--- openssh-4.4p1/servconf.c.orig	2006-08-18 16:23:15.000000000 +0200
+++ openssh-4.4p1/servconf.c	2006-10-05 10:11:17.065971000 +0200
@@ -56,7 +56,9 @@
 
 	/* Portable-specific options */
 	options->use_pam = -1;
-
+	
+	options->use_chroot = -1;
+	
 	/* Standard Options */
 	options->num_ports = 0;
 	options->ports_from_cmdline = 0;
@@ -131,6 +133,9 @@
 	if (options->use_pam == -1)
 		options->use_pam = 0;
 
+	if (options->use_chroot == -1)
+		options->use_chroot = 0;
+	
 	/* Standard Options */
 	if (options->protocol == SSH_PROTO_UNKNOWN)
 		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
@@ -270,6 +275,7 @@
 	sBadOption,		/* == unknown option */
 	/* Portable-specific options */
 	sUsePAM,
+	sUseChroot,
 	/* Standard Options */
 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 	sPermitRootLogin, sLogFacility, sLogLevel,
@@ -312,6 +318,11 @@
 #else
 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
 #endif
+#ifdef CHROOT
+	{ "usechroot", sUseChroot, SSHCFG_GLOBAL },
+#else
+	{ "usechroot", sUnsupported, SSHCFG_GLOBAL },
+#endif /* CHROOT */
 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
 	/* Standard Options */
 	{ "port", sPort, SSHCFG_GLOBAL },
@@ -662,6 +673,10 @@
 		intptr = &options->use_pam;
 		goto parse_flag;
 
+	case sUseChroot:
+		intptr = &options->use_chroot;
+		goto parse_flag;
+
 	/* Standard Options */
 	case sBadOption:
 		return -1;
--- openssh-3.7.1p2/servconf.h	2003-09-02 14:58:22.000000000 +0200
+++ openssh-3.7.1p2.pius/servconf.h	2003-10-07 20:49:08.000000000 +0200
@@ -109,6 +109,7 @@
 	int	max_startups_rate;
 	int	max_startups;
 	char   *banner;			/* SSH-2 banner message */
+	int     use_chroot;		/* Enable chrooted enviroment support */
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
--- ./session.c.org	2008-05-05 16:22:11.935003283 +0200
+++ ./session.c	2008-05-05 16:32:50.025507650 +0200
@@ -1345,6 +1345,10 @@ void
 do_setusercontext(struct passwd *pw)
 {
 	char *chroot_path, *tmp;
+#ifdef CHROOT
+	char *user_dir;
+	char *new_root;
+#endif /* CHROOT */
 
 #ifdef WITH_SELINUX
 	/* Cache selinux status for later use */
@@ -1425,8 +1429,28 @@ do_setusercontext(struct passwd *pw)
 			/* Make sure we don't attempt to chroot again */
 			free(options.chroot_directory);
 			options.chroot_directory = NULL;
+#ifdef CHROOT
+		} else if (options.use_chroot) {
+			user_dir = xstrdup(pw->pw_dir);
+			new_root = user_dir + 1;
+
+			while((new_root = strchr(new_root, '.')) != NULL) {
+				new_root--;
+				if(strncmp(new_root, "/./", 3) == 0) {
+					*new_root = '\0';
+					new_root += 2;
+
+					if(chroot(user_dir) != 0)
+						fatal("Couldn't chroot to user directory %s", user_dir);
+					pw->pw_dir = new_root;
+					break;
+				}
+				new_root += 2;
+			}
+#endif /* CHROOT */
 		}
 
+
 #ifdef HAVE_LOGIN_CAP
 		if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
 			perror("unable to set user context (setuser)");
--- openssh-3.7.1p2/sshd_config	2003-09-02 14:51:18.000000000 +0200
+++ openssh-3.7.1p2.pius/sshd_config	2003-10-07 20:49:08.000000000 +0200
@@ -91,6 +91,10 @@
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
 
+# Set this to 'yes' to enable support for chrooted user environment.
+# You must create such environment before you can use this feature.
+#UseChroot yes
+
 #AllowAgentForwarding yes
 # Security advisory:
 # http://securitytracker.com/alerts/2004/Sep/1011143.html
--- openssh-4.4p1/sshd_config.0.orig	2006-09-26 13:03:48.000000000 +0200
+++ openssh-4.4p1/sshd_config.0	2006-10-05 10:11:41.615971000 +0200
@@ -451,6 +451,16 @@
              To disable TCP keepalive messages, the value should be set to
              ``no''.
 
+     UseChroot
+             Specifies whether to use chroot-jail environment with ssh/sftp,
+             i.e. restrict users to a particular area in the filesystem. This
+             is done by setting user home directory to, for example,
+             /path/to/chroot/./home/username.  sshd looks for a '.' in the
+             users home directory, then calls chroot(2) to whatever directory
+             was before the . and continues with the normal ssh functionality.
+             For this to work properly you have to create special chroot-jail
+             environment in a /path/to/chroot directory.
+
      UseDNS  Specifies whether sshd(8) should look up the remote host name and
              check that the resolved host name for the remote IP address maps
              back to the very same IP address.  The default is ``yes''.
--- openssh-3.8p1/sshd_config.5.orig	2004-02-18 04:31:24.000000000 +0100
+++ openssh-3.8p1/sshd_config.5	2004-02-25 21:17:23.000000000 +0100
@@ -552,6 +552,16 @@
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
+.It Cm UseChroot
+Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
+users to a particular area in the filesystem. This is done by setting user
+home directory to, for example, /path/to/chroot/./home/username.
+.Nm sshd
+looks for a '.' in the users home directory, then calls
+.Xr chroot 2
+to whatever directory was before the . and continues with the normal ssh
+functionality. For this to work properly you have to create special chroot-jail
+environment in a /path/to/chroot directory.
 .It Cm TCPKeepAlive
 Specifies whether the system should send TCP keepalive messages to the
 other side.