-diff -uNr openssh-3.7p1/session.c openssh-3.7p1-chroot/session.c
---- openssh-3.7p1/session.c Mon Sep 15 21:52:19 2003
-+++ openssh-3.7p1-chroot/session.c Tue Sep 16 14:23:34 2003
-@@ -62,6 +62,8 @@
- #include "ssh-gss.h"
+diff -urNp -x '*.orig' openssh-8.8p1.org/servconf.c openssh-8.8p1/servconf.c
+--- openssh-8.8p1.org/servconf.c 2021-09-26 16:03:19.000000000 +0200
++++ openssh-8.8p1/servconf.c 2021-12-09 20:13:16.486586503 +0100
+@@ -92,7 +92,9 @@ initialize_server_options(ServerOptions
+
+ /* Portable-specific options */
+ options->use_pam = -1;
+-
++
++ options->use_chroot = -1;
++
+ /* Standard Options */
+ options->num_ports = 0;
+ options->ports_from_cmdline = 0;
+@@ -279,6 +281,9 @@ fill_default_server_options(ServerOption
+ if (options->use_pam == -1)
+ options->use_pam = 0;
+
++ if (options->use_chroot == -1)
++ options->use_chroot = 0;
++
+ /* Standard Options */
+ if (options->num_host_key_files == 0) {
+ /* fill default hostkeys for protocols */
+@@ -486,6 +491,7 @@ typedef enum {
+ sBadOption, /* == unknown option */
+ /* Portable-specific options */
+ sUsePAM,
++ sUseChroot,
+ /* Standard Options */
+ sPort, sHostKeyFile, sLoginGraceTime,
+ sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
+@@ -538,6 +544,11 @@ static struct {
+ #else
+ { "usepam", sUnsupported, SSHCFG_GLOBAL },
#endif
++#ifdef CHROOT
++ { "usechroot", sUseChroot, SSHCFG_GLOBAL },
++#else
++ { "usechroot", sUnsupported, SSHCFG_GLOBAL },
++#endif /* CHROOT */
+ { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
+ /* Standard Options */
+ { "port", sPort, SSHCFG_GLOBAL },
+@@ -1332,6 +1343,10 @@ process_server_config_line_depth(ServerO
+ intptr = &options->use_pam;
+ goto parse_flag;
-+#define CHROOT
++ case sUseChroot:
++ intptr = &options->use_chroot;
++ goto parse_flag;
+
- /* func */
-
- Session *session_new(void);
-@@ -1227,6 +1229,12 @@
- void
+ /* Standard Options */
+ case sBadOption:
+ goto out;
+diff -urNp -x '*.orig' openssh-8.8p1.org/servconf.h openssh-8.8p1/servconf.h
+--- openssh-8.8p1.org/servconf.h 2021-09-26 16:03:19.000000000 +0200
++++ openssh-8.8p1/servconf.h 2021-12-09 20:13:16.486586503 +0100
+@@ -183,6 +183,7 @@ typedef struct {
+ int max_authtries;
+ int max_sessions;
+ char *banner; /* SSH-2 banner message */
++ int use_chroot; /* Enable chrooted enviroment support */
+ int use_dns;
+ int client_alive_interval; /*
+ * poke the client this often to
+diff -urNp -x '*.orig' openssh-8.8p1.org/session.c openssh-8.8p1/session.c
+--- openssh-8.8p1.org/session.c 2021-09-26 16:03:19.000000000 +0200
++++ openssh-8.8p1/session.c 2021-12-09 20:13:16.489919836 +0100
+@@ -1359,6 +1359,10 @@ void
do_setusercontext(struct passwd *pw)
{
-+
+ char uidstr[32], *chroot_path, *tmp;
+#ifdef CHROOT
+ char *user_dir;
+ char *new_root;
+#endif /* CHROOT */
-+
- #ifndef HAVE_CYGWIN
- if (getuid() == 0 || geteuid() == 0)
- #endif /* HAVE_CYGWIN */
-@@ -1264,6 +1272,27 @@
- exit(1);
- }
- endgrent();
-+
+
+ platform_setusercontext(pw);
+
+@@ -1401,6 +1405,29 @@ do_setusercontext(struct passwd *pw)
+ free(options.chroot_directory);
+ options.chroot_directory = NULL;
+ in_chroot = 1;
+#ifdef CHROOT
-+ user_dir = xstrdup(pw->pw_dir);
-+ new_root = user_dir + 1;
++ } else if (!in_chroot && options.use_chroot) {
++ user_dir = xstrdup(pw->pw_dir);
++ new_root = user_dir + 1;
+
-+ while((new_root = strchr(new_root, '.')) != NULL) {
-+ new_root--;
-+ if(strncmp(new_root, "/./", 3) == 0) {
-+ *new_root = '\0';
-+ new_root += 2;
++ while ((new_root = strchr(new_root, '.')) != NULL) {
++ new_root--;
++ if (strncmp(new_root, "/./", 3) == 0) {
++ *new_root = '\0';
++ new_root += 2;
+
-+ if(chroot(user_dir) != 0)
-+ fatal("Couldn't chroot to user directory % s", user_dir);
-+ pw->pw_dir = new_root;
++ if (chroot(user_dir) != 0)
++ fatal("Couldn't chroot to user directory %s", user_dir);
++ /* NOTE: session->pw comes from pwcopy(), so replace pw_dir this way (incompatible with plain getpwnam() or getpwnam_r()) */
++ free(pw->pw_dir);
++ pw->pw_dir = xstrdup(new_root);
++ in_chroot = 1;
+ break;
+ }
+ new_root += 2;
-+ }
++ }
++ free(user_dir);
+#endif /* CHROOT */
+ }
+
+ #ifdef HAVE_LOGIN_CAP
+diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config openssh-8.8p1/sshd_config
+--- openssh-8.8p1.org/sshd_config 2021-12-09 20:13:16.326586503 +0100
++++ openssh-8.8p1/sshd_config 2021-12-09 20:13:16.489919836 +0100
+@@ -85,6 +85,10 @@ GSSAPIAuthentication yes
+ # and KbdInteractiveAuthentication to 'no'.
+ UsePAM yes
+
++# Set this to 'yes' to enable support for chrooted user environment.
++# You must create such environment before you can use this feature.
++#UseChroot yes
+
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes
+ #GatewayPorts no
+diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config.0 openssh-8.8p1/sshd_config.0
+--- openssh-8.8p1.org/sshd_config.0 2021-09-26 16:06:42.000000000 +0200
++++ openssh-8.8p1/sshd_config.0 2021-12-09 20:13:16.489919836 +0100
+@@ -1053,6 +1053,16 @@ DESCRIPTION
+ TrustedUserCAKeys. For more details on certificates, see the
+ CERTIFICATES section in ssh-keygen(1).
+
++ UseChroot
++ Specifies whether to use chroot-jail environment with ssh/sftp,
++ i.e. restrict users to a particular area in the filesystem. This
++ is done by setting user home directory to, for example,
++ /path/to/chroot/./home/username. sshd looks for a '.' in the
++ users home directory, then calls chroot(2) to whatever directory
++ was before the . and continues with the normal ssh functionality.
++ For this to work properly you have to create special chroot-jail
++ environment in a /path/to/chroot directory.
+
- # ifdef USE_PAM
- /*
- * PAM credentials may take the form of supplementary groups.
+ UseDNS Specifies whether sshd(8) should look up the remote host name,
+ and to check that the resolved host name for the remote IP
+ address maps back to the very same IP address.
+diff -urNp -x '*.orig' openssh-8.8p1.org/sshd_config.5 openssh-8.8p1/sshd_config.5
+--- openssh-8.8p1.org/sshd_config.5 2021-09-26 16:03:19.000000000 +0200
++++ openssh-8.8p1/sshd_config.5 2021-12-09 20:13:16.489919836 +0100
+@@ -1697,6 +1697,16 @@ Gives the facility code that is used whe
+ The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+ LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
++.It Cm UseChroot
++Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
++users to a particular area in the filesystem. This is done by setting user
++home directory to, for example, /path/to/chroot/./home/username.
++.Nm sshd
++looks for a '.' in the users home directory, then calls
++.Xr chroot 2
++to whatever directory was before the . and continues with the normal ssh
++functionality. For this to work properly you have to create special chroot-jail
++environment in a /path/to/chroot directory.
+ .It Cm TCPKeepAlive
+ Specifies whether the system should send TCP keepalive messages to the
+ other side.