
"chroot sshd"

Posted: Thu Nov 18, 2004 4:10 am
by komseh
Is there a way to lock users who are logged in via ssh into their home directory? Chrooting sshd is pretty painful and seems unreliable. Can I use grsecurity's ACL system to accomplish this?

Re: "chroot sshd"

Posted: Mon Dec 13, 2004 5:07 pm
by Hue-Bond
>Is there a way to lock users who are logged in via ssh into their home
>directory? Chrooting sshd is pretty painful and seems unreliable. Can I use
>grsecurity's ACL system to accomplish this?

The ACL system is not for chrooting daemons. I think it would be a bigger pain to accomplish that via ACLs (although not totally impossible). I'd suggest you do things the way they are meant to be done.

Posted: Tue Dec 14, 2004 11:03 pm
by incognito_
You might want to look at pam_chroot.

Posted: Sun Jan 02, 2005 10:10 am
by superbock
It can be done, and works great if you take the time to implement it right.

You need 4 things:

+ a chroot patch for sshd, freely available on the net, so that it executes a chroot() when the user logs in

+ a fs skeleton in every user's homedir (each with its libs and allowed binaries)

+ a proper least-privilege-possible ACL that "hides" the system below the user's homedir and sets rules on what he can do in his own fs skel

+ some scripting to help manage this in an easy way (optional)

It's as secure as it can get when giving shell access to users.

Have fun :)
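
The fs skeleton and helper scripting from the list above, sketched as an added example that is not part of the original thread. The function names (`list_deps`, `copy_into`, `build_skel`, `missing_deps`) are hypothetical, and it assumes the binaries passed in are the administrator's own trusted system binaries:

```shell
#!/bin/sh
# Added example: populate a per-user chroot skeleton (hypothetical helper names).
# Assumption: run on the admin's own trusted binaries. ldd may execute code
# from the file it inspects, so never point it at user-supplied files.

# Print absolute paths of the shared objects a binary needs (empty if static).
list_deps() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }  # libfoo.so => /path (addr)
        $1 ~ /^\//               { print $1 }        # /lib64/ld-linux... (addr)
    ' | sort -u
}

# Copy one file into the skeleton under the same absolute path.
copy_into() {
    dest=$1; src=$2
    mkdir -p "$dest$(dirname "$src")"
    cp -L "$src" "$dest$src"   # -L: copy the real file, not a symlink pointing outside
}

# build_skel DEST BIN...: copy each allowed binary plus its libraries into DEST.
build_skel() {
    skel=$1; shift
    for bin in "$@"; do
        [ -x "$bin" ] || { echo "skip: $bin is not executable" >&2; continue; }
        copy_into "$skel" "$bin"
        for lib in $(list_deps "$bin"); do
            copy_into "$skel" "$lib"
        done
    done
    # Nothing in the skeleton should be writable by group or others.
    chmod -R go-w "$skel"
}

# missing_deps DEST BIN: print libraries BIN needs that DEST does not contain.
missing_deps() {
    for lib in $(list_deps "$2"); do
        [ -e "$1$lib" ] || echo "$lib"
    done
}
```

Running `missing_deps` after a system library update shows which skeletons have gone stale and need rebuilding.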