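--- openssh-4.4p1/servconf.c.orig 2006-08-18 16:23:15.000000000 +0200
+++ openssh-4.4p1/servconf.c 2006-10-05 10:11:17.065971000 +0200
@@ -56,7 +56,9 @@
 
 /* Portable-specific options */
 options->use_pam = -1;
-
+
+ options->use_chroot = -1;
+
 /* Standard Options */
 options->num_ports = 0;
 options->ports_from_cmdline = 0;
@@ -131,6 +133,9 @@
 if (options->use_pam == -1)
 options->use_pam = 0;
 
+ if (options->use_chroot == -1)
+ options->use_chroot = 0;
+
 /* Standard Options */
 if (options->protocol == SSH_PROTO_UNKNOWN)
 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
@@ -270,6 +275,7 @@
 sBadOption, /* == unknown option */
 /* Portable-specific options */
 sUsePAM,
+ sUseChroot,
 /* Standard Options */
 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 sPermitRootLogin, sLogFacility, sLogLevel,
@@ -312,6 +318,11 @@
 #else
 { "usepam", sUnsupported, SSHCFG_GLOBAL },
 #endif
+#ifdef CHROOT
+ { "usechroot", sUseChroot, SSHCFG_GLOBAL },
+#else
+ { "usechroot", sUnsupported, SSHCFG_GLOBAL },
+#endif /* CHROOT */
 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
 /* Standard Options */
 { "port", sPort, SSHCFG_GLOBAL },
@@ -662,6 +673,10 @@
 intptr = &options->use_pam;
 goto parse_flag;
 
+ case sUseChroot:
+ intptr = &options->use_chroot;
+ goto parse_flag;
+
 /* Standard Options */
 case sBadOption:
 return -1;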
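--- openssh-3.7.1p2/servconf.h 2003-09-02 14:58:22.000000000 +0200
+++ openssh-3.7.1p2.pius/servconf.h 2003-10-07 20:49:08.000000000 +0200
@@ -109,6 +109,7 @@
 int max_startups_rate;
 int max_startups;
 char *banner; /* SSH-2 banner message */
+ int use_chroot; /* Enable chrooted enviroment support */
 int use_dns;
 int client_alive_interval; /*
 * poke the client this often to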
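Review bot: The comment on the new `use_chroot` field misspells "environment" and does not say what actually triggers the chroot; the session.c hunk on this page only calls chroot(2) when the home directory contains a `/./` separator, and that convention is what a maintainer reading the struct needs. Suggested line: `int use_chroot; /* UseChroot: chroot(2) to the part of pw_dir before "/./" */`. The ServerOptions struct starts and ends outside the hunk.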
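--- ./session.c.org 2008-05-05 16:22:11.935003283 +0200
+++ ./session.c 2008-05-05 16:32:50.025507650 +0200
@@ -1492,6 +1492,10 @@ do_setusercontext(struct passwd *pw)
 #ifdef USE_LIBIAF
 int doing_chroot = 0;
 #endif
+#ifdef CHROOT
+ char *user_dir;
+ char *new_root;
+#endif /* CHROOT */
 
 platform_setusercontext(pw);
 
@@ -1534,6 +1538,25 @@ do_setusercontext(struct passwd *pw)
 #ifdef USE_LIBIAF
 doing_chroot = 1;
 #endif
+#ifdef CHROOT
+ } else if (options.use_chroot) {
+ user_dir = xstrdup(pw->pw_dir);
+ new_root = user_dir + 1;
+
+ while((new_root = strchr(new_root, '.')) != NULL) {
+ new_root--;
+ if(strncmp(new_root, "/./", 3) == 0) {
+ *new_root = '\0';
+ new_root += 2;
+
+ if(chroot(user_dir) != 0)
+ fatal("Couldn't chroot to user directory %s", user_dir);
+ pw->pw_dir = new_root;
+ break;
+ }
+ new_root += 2;
+ }
+#endif /* CHROOT */
 }
 
 #ifdef HAVE_LOGIN_CAP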
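Review bot: The jail path passed to `chroot(user_dir)` is taken verbatim from pw->pw_dir with no check that the directory and every parent are root-owned and not group/world-writable, so whatever can set a home directory (passwd edits, NIS/LDAP, directory-changing tools) also decides where sshd chroots while still privileged; the ChrootDirectory branch immediately above this hunk presumably goes through safely_chroot(), which in OpenSSH trees of this vintage performs exactly that ownership/mode walk and also chdir()s into the new root. The bare chroot(2) here is not followed by any chdir, so the process keeps a working directory outside the jail until the later chdir(pw->pw_dir) — inferred, since that call is outside the hunk. Prefer `safely_chroot(user_dir, pw->pw_uid);` in place of the chroot/fatal pair, or if that helper is not available here add `if (chdir("/") == -1) fatal("chdir(/) failed: %s", strerror(errno));` directly after the chroot. Two smaller points: `new_root = user_dir + 1` reads past the terminator if pw_dir is ever the empty string, and the xstrdup()'d buffer is never freed because pw->pw_dir is made to alias into it, which deserves a comment. do_setusercontext starts and ends outside the hunk.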
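--- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200
+++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200
@@ -91,6 +91,10 @@
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
 
+# Set this to 'yes' to enable support for chrooted user environment.
+# You must create such environment before you can use this feature.
+#UseChroot yes
+
 #AllowAgentForwarding yes
 # Security advisory:
 # http://securitytracker.com/alerts/2004/Sep/1011143.html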
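--- openssh-4.4p1/sshd_config.0.orig 2006-09-26 13:03:48.000000000 +0200
+++ openssh-4.4p1/sshd_config.0 2006-10-05 10:11:41.615971000 +0200
@@ -451,6 +451,16 @@
 To disable TCP keepalive messages, the value should be set to
 ``no''.
 
+ UseChroot
+ Specifies whether to use chroot-jail environment with ssh/sftp,
+ i.e. restrict users to a particular area in the filesystem. This
+ is done by setting user home directory to, for example,
+ /path/to/chroot/./home/username. sshd looks for a '.' in the
+ users home directory, then calls chroot(2) to whatever directory
+ was before the . and continues with the normal ssh functionality.
+ For this to work properly you have to create special chroot-jail
+ environment in a /path/to/chroot directory.
+
 UseDNS Specifies whether sshd(8) should look up the remote host name and
 check that the resolved host name for the remote IP address maps
 back to the very same IP address. The default is ``yes''.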
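--- openssh-3.8p1/sshd_config.5.orig 2004-02-18 04:31:24.000000000 +0100
+++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100
@@ -552,6 +552,16 @@
 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
+.It Cm UseChroot
+Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
+users to a particular area in the filesystem. This is done by setting user
+home directory to, for example, /path/to/chroot/./home/username.
+.Nm sshd
+looks for a '.' in the users home directory, then calls
+.Xr chroot 2
+to whatever directory was before the . and continues with the normal ssh
+functionality. For this to work properly you have to create special chroot-jail
+environment in a /path/to/chroot directory.
 .It Cm TCPKeepAlive
 Specifies whether the system should send TCP keepalive messages to the
 other side.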