diff -urNp -x '*.orig' openssh-8.4p1.org/servconf.c openssh-8.4p1/servconf.c --- openssh-8.4p1.org/servconf.c 2020-09-27 09:25:01.000000000 +0200 +++ openssh-8.4p1/servconf.c 2021-03-01 11:30:33.634174889 +0100 @@ -92,7 +92,9 @@ initialize_server_options(ServerOptions /* Portable-specific options */ options->use_pam = -1; - + + options->use_chroot = -1; + /* Standard Options */ options->num_ports = 0; options->ports_from_cmdline = 0; @@ -301,6 +303,9 @@ fill_default_server_options(ServerOption if (options->use_pam == -1) options->use_pam = 0; + if (options->use_chroot == -1) + options->use_chroot = 0; + /* Standard Options */ if (options->num_host_key_files == 0) { /* fill default hostkeys for protocols */ @@ -502,6 +507,7 @@ typedef enum { sBadOption, /* == unknown option */ /* Portable-specific options */ sUsePAM, + sUseChroot, /* Standard Options */ sPort, sHostKeyFile, sLoginGraceTime, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, @@ -556,6 +562,11 @@ static struct { #else { "usepam", sUnsupported, SSHCFG_GLOBAL }, #endif +#ifdef CHROOT + { "usechroot", sUseChroot, SSHCFG_GLOBAL }, +#else + { "usechroot", sUnsupported, SSHCFG_GLOBAL }, +#endif /* CHROOT */ { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, /* Standard Options */ { "port", sPort, SSHCFG_GLOBAL }, @@ -1319,6 +1330,10 @@ process_server_config_line_depth(ServerO intptr = &options->use_pam; goto parse_flag; + case sUseChroot: + intptr = &options->use_chroot; + goto parse_flag; + /* Standard Options */ case sBadOption: return -1; diff -urNp -x '*.orig' openssh-8.4p1.org/servconf.h openssh-8.4p1/servconf.h --- openssh-8.4p1.org/servconf.h 2020-09-27 09:25:01.000000000 +0200 +++ openssh-8.4p1/servconf.h 2021-03-01 11:30:33.637508395 +0100 @@ -178,6 +178,7 @@ typedef struct { int max_authtries; int max_sessions; char *banner; /* SSH-2 banner message */ + int use_chroot; /* Enable chrooted enviroment support */ int use_dns; int client_alive_interval; /* * poke the client this often to diff -urNp -x '*.orig' openssh-8.4p1.org/session.c openssh-8.4p1/session.c --- openssh-8.4p1.org/session.c 2020-09-27 09:25:01.000000000 +0200 +++ openssh-8.4p1/session.c 2021-03-01 11:30:33.637508395 +0100 @@ -1367,6 +1367,10 @@ void do_setusercontext(struct passwd *pw) { char uidstr[32], *chroot_path, *tmp; +#ifdef CHROOT + char *user_dir; + char *new_root; +#endif /* CHROOT */ platform_setusercontext(pw); @@ -1409,6 +1413,29 @@ do_setusercontext(struct passwd *pw) free(options.chroot_directory); options.chroot_directory = NULL; in_chroot = 1; +#ifdef CHROOT + } else if (!in_chroot && options.use_chroot) { + user_dir = xstrdup(pw->pw_dir); + new_root = user_dir + 1; + + while ((new_root = strchr(new_root, '.')) != NULL) { + new_root--; + if (strncmp(new_root, "/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + + if (chroot(user_dir) != 0) + fatal("Couldn't chroot to user directory %s", user_dir); + /* NOTE: session->pw comes from pwcopy(), so replace pw_dir this way (incompatible with plain getpwnam() or getpwnam_r()) */ + free(pw->pw_dir); + pw->pw_dir = xstrdup(new_root); + in_chroot = 1; + break; + } + new_root += 2; + } + free(user_dir); +#endif /* CHROOT */ } #ifdef HAVE_LOGIN_CAP diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config openssh-8.4p1/sshd_config --- openssh-8.4p1.org/sshd_config 2021-03-01 11:30:33.370827964 +0100 +++ openssh-8.4p1/sshd_config 2021-03-01 11:30:33.637508395 +0100 @@ -85,6 +85,10 @@ GSSAPIAuthentication yes # and ChallengeResponseAuthentication to 'no'. UsePAM yes +# Set this to 'yes' to enable support for chrooted user environment. +# You must create such environment before you can use this feature. +#UseChroot yes + #AllowAgentForwarding yes # Security advisory: # http://securitytracker.com/alerts/2004/Sep/1011143.html diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config.0 openssh-8.4p1/sshd_config.0 --- openssh-8.4p1.org/sshd_config.0 2020-09-27 09:42:11.000000000 +0200 +++ openssh-8.4p1/sshd_config.0 2021-03-01 11:30:33.637508395 +0100 @@ -1011,6 +1011,16 @@ DESCRIPTION TrustedUserCAKeys. For more details on certificates, see the CERTIFICATES section in ssh-keygen(1). + UseChroot + Specifies whether to use chroot-jail environment with ssh/sftp, + i.e. restrict users to a particular area in the filesystem. This + is done by setting user home directory to, for example, + /path/to/chroot/./home/username. sshd looks for a '.' in the + users home directory, then calls chroot(2) to whatever directory + was before the . and continues with the normal ssh functionality. + For this to work properly you have to create special chroot-jail + environment in a /path/to/chroot directory. + UseDNS Specifies whether sshd(8) should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config.5 openssh-8.4p1/sshd_config.5 --- openssh-8.4p1.org/sshd_config.5 2020-09-27 09:25:01.000000000 +0200 +++ openssh-8.4p1/sshd_config.5 2021-03-01 11:30:33.637508395 +0100 @@ -1640,6 +1640,16 @@ Gives the facility code that is used whe The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. +.It Cm UseChroot +Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict +users to a particular area in the filesystem. This is done by setting user +home directory to, for example, /path/to/chroot/./home/username. +.Nm sshd +looks for a '.' in the users home directory, then calls +.Xr chroot 2 +to whatever directory was before the . and continues with the normal ssh +functionality. For this to work properly you have to create special chroot-jail +environment in a /path/to/chroot directory. .It Cm TCPKeepAlive Specifies whether the system should send TCP keepalive messages to the other side.