1 diff -urNp -x '*.orig' openssh-8.4p1.org/servconf.c openssh-8.4p1/servconf.c
2 --- openssh-8.4p1.org/servconf.c 2020-09-27 09:25:01.000000000 +0200
3 +++ openssh-8.4p1/servconf.c 2021-03-01 11:30:33.634174889 +0100
4 @@ -92,7 +92,9 @@ initialize_server_options(ServerOptions
6 /* Portable-specific options */
10 + options->use_chroot = -1;
12 /* Standard Options */
13 options->num_ports = 0;
14 options->ports_from_cmdline = 0;
15 @@ -301,6 +303,9 @@ fill_default_server_options(ServerOption
16 if (options->use_pam == -1)
19 + if (options->use_chroot == -1)
20 + options->use_chroot = 0;
22 /* Standard Options */
23 if (options->num_host_key_files == 0) {
24 /* fill default hostkeys for protocols */
25 @@ -502,6 +507,7 @@ typedef enum {
26 sBadOption, /* == unknown option */
27 /* Portable-specific options */
30 /* Standard Options */
31 sPort, sHostKeyFile, sLoginGraceTime,
32 sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
33 @@ -556,6 +562,11 @@ static struct {
35 { "usepam", sUnsupported, SSHCFG_GLOBAL },
38 + { "usechroot", sUseChroot, SSHCFG_GLOBAL },
40 + { "usechroot", sUnsupported, SSHCFG_GLOBAL },
42 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
43 /* Standard Options */
44 { "port", sPort, SSHCFG_GLOBAL },
45 @@ -1319,6 +1330,10 @@ process_server_config_line_depth(ServerO
46 intptr = &options->use_pam;
50 + intptr = &options->use_chroot;
53 /* Standard Options */
56 diff -urNp -x '*.orig' openssh-8.4p1.org/servconf.h openssh-8.4p1/servconf.h
57 --- openssh-8.4p1.org/servconf.h 2020-09-27 09:25:01.000000000 +0200
58 +++ openssh-8.4p1/servconf.h 2021-03-01 11:30:33.637508395 +0100
59 @@ -178,6 +178,7 @@ typedef struct {
62 char *banner; /* SSH-2 banner message */
63 + int use_chroot; /* Enable chrooted enviroment support */
65 int client_alive_interval; /*
66 * poke the client this often to
67 diff -urNp -x '*.orig' openssh-8.4p1.org/session.c openssh-8.4p1/session.c
68 --- openssh-8.4p1.org/session.c 2020-09-27 09:25:01.000000000 +0200
69 +++ openssh-8.4p1/session.c 2021-03-01 11:30:33.637508395 +0100
70 @@ -1367,6 +1367,10 @@ void
71 do_setusercontext(struct passwd *pw)
73 char uidstr[32], *chroot_path, *tmp;
79 platform_setusercontext(pw);
81 @@ -1409,6 +1413,29 @@ do_setusercontext(struct passwd *pw)
82 free(options.chroot_directory);
83 options.chroot_directory = NULL;
86 + } else if (!in_chroot && options.use_chroot) {
87 + user_dir = xstrdup(pw->pw_dir);
88 + new_root = user_dir + 1;
90 + while ((new_root = strchr(new_root, '.')) != NULL) {
92 + if (strncmp(new_root, "/./", 3) == 0) {
96 + if (chroot(user_dir) != 0)
97 + fatal("Couldn't chroot to user directory %s", user_dir);
98 + /* NOTE: session->pw comes from pwcopy(), so replace pw_dir this way (incompatible with plain getpwnam() or getpwnam_r()) */
100 + pw->pw_dir = xstrdup(new_root);
110 #ifdef HAVE_LOGIN_CAP
111 diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config openssh-8.4p1/sshd_config
112 --- openssh-8.4p1.org/sshd_config 2021-03-01 11:30:33.370827964 +0100
113 +++ openssh-8.4p1/sshd_config 2021-03-01 11:30:33.637508395 +0100
114 @@ -85,6 +85,10 @@ GSSAPIAuthentication yes
115 # and ChallengeResponseAuthentication to 'no'.
118 +# Set this to 'yes' to enable support for chrooted user environment.
119 +# You must create such environment before you can use this feature.
122 #AllowAgentForwarding yes
124 # http://securitytracker.com/alerts/2004/Sep/1011143.html
125 diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config.0 openssh-8.4p1/sshd_config.0
126 --- openssh-8.4p1.org/sshd_config.0 2020-09-27 09:42:11.000000000 +0200
127 +++ openssh-8.4p1/sshd_config.0 2021-03-01 11:30:33.637508395 +0100
128 @@ -1011,6 +1011,16 @@ DESCRIPTION
129 TrustedUserCAKeys. For more details on certificates, see the
130 CERTIFICATES section in ssh-keygen(1).
133 + Specifies whether to use chroot-jail environment with ssh/sftp,
134 + i.e. restrict users to a particular area in the filesystem. This
135 + is done by setting user home directory to, for example,
136 + /path/to/chroot/./home/username. sshd looks for a '.' in the
137 + users home directory, then calls chroot(2) to whatever directory
138 + was before the . and continues with the normal ssh functionality.
139 + For this to work properly you have to create special chroot-jail
140 + environment in a /path/to/chroot directory.
142 UseDNS Specifies whether sshd(8) should look up the remote host name,
143 and to check that the resolved host name for the remote IP
144 address maps back to the very same IP address.
145 diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config.5 openssh-8.4p1/sshd_config.5
146 --- openssh-8.4p1.org/sshd_config.5 2020-09-27 09:25:01.000000000 +0200
147 +++ openssh-8.4p1/sshd_config.5 2021-03-01 11:30:33.637508395 +0100
148 @@ -1640,6 +1640,16 @@ Gives the facility code that is used whe
149 The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
150 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
153 +Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
154 +users to a particular area in the filesystem. This is done by setting user
155 +home directory to, for example, /path/to/chroot/./home/username.
157 +looks for a '.' in the users home directory, then calls
159 +to whatever directory was before the . and continues with the normal ssh
160 +functionality. For this to work properly you have to create special chroot-jail
161 +environment in a /path/to/chroot directory.
163 Specifies whether the system should send TCP keepalive messages to the