpenSSH, I'd like to remove scponly in the interest of keeping
>> things simple.
>>
>> I don't need scp access, so I'm thinking the only reason for me to keep
>> scponly is for the chroot.
>>
>> Does anyone know if I can chroot my users using the OpenSSH ForceCommand
>> method? If not, I'll stick with the scponly setup I have.
>>
>> Thanks,
>> Brian
>>
>> _______________________________________________
>> scponly mailing list
>> scponly at lists.ccs.neu.edu
>> https://lists.ccs.neu.edu/bin/listinfo/scponly
>>
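
An added example, not part of the thread: a small audit that reports, per account, which of the two mechanisms discussed above is in effect, a `ForceCommand` set in a `Match User` block of sshd_config or the login shell field in passwd. The sample config and passwd lines are constructed, and only the simple `Match User name[,name]` form is handled (an assumption of this sketch).

```python
import fnmatch

# Constructed sample inputs (not taken from the systems in the thread).
SSHD_CONFIG = """\
Subsystem sftp /usr/libexec/sftp-server
Match User restricted-user
    ForceCommand /usr/libexec/sftp-server
Match User alice,bob
    X11Forwarding no
"""
PASSWD = """\
restricted-user:x:1001:1001::/home/restricted-user:/bin/bash
carol:x:1002:1002::/home/carol:/usr/lib/misc/sftp-server
alice:x:1003:1003::/home/alice:/bin/bash
"""

def forced_commands(config_text):
    """Return [(user_patterns, command)] for Match User blocks that set ForceCommand."""
    result, patterns = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()          # sshd_config keywords are case-insensitive
        arg = parts[1] if len(parts) > 1 else ""
        if key == "match":
            crit = arg.split()
            # Assumption: only "Match User a,b" is understood; other criteria are skipped.
            simple = len(crit) == 2 and crit[0].lower() == "user"
            patterns = crit[1].split(",") if simple else None
        elif key == "forcecommand" and patterns:
            result.append((patterns, arg))
    return result

def audit(config_text, passwd_text):
    """Map each passwd account to (login shell, forced command or None)."""
    forced = forced_commands(config_text)
    report = {}
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) != 7:
            continue                     # skip malformed passwd lines
        user, shell = fields[0], fields[6]
        # The first matching block wins, as sshd uses the first value it obtains.
        cmd = next((c for pats, c in forced
                    if any(fnmatch.fnmatchcase(user, p) for p in pats)), None)
        report[user] = (shell, cmd)
    return report

if __name__ == "__main__":
    for user, (shell, cmd) in audit(SSHD_CONFIG, PASSWD).items():
        print(f"{user:16} shell={shell:28} ForceCommand={cmd}")
```

When reading the output, note that `ForceCommand` is enforced by sshd only and is run through the account's login shell with `-c`, whereas the shell field in passwd applies to every login path that uses it.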