--- openssh-3.7.1p2/servconf.c	2003-09-23 11:24:21.000000000 +0200
+++ openssh-3.7.1p2.pius/servconf.c	2003-10-07 20:49:08.000000000 +0200
@@ -41,7 +41,9 @@
 
 	/* Portable-specific options */
 	options->use_pam = -1;
-
+	
+	options->use_chroot = -1;
+	
 	/* Standard Options */
 	options->num_ports = 0;
 	options->ports_from_cmdline = 0;
@@ -112,6 +114,9 @@
 	if (options->use_pam == -1)
 		options->use_pam = 0;
 
+	if (options->use_chroot == -1)
+		options->use_chroot = 0;
+	
 	/* Standard Options */
 	if (options->protocol == SSH_PROTO_UNKNOWN)
 		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
@@ -245,6 +250,7 @@
 	sBadOption,		/* == unknown option */
 	/* Portable-specific options */
 	sUsePAM,
+	sUseChroot,
 	/* Standard Options */
 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 	sPermitRootLogin, sLogFacility, sLogLevel,
@@ -278,6 +284,11 @@
 #else
 	{ "usepam", sUnsupported },
 #endif
+#ifdef CHROOT
+	{ "usechroot", sUseChroot },
+#else
+	{ "usechroot", sUnsupported },
+#endif /* CHROOT */
 	{ "pamauthenticationviakbdint", sDeprecated },
 	/* Standard Options */
 	{ "port", sPort },
@@ -437,6 +448,10 @@
 		intptr = &options->use_pam;
 		goto parse_flag;
 
+	case sUseChroot:
+		intptr = &options->use_chroot;
+		goto parse_flag;
+
 	/* Standard Options */
 	case sBadOption:
 		return -1;
--- openssh-3.7.1p2/servconf.h	2003-09-02 14:58:22.000000000 +0200
+++ openssh-3.7.1p2.pius/servconf.h	2003-10-07 20:49:08.000000000 +0200
@@ -109,6 +109,7 @@
 	int	max_startups_rate;
 	int	max_startups;
 	char   *banner;			/* SSH-2 banner message */
+	int     use_chroot;		/* Enable chrooted enviroment support */
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
--- openssh-3.7.1p2/session.c	2003-09-23 10:59:08.000000000 +0200
+++ openssh-3.7.1p2.pius/session.c	2003-10-07 20:49:08.000000000 +0200
@@ -1231,6 +1231,10 @@
 void
 do_setusercontext(struct passwd *pw)
 {
+#ifdef CHROOT
+	char *user_dir;
+	char *new_root;
+#endif /* CHROOT */
 #ifndef HAVE_CYGWIN
 	if (getuid() == 0 || geteuid() == 0)
 #endif /* HAVE_CYGWIN */
@@ -1268,6 +1272,28 @@
 			exit(1);
 		}
 		endgrent();
+
+#ifdef CHROOT
+		if (options.use_chroot) {
+			user_dir = xstrdup(pw->pw_dir);
+			new_root = user_dir + 1;
+
+			while((new_root = strchr(new_root, '.')) != NULL) {
+				new_root--;
+				if(strncmp(new_root, "/./", 3) == 0) {
+					*new_root = '\0';
+					new_root += 2;
+
+					if(chroot(user_dir) != 0)
+						fatal("Couldn't chroot to user directory % s", user_dir);
+						pw->pw_dir = new_root;
+						break;
+					}
+					new_root += 2;
+			}
+		}
+#endif /* CHROOT */
+
 # ifdef USE_PAM
 		/*
 		 * PAM credentials may take the form of supplementary groups. 
--- openssh-3.7.1p2/sshd_config	2003-09-02 14:51:18.000000000 +0200
+++ openssh-3.7.1p2.pius/sshd_config	2003-10-07 20:49:08.000000000 +0200
@@ -71,6 +71,10 @@
 # bypass the setting of 'PasswordAuthentication'
 #UsePAM yes
 
+# Set this to 'yes' to enable support for chrooted user environment.
+# You must create such environment before you can use this feature. 
+#UseChroot yes
+
 #AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding no
--- openssh-3.7.1p2/sshd_config.0	2003-09-23 11:55:19.000000000 +0200
+++ openssh-3.7.1p2.pius/sshd_config.0	2003-10-07 20:49:08.000000000 +0200
@@ -349,6 +349,16 @@
              CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The de-
              fault is AUTH.
 
+     UseChroot
+             Specifies whether to use chroot-jail environment with ssh/sftp,
+             i.e. restrict users to a particular area in the filesystem. This
+             is done by setting user home directory to, for example,
+             /path/to/chroot/./home/username.  sshd looks for a '.' in the
+             users home directory, then calls chroot(2) to whatever directory
+             was before the . and continues with the normal ssh functionality.
+             For this to work properly you have to create special chroot-jail
+             environment in a /path/to/chroot directory.
+
      UseDNS  Specifies whether sshd should lookup the remote host name and
              check that the resolved host name for the remote IP address maps
              back to the very same IP address.  The default is ``yes''.
--- openssh-3.7.1p2/sshd_config.5	2003-09-02 14:57:05.000000000 +0200
+++ openssh-3.7.1p2.pius/sshd_config.5	2003-10-07 20:49:08.000000000 +0200
@@ -580,6 +580,16 @@
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
+.It Cm UseChroot
+Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
+users to a particular area in the filesystem. This is done by setting user
+home directory to, for example, /path/to/chroot/./home/username.
+.Nm sshd
+looks for a '.' in the users home directory, then calls
+.Xr chroot 2
+to whatever directory was before the . and continues with the normal ssh
+functionality. For this to work properly you have to create special chroot-jail
+environment in a /path/to/chroot directory.
 .It Cm UseDNS
 Specifies whether
 .Nm sshd