[BlueOnyx:08384] Re: limit ssh access
bluequartz at hypersys.ne.jp
Tue Sep 6 01:43:08 PET 2011
Hi Michael Stauber;
over 4.9 OpenSSH in FreeBSD is supporting this function with
on sshd_config definition. I am using this 'limit ssh directry access'
BlueOnyx has now 4.3 OpenSSH, right ?
So let's upgrade OpenSSH from 4.3 to 4.9.
Is any problem on OpenSSH 4.9 on BlueOnyx ?
>> Yeah, I tried to implement chrooted SSH on BlueOnyx sometime last year.
>> Almost got it done and then hit a snag. It worked, but there were some
>> drawbacks that I've forgotten by now. Will look into it again.
> I looked into it again. Yeah, there were some problems with chrooted SSH
> CentOS5. Partially that's because it is showing it's age already and
> that work a bit more seamlessly on never distributions are more
> complicated on
> CentOS5. When CentOS5 was shipped, it's SSHd didn't have provisions for
> chroots in it. So in the end I settled for working SFTP acess back then
> put off the attempts to get chrooted SSH working.
> With a few bits and pieces from rpmforge and epel one can generally get
> chrooted SSH working on CentOS5 nowadays.
> But the problems start with setting up the chroot. For a regular user
> siteAdmin) we could simply use his home directory as base of the chrooted
> environment, which is doable.
> The chroot must be populated with devices, the binaries that we allow the
> chrooted user to use and their dependencies. That's the ugly part, because
> must populate the chroot with this stuff on login and must clean that
> stuff up
> on logout. There are some mechanisms and tools available that help with
> The part where it hits a snag is when we try to chroot a siteAdmin. Using
> home directory of the siteAdmin won't suffice, because he certainly would
> to be able to access the sites /web directory, too, which is outside his
> directory and therefore outside the chrooted jail.
> So we'd have to start the chroot for the siteAdmin at the site-root
> Which a chrooted SSH won't allow us to do, because the site-root has the
> permissions for that purpose and SSH is really picky about the
> permissions. A
> site-root directory usually has 42775 permissions (i.e.: drwxrwsr-x),
> means: Set GID on execution, rwx for owner, rwx for group, r-x for others.
> think SSH already chokes on group readable and r-x for others is a strict
> go area for it. Temporarily removing the extra bits would break web, FTP
> email for the entire site and all it's users, so that's not the best of
> I'm looking into other options for this now. Maybe "Jailkit" can help to
> overcome these obstacle. Or the implementation of an SCP-only shell could
> help. That wouldn't allow full SSH access, but at least SCP would work.
> I haven't entirely given up on this yet, but if we provide chrooted SSH,
> I want it to be a robust solution. And for it to be robust enough a couple
> architectural oddities like our site-root permissions must first be
> without breaking other things.
> With best regards
> Michael Stauber
More information about the Blueonyx