path: root/openssh-chroot.patch
blob: e166515c101506fa319f47ee842e1936c5749302 (plain)
diff -urNp -x '*.orig' openssh-8.8p1.org/servconf.c openssh-8.8p1/servconf.c
--- openssh-8.8p1.org/servconf.c	2021-09-26 16:03:19.000000000 +0200
+++ openssh-8.8p1/servconf.c	2021-12-09 20:13:16.486586503 +0100
@@ -92,7 +92,9 @@ initialize_server_options(ServerOptions
 
 	/* Portable-specific options */
 	options->use_pam = -1;
-
+	
+	options->use_chroot = -1;
+	
 	/* Standard Options */
 	options->num_ports = 0;
 	options->ports_from_cmdline = 0;
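Review bot: The two lines added around `options->use_chroot = -1;` contain only a tab, replacing a truly empty line, and the same happens after the new default in the fill_default_server_options hunk. Whitespace-only lines with a trailing tab make the patch harder to refresh against new upstream releases; leave the blank lines empty. The initialization itself follows the `use_pam` pattern next to it.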
@@ -279,6 +281,9 @@ fill_default_server_options(ServerOption
 	if (options->use_pam == -1)
 		options->use_pam = 0;
 
+	if (options->use_chroot == -1)
+		options->use_chroot = 0;
+	
 	/* Standard Options */
 	if (options->num_host_key_files == 0) {
 		/* fill default hostkeys for protocols */
@@ -486,6 +491,7 @@ typedef enum {
 	sBadOption,		/* == unknown option */
 	/* Portable-specific options */
 	sUsePAM,
+	sUseChroot,
 	/* Standard Options */
 	sPort, sHostKeyFile, sLoginGraceTime,
 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
@@ -538,6 +544,11 @@ static struct {
 #else
 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
 #endif
+#ifdef CHROOT
+	{ "usechroot", sUseChroot, SSHCFG_GLOBAL },
+#else
+	{ "usechroot", sUnsupported, SSHCFG_GLOBAL },
+#endif /* CHROOT */
 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
 	/* Standard Options */
 	{ "port", sPort, SSHCFG_GLOBAL },
@@ -1332,6 +1343,10 @@ process_server_config_line_depth(ServerO
 		intptr = &options->use_pam;
 		goto parse_flag;
 
+	case sUseChroot:
+		intptr = &options->use_chroot;
+		goto parse_flag;
+
 	/* Standard Options */
 	case sBadOption:
 		goto out;
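Review bot: The new `case sUseChroot:` makes the option parseable, but no servconf.c hunk in this patch adds it to the configuration dump, so `sshd -T` would presumably not report the effective value; dump_config() is outside the visible hunks, so confirm. Because this flag decides whether a session is confined, an administrator auditing a host should be able to read it back. A line such as `dump_cfg_fmtint(sUseChroot, o->use_chroot);` under `#ifdef CHROOT`, next to the UsePAM entry, would cover it. process_server_config_line_depth continues outside this hunk.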
diff -urNp -x '*.orig' openssh-8.8p1.org/servconf.h openssh-8.8p1/servconf.h
--- openssh-8.8p1.org/servconf.h	2021-09-26 16:03:19.000000000 +0200
+++ openssh-8.8p1/servconf.h	2021-12-09 20:13:16.486586503 +0100
@@ -183,6 +183,7 @@ typedef struct {
 	int	max_authtries;
 	int	max_sessions;
 	char   *banner;			/* SSH-2 banner message */
+	int     use_chroot;		/* Enable chrooted enviroment support */
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
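Review bot: The comment on the new `use_chroot` field misspells "environment" and does not say what the field holds. Something like `/* UseChroot: chroot into the part of pw_dir before "/./" (-1 unset, 0 off, 1 on) */` would document the value convention that servconf.c applies. The declaration also pads with spaces after `int`, where the neighbouring fields use a tab. The struct starts and ends outside this hunk.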
diff -urNp -x '*.orig' openssh-8.8p1.org/session.c openssh-8.8p1/session.c
--- openssh-8.8p1.org/session.c	2021-09-26 16:03:19.000000000 +0200
+++ openssh-8.8p1/session.c	2021-12-09 20:13:16.489919836 +0100
@@ -1359,6 +1359,10 @@ void
 do_setusercontext(struct passwd *pw)
 {
 	char uidstr[32], *chroot_path, *tmp;
+#ifdef CHROOT
+	char *user_dir;
+	char *new_root;
+#endif /* CHROOT */
 
 	platform_setusercontext(pw);
 
@@ -1401,6 +1405,29 @@ do_setusercontext(struct passwd *pw)
 			free(options.chroot_directory);
 			options.chroot_directory = NULL;
 			in_chroot = 1;
+#ifdef CHROOT
+		} else if (!in_chroot && options.use_chroot) {
+			user_dir = xstrdup(pw->pw_dir);
+			new_root = user_dir + 1;
+
+			while ((new_root = strchr(new_root, '.')) != NULL) {
+				new_root--;
+				if (strncmp(new_root, "/./", 3) == 0) {
+					*new_root = '\0';
+					new_root += 2;
+
+					if (chroot(user_dir) != 0)
+						fatal("Couldn't chroot to user directory %s", user_dir);
+					/* NOTE: session->pw comes from pwcopy(), so replace pw_dir this way (incompatible with plain getpwnam() or getpwnam_r()) */
+					free(pw->pw_dir);
+					pw->pw_dir = xstrdup(new_root);
+					in_chroot = 1;
+					break;
+				}
+				new_root += 2;
+			}
+			free(user_dir);
+#endif /* CHROOT */
 		}
 
 #ifdef HAVE_LOGIN_CAP
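Review bot: The added `else if` branch calls `chroot(user_dir)` directly, so the jail root gets no chdir into it and no check that it and its parent directories are root-owned and not group- or world-writable; upstream's ChrootDirectory branch, whose tail is visible just above, does both through `safely_chroot()`. If the later chdir to the rewritten home directory fails, the session keeps a working directory outside the new root, and a jail root the user can write to undermines the confinement. Replacing the `chroot()`/`fatal()` pair with `safely_chroot(user_dir, pw->pw_uid);` would apply the same checks to both code paths. Separately, `new_root = user_dir + 1` points past the terminator when `pw_dir` is an empty string, so `strchr` reads out of bounds; guard the loop with `if (user_dir[0] != '\0')`. do_setusercontext continues outside this hunk.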
diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config openssh-8.8p1/sshd_config
--- openssh-8.8p1.org/sshd_config	2021-12-09 20:13:16.326586503 +0100
+++ openssh-8.8p1/sshd_config	2021-12-09 20:13:16.489919836 +0100
@@ -85,6 +85,10 @@ GSSAPIAuthentication yes
 # and KbdInteractiveAuthentication to 'no'.
 UsePAM yes
 
+# Set this to 'yes' to enable support for chrooted user environment.
+# You must create such environment before you can use this feature.
+#UseChroot yes
+
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config.0 openssh-8.8p1/sshd_config.0
--- openssh-8.8p1.org/sshd_config.0	2021-09-26 16:06:42.000000000 +0200
+++ openssh-8.8p1/sshd_config.0	2021-12-09 20:13:16.489919836 +0100
@@ -1053,6 +1053,16 @@ DESCRIPTION
              open channels.  This option may be useful in conjunction with
              ChannelTimeout.
 
+     UseChroot
+             Specifies whether to use chroot-jail environment with ssh/sftp,
+             i.e. restrict users to a particular area in the filesystem. This
+             is done by setting user home directory to, for example,
+             /path/to/chroot/./home/username.  sshd looks for a '.' in the
+             users home directory, then calls chroot(2) to whatever directory
+             was before the . and continues with the normal ssh functionality.
+             For this to work properly you have to create special chroot-jail
+             environment in a /path/to/chroot directory.
+
      UseDNS  Specifies whether sshd(8) should look up the remote host name,
              and to check that the resolved host name for the remote IP
              address maps back to the very same IP address.
diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config.5 openssh-8.8p1/sshd_config.5
--- openssh-8.8p1.org/sshd_config.5	2021-09-26 16:03:19.000000000 +0200
+++ openssh-8.8p1/sshd_config.5	2021-12-09 20:13:16.489919836 +0100
@@ -1697,6 +1697,16 @@ Gives the facility code that is used whe
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
+.It Cm UseChroot
+Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
+users to a particular area in the filesystem. This is done by setting user
+home directory to, for example, /path/to/chroot/./home/username.
+.Nm sshd
+looks for a '.' in the users home directory, then calls
+.Xr chroot 2
+to whatever directory was before the . and continues with the normal ssh
+functionality. For this to work properly you have to create special chroot-jail
+environment in a /path/to/chroot directory.
 .It Cm TCPKeepAlive
 Specifies whether the system should send TCP keepalive messages to the
 other side.