LinuxQuestions.org


saskak 12-11-2008 04:49 AM

Chroot jail for sftp, Solaris 10, OpenSSH_5.1p1
 
The system is Solaris 10 with OpenSSH_5.1p1

I tried a few different ways to chroot a user, but the user can still browse around.
The user created: guests:guests
The entry in passwd:
guests:x:128:102:GuestFTP:/dir/./guests/:/usr/lib/ssh/sftp-server

done ftpconfig -d /dir/guests
created /etc/shells and /bin/true added
/etc/ftpd/ftpaccess modified to include:
guestuser guests
upload /dir/guests/pub * no
upload /dir/guests/pub /pub yes guests guests 0666 nodirs
upload /dir/guests/pub /pub yes guests guests 0666 nodirs

In this way the user guests can still browse the directories and is not jailed to his dir. When I changed the shell to /bin/true, the sftp closes straight after authentication with exit status 0. I also tried /usr/bin/true (was added to /etc/shells), but exit status 0 again.

The other way I tried:
added to the /etc/ssh/sshd_config
Subsystem sftp /usr/lib/ssh/sftp-server
Match Group guests
ChrootDirectory /dir/guests
ForceCommand /usr/lib/ssh/sftp-server
AllowTcpForwarding no

Then restarted the ssh, but ssh went into maintenance and reported Bad configuration option Match, the same for ChrootDirectory and ForceCommand.
I thought Match was valid for OpenSSH_5.

I have run out of options. I would really appreciate any help and comments. Thanks a lot.

eggixyz 12-14-2008 09:31 PM

Hey Saskak,

That's a big issue with Sol 10 (At least, it seems as though it all used to be so much easier ;)

Rather than going the full-chroot avenue (where you have to copy all the relevant binaries and libraries into the chrooted environment - so your user can do "ls", etc), check out this page. I've found it to be very helpful:

http://www.minstrel.org.uk/papers/sftp/

Best of luck to you!

, Mike
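
An added example, not part of the thread and not code from either poster: two checks to run against a Match/ChrootDirectory block like the one in the question before restarting sshd. It flags a chroot whose ForceCommand is an external binary instead of sshd's built-in internal-sftp, and verifies that every component of the chroot path is a root-owned directory that is not group- or world-writable, which sshd requires. The function names are made up here; it assumes a POSIX sh and awk (on Solaris 10, /usr/xpg4/bin/sh and nawk) and an sshd build that accepts Match and ChrootDirectory.

```shell
#!/bin/sh
# Added example, not from the thread: two checks to run before restarting sshd.

# lint_sftp_chroot FILE: report Match blocks that set ChrootDirectory without
# "ForceCommand internal-sftp" (an external sftp-server is absent from the jail).
lint_sftp_chroot() {
    awk '
        function report() {
            if (chroot != "" && force !~ /^internal-sftp( |$)/) {
                printf "Match %s: ChrootDirectory %s, ForceCommand %s\n",
                       block, chroot, (force == "" ? "(unset)" : force)
                bad = 1
            }
            chroot = ""; force = ""
        }
        NF == 0 || $1 ~ /^#/ { next }
        { key = tolower($1) }    # sshd_config keywords are case-insensitive
        key == "match" { report(); $1 = ""; block = substr($0, 2); inmatch = 1; next }
        inmatch && key == "chrootdirectory" { chroot = $2 }
        inmatch && key == "forcecommand" { $1 = ""; force = substr($0, 2) }
        END { report(); exit bad + 0 }' "$1"
}

# check_chroot_path DIR: succeed only if DIR and every parent up to / is a
# root-owned directory that is not group- or world-writable.
check_chroot_path() {
    case $1 in /*) p=$1 ;; *) echo "need an absolute path: $1"; return 2 ;; esac
    rc=0
    while :; do
        # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid
        ls -ldn "$p" 2>/dev/null | awk -v p="$p" '
            { seen = 1 }
            $1 !~ /^d/ { print p ": not a directory"; bad = 1 }
            $3 != 0 { print p ": owner uid " $3 ", must be 0"; bad = 1 }
            substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w" {
                print p ": group- or world-writable, mode " $1; bad = 1 }
            END { if (!seen) print p ": missing"; exit (bad || !seen) }' || rc=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Constructed sample: the sshd_config lines quoted in the question.
thread_block() {
    printf '%s\n' 'Subsystem sftp /usr/lib/ssh/sftp-server' 'Match Group guests' \
        'ChrootDirectory /dir/guests' 'ForceCommand /usr/lib/ssh/sftp-server' \
        'AllowTcpForwarding no'
}
```

Typical use: `thread_block > /tmp/block.conf; lint_sftp_chroot /tmp/block.conf; check_chroot_path /dir/guests`. Both functions print one line per finding and return non-zero when anything is wrong.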

