Slashdot Mirror


Chroot in OpenSSH

bsdphx writes "OpenSSH developers Damien Miller and Markus Friedl have recently added a nifty feature to make life easier for admins. Now you can easily lock an SSH session into a chroot directory, restrict them to a built-in sftp server and apply these settings per user. And it's dead simple to do. If you need to allow semi-trusted people on your computers, then you want this bad!"

2 of 62 comments

  1. Re:Why bother? by bsdphx · Score: 5, Insightful

    Understanding the issues is better than parroting what you've heard from random sources. Given the OpenBSD and OpenSSH track record for security, it's obvious they have some serious clues about security.

  2. Re:Why bother? by illegibledotorg · Score: 5, Informative

    Giving someone a shell and putting them in a chroot crafted to look and function like a full system is one thing.

    Giving someone an SFTP session and chrooting them into a subdirectory is another thing.

    The feature added in this commit was arguably intended for the latter purpose given the additional changes to the SFTP subsystem that were included. There are countless tutorials and patches and scripts that are available to achieve chrooted SFTP-only access, but now it's been implemented in the core of OpenSSH. In my eyes, this solution is not only a "cleaner" solution to the problem, but it's probably more secure too.
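
Added example, not part of the thread and not OpenSSH project code: a small Python check that reads an sshd_config and reports, for each `Match` block, which of the two cases distinguished in the comment above applies (a chroot that still hands out a shell, or a chroot restricted to the built-in SFTP server). It relies on the `ChrootDirectory` and `ForceCommand internal-sftp` directives from sshd_config(5); the sample config, user names and paths are constructed.

```python
# Constructed sample config; user names and paths are made up for illustration.
SAMPLE = """\
Subsystem sftp internal-sftp

Match User alice
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp

Match User bob
    ChrootDirectory /srv/jail

Match Group staff
    X11Forwarding no
"""

def parse(text):
    """Split sshd_config text into global settings and per-Match settings."""
    glob, blocks, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            cur = {}
            blocks.append((val, cur))
        else:
            # sshd uses the first value it obtains for a keyword
            (glob if cur is None else cur).setdefault(key, val)
    return glob, blocks

def classify(text):
    """Map each Match criteria string to how that session is confined."""
    glob, blocks = parse(text)
    out = {}
    for crit, opts in blocks:
        # A Match block overrides the global value; otherwise the global applies.
        chroot = opts.get("chrootdirectory", glob.get("chrootdirectory", "none"))
        force = opts.get("forcecommand", glob.get("forcecommand", ""))
        if chroot.lower() == "none":
            out[crit] = "no chroot"
        elif force.split()[:1] == ["internal-sftp"]:
            out[crit] = "sftp-only chroot"
        else:
            out[crit] = "shell chroot"  # jail must hold a shell, libraries, devices
    return out

if __name__ == "__main__":
    for crit, verdict in classify(SAMPLE).items():
        print(f"{crit}: {verdict}")
```

A "shell chroot" result is the case that needs a populated jail and closer review; the check reads only the config text and does not inspect ownership or permissions of the chroot path.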