[scponly] scponly chroot vs. Openssh forcecommand

Brian A. Davis bridavis at comcast.net
Wed Dec 27 22:15:01 EST 2006


OK, I've done enough testing to realize the easiest way for *me* is to 
use the chroot openssh patch with sftp-server as the users' shell. It's 
still not clear to me, if you have users who don't need any shell 
access, why you would use the ForceCommand instead of setting the shell.

FYI, my /etc/passwd line is:

test:x:1004:100::/raid/chroot/home/./test:/usr/lib/misc/sftp-server

That extra '.' is for the chroot.

Comments welcome.

Thanks,
Brian

Brian A. Davis wrote:
> I'm still testing, but I think using the chroot patch referenced below 
> and setting the users' shell to /usr/lib/misc/sftp-server (in my case) 
> is the answer for me.
>
> I'm still trying to determine the difference (functionally and 
> security-wise) between using the ForceCommand to force the sftp-server 
> or setting it as the users' shell.
>
> Thanks,
> Brian
>
> Kaleb Pederson wrote:
>> OpenSSH doesn't currently have the ability to chroot, although there 
>> is a patch that will allow it to chroot:
>>
>> http://chrootssh.sourceforge.net/index.php
>>
>> Hmm.... There is one thing that might work if OpenSSH allows spaces 
>> in the "ForceCommand" (and if not, you might be able to make a 
>> wrapper script):
>>
>> Match User restricted-user
>>     ForceCommand chroot /path/to/chroot -s /usr/libexec/sftp-server
>>
>> That's totally untested, but it might work.
>>
>> If you try it, please post your results and let us know.
>>
>> Thanks.
>>
>> --Kaleb
>>
>>
>> On Tuesday 26 December 2006 20:18, Brian A. Davis wrote:
>>
>>> Hey Folks,
>>>
>>> I saw a recent thread which introduced (to me anyway) the ForceCommand
>>> based on some new OpenSSH functionality, where you can force a user
>>> solely via OpenSSH to an sftp-only subsystem.
>>>
>>> To copy-paste the example given in the thread:
>>>
>>> Match User restricted-user
>>>     ForceCommand /usr/libexec/sftp-server
>>>
>>> Now, this is basically all I'm looking for, but I'm already running a
>>> chrooted scponly install. However, if I can get all the functionality
>>> out of OpenSSH, I'd like to remove scponly in the interest of keeping
>>> things simple.
>>>
>>> I don't need scp access, so I'm thinking the only reason for me to keep
>>> scponly is for the chroot.
>>>
>>> Does anyone know if I can chroot my users using the OpenSSH ForceCommand
>>> method? If not, I'll stick with the scponly setup I have.
>>>
>>> Thanks,
>>> Brian
>>>
>>> _______________________________________________
>>> scponly mailing list
>>> scponly at lists.ccs.neu.edu
>>> https://lists.ccs.neu.edu/bin/listinfo/scponly
>>>
>
>
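A small audit of the `/./` home-directory convention used with the chrootssh patch and the sftp-server-as-shell setup discussed above. This is an added example of my own, not code from the thread or from the scponly project; the passwd lines are constructed (the first mirrors the line quoted above) and the sftp-server paths are the two mentioned in the thread.

```python
from typing import Optional

# Constructed sample /etc/passwd entries for this example. The first line
# mirrors the entry quoted in the thread; the other two are deliberately
# misconfigured so the audit has something to report.
SAMPLE_PASSWD = """\
test:x:1004:100::/raid/chroot/home/./test:/usr/lib/misc/sftp-server
alice:x:1005:100::/home/alice:/bin/bash
bob:x:1006:100::/raid/chroot/home/./bob:/bin/bash
"""

# Login shells that give an sftp-only account no interactive shell.
# These are the two paths named in the thread; adjust for your system.
SFTP_ONLY_SHELLS = {"/usr/lib/misc/sftp-server", "/usr/libexec/sftp-server"}


def split_chroot_home(home: str) -> tuple[Optional[str], str]:
    """Apply the chrootssh '/./' convention: everything before '/./' is the
    chroot directory, everything after it is the home inside the chroot.
    Returns (chroot_dir, home_inside); chroot_dir is None when the entry
    carries no '/./' marker and the user is therefore not chrooted."""
    marker = "/./"
    if marker not in home:
        return None, home
    chroot_dir, _, inner = home.partition(marker)
    return chroot_dir, "/" + inner


def audit_passwd(text: str) -> dict[str, list[str]]:
    """Check each passwd entry for the two properties an sftp-only account
    needs here: a '/./' chroot marker in the home field and an sftp-server
    binary as the login shell. Returns {user: [findings]}; an empty list
    means the entry passed both checks."""
    report: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # malformed entry; skip rather than guess
            continue
        user, home, shell = fields[0], fields[5], fields[6]
        chroot_dir, _inner = split_chroot_home(home)
        findings = []
        if chroot_dir is None:
            findings.append("not chrooted (no '/./' in home directory)")
        if shell not in SFTP_ONLY_SHELLS:
            findings.append(f"login shell {shell} is not sftp-server")
        report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit_passwd(SAMPLE_PASSWD).items():
        print(user, "OK" if not findings else "; ".join(findings))
```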