1 --- openssh-4.4p1/servconf.c.orig 2006-08-18 16:23:15.000000000 +0200
2 +++ openssh-4.4p1/servconf.c 2006-10-05 10:11:17.065971000 +0200
5 /* Portable-specific options */
9 + options->use_chroot = -1;
11 /* Standard Options */
12 options->num_ports = 0;
13 options->ports_from_cmdline = 0;
15 if (options->use_pam == -1)
18 + if (options->use_chroot == -1)
19 + options->use_chroot = 0;
21 /* Standard Options */
22 if (options->protocol == SSH_PROTO_UNKNOWN)
23 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
25 sBadOption, /* == unknown option */
26 /* Portable-specific options */
29 /* Standard Options */
30 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
31 sPermitRootLogin, sLogFacility, sLogLevel,
34 { "usepam", sUnsupported, SSHCFG_GLOBAL },
37 + { "usechroot", sUseChroot, SSHCFG_GLOBAL },
39 + { "usechroot", sUnsupported, SSHCFG_GLOBAL },
41 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
42 /* Standard Options */
43 { "port", sPort, SSHCFG_GLOBAL },
45 intptr = &options->use_pam;
49 + intptr = &options->use_chroot;
52 /* Standard Options */
55 --- openssh-3.7.1p2/servconf.h 2003-09-02 14:58:22.000000000 +0200
56 +++ openssh-3.7.1p2.pius/servconf.h 2003-10-07 20:49:08.000000000 +0200
58 int max_startups_rate;
60 char *banner; /* SSH-2 banner message */
61 + int use_chroot; /* Enable chrooted enviroment support */
63 int client_alive_interval; /*
64 * poke the client this often to
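Review bot: The comment on the new `use_chroot` field (line 61) misspells "environment" and does not record that the field is tri-state: the servconf.c part of this patch initialises it to -1 and the defaulting code later resolves -1 to 0, so a reader of the header has no way to know that -1 means "not set in sshd_config". A comment along the lines of `int use_chroot; /* Enable chrooted environment support; -1 = unset */` would match the `use_pam` convention the file already follows. Note also that this hunk is against openssh-3.7.1p2/servconf.h while the servconf.c hunk above is against 4.4p1 and the manual hunks against 3.8p1; the mixed base versions suggest the patch was assembled from several rebases and should be checked for consistency against one tree.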
65 --- ./session.c.org 2008-05-05 16:22:11.935003283 +0200
66 +++ ./session.c 2008-05-05 16:32:50.025507650 +0200
67 @@ -1492,6 +1492,10 @@ do_setusercontext(struct passwd *pw)
76 platform_setusercontext(pw);
78 @@ -1534,6 +1538,25 @@ do_setusercontext(struct passwd *pw)
83 + } else if (options.use_chroot) {
84 + user_dir = xstrdup(pw->pw_dir);
85 + new_root = user_dir + 1;
87 + while((new_root = strchr(new_root, '.')) != NULL) {
89 + if(strncmp(new_root, "/./", 3) == 0) {
93 + if(chroot(user_dir) != 0)
94 + fatal("Couldn't chroot to user directory %s", user_dir);
95 + pw->pw_dir = new_root;
103 #ifdef HAVE_LOGIN_CAP
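Review bot: After `chroot(user_dir)` succeeds (line 93) the hunk only reassigns `pw->pw_dir`; no `chdir()` into the new root is visible, so until some later code changes directory the process keeps a working directory that lies outside the jail, which leaves the chroot incomplete. Adding `if (chdir("/") != 0) fatal("Couldn't chdir to new root %s", user_dir);` directly after the chroot call closes that gap regardless of what the caller does afterwards. The visible lines also apply no ownership or mode check to `user_dir` before it becomes the root; a root that the user can write to undermines the jail, so a stat-based check (every component owned by root and not group- or world-writable) should precede the chroot, and its failure should be reported through `fatal()` like the chroot failure is. Several lines of this hunk are not shown (for example between lines 85 and 89) and do_setusercontext begins and ends outside it, so how `new_root` is adjusted before the `strncmp` against "/./" cannot be judged from here.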
104 --- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200
105 +++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200
107 # and ChallengeResponseAuthentication to 'no'.
110 +# Set this to 'yes' to enable support for chrooted user environment.
111 +# You must create such environment before you can use this feature.
114 #AllowAgentForwarding yes
116 # http://securitytracker.com/alerts/2004/Sep/1011143.html
117 --- openssh-4.4p1/sshd_config.0.orig 2006-09-26 13:03:48.000000000 +0200
118 +++ openssh-4.4p1/sshd_config.0 2006-10-05 10:11:41.615971000 +0200
119 @@ -921,6 +921,16 @@ DESCRIPTION
120 TrustedUserCAKeys. For more details on certificates, see the
121 CERTIFICATES section in ssh-keygen(1).
124 + Specifies whether to use chroot-jail environment with ssh/sftp,
125 + i.e. restrict users to a particular area in the filesystem. This
126 + is done by setting user home directory to, for example,
127 + /path/to/chroot/./home/username. sshd looks for a '.' in the
128 + users home directory, then calls chroot(2) to whatever directory
129 + was before the . and continues with the normal ssh functionality.
130 + For this to work properly you have to create special chroot-jail
131 + environment in a /path/to/chroot directory.
133 UseDNS Specifies whether sshd(8) should look up the remote host name,
134 and to check that the resolved host name for the remote IP
135 address maps back to the very same IP address.
136 --- openssh-3.8p1/sshd_config.5.orig 2004-02-18 04:31:24.000000000 +0100
137 +++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100
139 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
140 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
143 +Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
144 +users to a particular area in the filesystem. This is done by setting user
145 +home directory to, for example, /path/to/chroot/./home/username.
147 +looks for a '.' in the users home directory, then calls
149 +to whatever directory was before the . and continues with the normal ssh
150 +functionality. For this to work properly you have to create special chroot-jail
151 +environment in a /path/to/chroot directory.
153 Specifies whether the system should send TCP keepalive messages to the