1 --- openssh-4.4p1/servconf.c.orig 2006-08-18 16:23:15.000000000 +0200
2 +++ openssh-4.4p1/servconf.c 2006-10-05 10:11:17.065971000 +0200
5 /* Portable-specific options */
9 + options->use_chroot = -1;
11 /* Standard Options */
12 options->num_ports = 0;
13 options->ports_from_cmdline = 0;
15 if (options->use_pam == -1)
18 + if (options->use_chroot == -1)
19 + options->use_chroot = 0;
21 /* Standard Options */
22 if (options->protocol == SSH_PROTO_UNKNOWN)
23 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
25 sBadOption, /* == unknown option */
26 /* Portable-specific options */
29 /* Standard Options */
30 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
31 sPermitRootLogin, sLogFacility, sLogLevel,
34 { "usepam", sUnsupported, SSHCFG_GLOBAL },
37 + { "usechroot", sUseChroot, SSHCFG_GLOBAL },
39 + { "usechroot", sUnsupported, SSHCFG_GLOBAL },
41 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
42 /* Standard Options */
43 { "port", sPort, SSHCFG_GLOBAL },
45 intptr = &options->use_pam;
49 + intptr = &options->use_chroot;
52 /* Standard Options */
55 --- openssh-3.7.1p2/servconf.h 2003-09-02 14:58:22.000000000 +0200
56 +++ openssh-3.7.1p2.pius/servconf.h 2003-10-07 20:49:08.000000000 +0200
58 int max_startups_rate;
60 char *banner; /* SSH-2 banner message */
61 + int use_chroot; /* Enable chrooted enviroment support */
63 int client_alive_interval; /*
64 * poke the client this often to
65 --- openssh-7.2p1/session.c.orig 2016-03-05 10:24:44.227756638 +0100
66 +++ openssh-7.2p1/session.c 2016-03-05 10:24:50.237756386 +0100
67 @@ -1492,6 +1492,10 @@ do_setusercontext(struct passwd *pw)
68 do_setusercontext(struct passwd *pw)
70 char *chroot_path, *tmp;
76 platform_setusercontext(pw);
78 @@ -1532,6 +1536,29 @@ do_setusercontext(struct passwd *pw)
79 free(options.chroot_directory);
80 options.chroot_directory = NULL;
83 + } else if (!in_chroot && options.use_chroot) {
84 + user_dir = xstrdup(pw->pw_dir);
85 + new_root = user_dir + 1;
87 + while ((new_root = strchr(new_root, '.')) != NULL) {
89 + if (strncmp(new_root, "/./", 3) == 0) {
93 + if (chroot(user_dir) != 0)
94 + fatal("Couldn't chroot to user directory %s", user_dir);
95 + /* NOTE: session->pw comes from pwcopy(), so replace pw_dir this way (incompatible with plain getpwnam() or getpwnam_r()) */
97 + pw->pw_dir = xstrdup(new_root);
107 #ifdef HAVE_LOGIN_CAP
108 --- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200
109 +++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200
111 # and ChallengeResponseAuthentication to 'no'.
114 +# Set this to 'yes' to enable support for chrooted user environment.
115 +# You must create such environment before you can use this feature.
118 #AllowAgentForwarding yes
120 # http://securitytracker.com/alerts/2004/Sep/1011143.html
121 --- openssh-4.4p1/sshd_config.0.orig 2006-09-26 13:03:48.000000000 +0200
122 +++ openssh-4.4p1/sshd_config.0 2006-10-05 10:11:41.615971000 +0200
123 @@ -921,6 +921,16 @@ DESCRIPTION
124 TrustedUserCAKeys. For more details on certificates, see the
125 CERTIFICATES section in ssh-keygen(1).
128 + Specifies whether to use chroot-jail environment with ssh/sftp,
129 + i.e. restrict users to a particular area in the filesystem. This
130 + is done by setting user home directory to, for example,
131 + /path/to/chroot/./home/username. sshd looks for a '.' in the
132 + users home directory, then calls chroot(2) to whatever directory
133 + was before the . and continues with the normal ssh functionality.
134 + For this to work properly you have to create special chroot-jail
135 + environment in a /path/to/chroot directory.
137 UseDNS Specifies whether sshd(8) should look up the remote host name,
138 and to check that the resolved host name for the remote IP
139 address maps back to the very same IP address.
140 --- openssh-3.8p1/sshd_config.5.orig 2004-02-18 04:31:24.000000000 +0100
141 +++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100
143 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
144 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
147 +Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
148 +users to a particular area in the filesystem. This is done by setting user
149 +home directory to, for example, /path/to/chroot/./home/username.
151 +looks for a '.' in the users home directory, then calls
153 +to whatever directory was before the . and continues with the normal ssh
154 +functionality. For this to work properly you have to create special chroot-jail
155 +environment in a /path/to/chroot directory.
157 Specifies whether the system should send TCP keepalive messages to the