[BlueOnyx:01143] Re: How to chroot a user via sftp
Michael Stauber
mstauber at blueonyx.it
Tue Apr 28 19:43:41 -05 2009
Hi Chris,

> That said, it would be neat if chrooted/jailed sftp (and even ssh) could
> be implemented in BlueOnyx in the future. I believe that's been
> discussed and is on the "sometime in the future maybe" roadmap. ;)

Indeed. I've been looking at this and have (or had) it working on a test
server. My procedure wasn't that different from what Ernesto posted - just a
few variations here and there.

Like you said: In the end I wasn't all that happy that one had to deviate from
the CentOS-supplied OpenSSH and had to use a custom-built OpenSSH. If we'd
"mainstream" this by incorporating that feature into BlueOnyx, we'd always
have to be on our toes in regards to OpenSSH vulnerabilities and would have to
constantly supply new versions of OpenSSH by ourselves whenever a new version
of it becomes available. That adds quite a bit of extra overhead to the
project.

Another approach that has been suggested was to provide "scponly" shell access
as an alternative for selected users. That way a client could upload files with
SCP or WinSCP, but wouldn't get full SSH access. "scponly" can also be
chrooted, but implementing that would almost be as invasive to the base OS as
chrooted SSH.

With that in mind we put both ideas on the back burner for now, but eventually
we'll get there one way or another.

--
With best regards

Michael Stauber