[scponly] ssh key auth. using the same chroot env., possible?

Ralf Durkee rd at rd1.net
Sat Jul 14 19:11:29 EDT 2007


Why not just change the directory for the ssh keys to avoid the whole 
home directory issue?  It also allows you to set up permissions so that 
the users can't install or change their own keys.  Configure the 
directory for authorized keys in your sshd_config with something like...

AuthorizedKeysFile      /etc/ssh/keys/%u


The %u is the user login, and the file and the directory it is in need 
to be readable by the user id.  Different logins can have different 
keys, but the same home directory just fine.

-- Ralf Durkee, CISSP, GSEC, GCIH, GSNA
Principal Security Consultant
http://rd1.net


Whit Blauvelt wrote:
> Your first method does work, Paul. So that's good enough. What won't work
> for me is putting authorized_keys in the home directory (whether defined as
> before or after the // - in an .ssh subdir of course). Is the second way
> actually working for anybody? I'd be curious to know the trick if so to
> complete a page on the wiki.
>
> Whit
>
>   
>> On Wed, Nov 29, 2006 at 10:21:17PM -0700, Paul Hyder wrote:
>>     
>>> Relocating ssh keys is easy.
>>>   -update the sshd_config AuthorizedKeysFile variable to match the new,
>>>    root owned location (no longer in ~/.ssh/authorized_keys)
>>>    We use /home/admin/.ssh/%u/authorized_keys2 and a single jail.
>>>   -understand that the ssh key handling occurs BEFORE scponly, the keys
>>>    should be located above the chroot point if you don't want the users
>>>    to maintain them.  (otherwise the sshd can look in the user's chroot
>>>    incoming .ssh directory)
>>>
>>> Paul Hyder
>>> NOAA Earth System Research Laboratory, Global Systems Division
>>> Boulder, CO
>>>       
>
> _______________________________________________
> scponly mailing list
> scponly at lists.ccs.neu.edu
> https://lists.ccs.neu.edu/bin/listinfo/scponly
>
>   
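The layout both replies describe, as an added example that is not part of the list post or of scponly itself: a root-owned AuthorizedKeysFile directory above the chroot, one file per login expanded from %u, readable but not writable by the jailed user, plus a check that the directory is not inside the jail. KEYS_DIR defaulting to /etc/ssh/keys, the function names and the "install" usage are assumptions chosen for illustration; the chown to root only runs when the script is executed as root.

```shell
#!/bin/sh
# Added example, not code from the list post or from the scponly project.
# It lays out the scheme the replies describe: AuthorizedKeysFile points at
# a root-owned directory that lives ABOVE the scponly chroot, with one file
# per login (%u) that the user can read but not write.
# Assumptions (chosen for illustration): KEYS_DIR defaults to /etc/ssh/keys;
# the chown to root only happens when the script runs as root.

KEYS_DIR="${KEYS_DIR:-/etc/ssh/keys}"

# Ten-character mode string of a path, e.g. "-rw-r--r--" (GNU and BSD ls).
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# 0 when neither the group nor the other write bit is set; a writable key
# file or directory would let a jailed user add his own key.
not_group_or_world_writable() {
  case "$(mode_of "$1")" in
    ?????w????|????????w?) return 1 ;;
  esac
  return 0
}

# The directive to put in sshd_config; sshd expands %u to the login name.
sshd_config_line() {
  printf 'AuthorizedKeysFile %s/%%u\n' "$KEYS_DIR"
}

# 0 when KEYS_DIR is not under the chroot. sshd reads the key before the
# scponly jail is entered, so keys only need to be inside the jail when the
# users are meant to maintain them themselves.
outside_chroot() {
  keys_dir="$1"; chroot_dir="$2"
  case "$keys_dir/" in
    "$chroot_dir/"*) return 1 ;;
  esac
  return 0
}

# Install <pubkey_file> as KEYS_DIR/<user>: dir 0755, file 0644, root-owned.
install_user_key() {
  user="$1"; pubkey_file="$2"
  mkdir -p "$KEYS_DIR"
  chmod 0755 "$KEYS_DIR"
  cp "$pubkey_file" "$KEYS_DIR/$user"
  chmod 0644 "$KEYS_DIR/$user"
  if [ "$(id -u)" -eq 0 ]; then
    chown root "$KEYS_DIR" "$KEYS_DIR/$user"
  fi
}

# Verify the layout for one login: the file exists, the user id can read it
# and search the directory, and neither is writable by group or other.
audit_key_file() {
  f="$KEYS_DIR/$1"
  [ -f "$f" ] || { echo "audit: $f missing" >&2; return 1; }
  case "$(mode_of "$KEYS_DIR")" in
    ?????????[xt]) ;;
    *) echo "audit: $KEYS_DIR not searchable by the user" >&2; return 1 ;;
  esac
  case "$(mode_of "$f")" in
    ???????r??) ;;
    *) echo "audit: $f not readable by the user" >&2; return 1 ;;
  esac
  not_group_or_world_writable "$KEYS_DIR" ||
    { echo "audit: $KEYS_DIR writable by group/other" >&2; return 1; }
  not_group_or_world_writable "$f" ||
    { echo "audit: $f writable by group/other" >&2; return 1; }
  return 0
}

# Usage (as root): sh keys.sh install alice /tmp/alice.pub /home/scponly-jail
if [ "${1:-}" = "install" ]; then
  if [ -n "${4:-}" ]; then
    outside_chroot "$KEYS_DIR" "$4" ||
      { echo "KEYS_DIR $KEYS_DIR is inside the chroot $4" >&2; exit 1; }
  fi
  install_user_key "$2" "$3"
  audit_key_file "$2"
  sshd_config_line
fi
```

After installing, reload sshd and confirm with `sshd -T | grep -i authorizedkeysfile` that the new path is in effect; note that sshd opens the file with the user's uid, which is why the audit insists on the read and search bits rather than on root ownership alone.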


