Chroot in OpenSSH 62

Posted by ScuttleMonkey
from the making-life-easier-always-my-goal dept.
bsdphx writes "OpenSSH developers Damien Miller and Markus Friedl have recently added a nifty feature to make life easier for admins. Now you can easily lock an SSH session into a chroot directory, restrict them to a built-in sftp server and apply these settings per user. And it's dead simple to do. If you need to allow semi-trusted people on your computers, then you want this bad!"
  • Why bother? (Score:3, Insightful)

    by whoever57 (658626) on Wednesday February 20, 2008 @02:53PM (#22491700) Journal
    Didn't we just read that chroot "jails" are not secure?
    • Re:Why bother? (Score:4, Interesting)

      by Wesley Felter (138342) <wesley@felter.org> on Wednesday February 20, 2008 @03:02PM (#22491884) Homepage

      Didn't we just read that chroot "jails" are not secure?
      I've read those arguments and find them confusing. Sure, root can break out of a chroot, but what about non-root users?
      • I don't really know anything about chroot security either, but the first thing that occurs to me is that there's way too much code running/setuid'd as root or in kernel/driver space to just change the filesystem interface and expect that to be secure. You can't possibly lock down every interface in all of this code without a more pervasive solution.. especially since we can barely (read: we can't) keep code listening on internet-accessible ports secure from buffer/integer overflows and other tricky busine
        • is that cron and ls aren't in the chrooted filesystem. That's why they're (supposedly) more secure than just running the daemons "from" /.
    • Re:Why bother? (Score:5, Informative)

      by illegibledotorg (1123239) on Wednesday February 20, 2008 @03:06PM (#22491946)
      Giving someone a shell and putting them in a chroot crafted to look and function like a full system is one thing.

      Giving someone an SFTP session and chrooting them into a subdirectory is another thing.

      The feature added in this commit was arguably intended for the latter purpose given the additional changes to the SFTP subsystem that were included. There are countless tutorials and patches and scripts that are available to achieve chrooted SFTP-only access, but now it's been implemented in the core of OpenSSH. In my eyes, this solution is not only a "cleaner" solution to the problem, but it's probably more secure too.
      • by mike_sucks (55259)
        "Giving someone an SFTP session and chrooting them into a subdirectory is another thing."

        Yep, that's precisely why my ears perked up upon hearing this, for hosting providers that want to provide secure remote file access, this is awesome!

        /Mike

        • Re: (Score:2, Informative)

          by schon (31600)

          that's precisely why my ears perked up upon hearing this, for hosting providers that want to provide secure remote file access, this is awesome
          My question is: what took so long?

          The (now defunct) commercial SSH has had this feature for almost 10 years.
          • by mike_sucks (55259)
            Yeah, good question. I dunno - maybe everyone was standing around asking "when is someone going to do this?" and using FTP(S) in the mean time. I might have been. ;)

            /mike

    • Re:Why bother? (Score:5, Informative)

      by jandrese (485) <kensama@vt.edu> on Wednesday February 20, 2008 @03:07PM (#22491960) Homepage Journal
      They are probably better than giving semi-trusted users full filesystem access, even if they aren't perfect security. It's not even that chroot is inherently broken, it's just that people were using it incorrectly (setting it suid or letting the user become root inside of their jail). Most of the complaints seem to be "the user managed to get root and broke out of the jail", which is a problem with whatever allowed your user to become root in the first place, not the jail itself.

      Basically, to break out of a chroot you need to be root. If you're root, then you've already defeated the security on the box anyway. Don't let untrusted users become root.
    • Re:Why bother? (Score:5, Informative)

      by parcel (145162) on Wednesday February 20, 2008 @03:19PM (#22492130)

      Didn't we just read that chroot "jails" are not secure?
      You may want to take a look at http://www.openbsd.org/faq/faq10.html#httpdchroot [openbsd.org], especially the section titled "Should I use the chroot feature?".

      I imagine something similar would be forthcoming regarding OpenSSH specifically.
    • Re:Why bother? (Score:4, Informative)

      by jjohnson (62583) on Wednesday February 20, 2008 @03:21PM (#22492178) Homepage
      They're not secure for root users. That was the issue identified in the recent "read" you mention--someone was pointing out that root can break out in a particular way, and the kernel devs responded that 1) that was by design, and 2) locking that down left an infinite number of other ways to break out if you're root.

      For regular user accounts, a properly configured chroot jail is still a very useful security tool.
    • by ianezz (31449)
      Didn't we just read that chroot "jails" are not secure?

      Only when you have full shell access. This patch is just about confining sftp file transfers via chroot(2) for some users without the burden of setting up a full chrooted environment. Sounds really sweet.

    • by caseih (160668) on Wednesday February 20, 2008 @03:58PM (#22492632)
      The purpose of this feature doesn't seem to be to restrict what a shell user can do. Rather, if I read this correctly, it restricts what files a user can access via sftp. Without this feature, a user can sftp in, and then cd to / or any other folder that he has rights to. This chroot feature lets the admin limit the root to, say, his home directory, or some other folder such as a virtual web root or something.

      It's only natural that this same chroot feature would be added to sftp.
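The setup illegibledotorg and caseih describe (confine a group of accounts to the built-in sftp server below one directory) is, in released OpenSSH, a `Match` block using `ChrootDirectory` and `ForceCommand internal-sftp`. The part that trips people up is the rule sshd enforces on the chroot path: every component must be owned by root and must not be group- or world-writable, otherwise sshd refuses the login (that is what keeps a non-root user from planting files in the jail). The script below is an added example, not code from the OpenSSH project or from anyone in this thread: it prints such a Match block and checks a path against that ownership rule. It assumes GNU `stat` (`-c`); the group name `sftponly` and the path `/srv/sftp` are constructed sample values.

```shell
#!/bin/sh
# Added example (not OpenSSH's own code): emit the sshd_config Match block that
# confines one group to the built-in sftp server under a chroot, and check a
# chroot path against the rule sshd enforces on ChrootDirectory: every path
# component must be owned by root and not be group- or world-writable.
# Assumes GNU stat (-c %u / %a). "sftponly" and /srv/sftp are constructed values.

# Print a Match block for GROUP ($1), chrooted to DIR ($2), sftp only.
# Forwarding is switched off too, since these accounts get no shell.
sftp_match_block() {
    printf '%s\n' \
        "Match Group $1" \
        "    ChrootDirectory $2" \
        "    ForceCommand internal-sftp" \
        "    AllowTcpForwarding no" \
        "    X11Forwarding no"
}

# Pure check of one path component. UID is the numeric owner, MODE the octal
# mode as printed by 'stat -c %a' (755, 1777, 2775, ...). Returns 0 when the
# owner is CHROOT_OWNER_UID (default 0, root) and neither the group digit nor
# the other digit carries the write bit.
check_chroot_component() {
    uid=$1
    mode=$2
    want_uid=${CHROOT_OWNER_UID:-0}
    [ "$uid" = "$want_uid" ] || return 1
    other=${mode#"${mode%?}"}            # last octal digit (other)
    mode_head=${mode%?}
    group=${mode_head#"${mode_head%?}"}  # second-to-last octal digit (group)
    case $group$other in
        *[2367]*) return 1 ;;            # 2,3,6,7 are the digits with w set
    esac
    return 0
}

# Walk an absolute path from / down, checking every component. Prints the
# first offending component on stderr and returns 1; returns 0 when sshd
# would accept the path as a ChrootDirectory (ownership/mode-wise).
check_chroot_path() {
    target=$1
    case $target in
        /*) ;;
        *) echo "chroot path must be absolute: $target" >&2; return 1 ;;
    esac
    cur=/
    rest=${target#/}
    while :; do
        if [ ! -d "$cur" ]; then
            echo "not a directory: $cur" >&2
            return 1
        fi
        uid=$(stat -c %u "$cur") || return 1
        mode=$(stat -c %a "$cur") || return 1
        if ! check_chroot_component "$uid" "$mode"; then
            echo "rejected chroot component $cur (uid $uid, mode $mode)" >&2
            return 1
        fi
        [ -n "$rest" ] || return 0
        case $rest in
            */*) next=${rest%%/*}; rest=${rest#*/} ;;
            *)   next=$rest; rest= ;;
        esac
        [ -n "$next" ] || continue        # skip empty components from "//"
        if [ "$cur" = / ]; then cur=/$next; else cur=$cur/$next; fi
    done
}

# Usage with the sample values (run as root on the server; not executed here):
#   check_chroot_path /srv/sftp && sftp_match_block sftponly /srv/sftp >> /etc/ssh/sshd_config
# The users' writable area is a subdirectory below the jail, e.g. /srv/sftp/upload
# owned by the user, while /srv/sftp itself stays root-owned and mode 755.
```

Note that a path under `/tmp` fails the check by design: `/tmp` is world-writable, and sshd rejects it for exactly that reason even though it is owned by root. The same rule is why the chroot cannot simply be the user's own writable `$HOME`.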
  • Oh thank god (Score:3, Interesting)

    by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Wednesday February 20, 2008 @03:20PM (#22492144) Homepage Journal

    Now I can finally switch some customers from FTP to SFTP. Thanks for making this hugely useful change!

    Anyone know if SFTP logging will be added any time soon? That's the last missing feature I always have to manually patch in.

    • Re: (Score:3, Insightful)

      by pembo13 (770295)
      All we need now is some form of virtual user system that can be mapped to a real, unprivileged user, preferably with a flexible auth system.
      • For real? My sarcasm meter is out of whack today so I can't tell.

        • by pembo13 (770295)
          For real
          • OK, just checking. It's been a long day. :-)

            Anyway, would something like Kerberos fill the bill for you? I use it to navigate around our network, and it's not that hard to do once you get over the initial learning curve. If you're stuck working with Windows, you can even auth against an Active Directory domain.

      • I really love how vsftpd works.

        This is a "Very Secure FTP Daemon" I would love for it to be configured exactly the same, but
        the transport protocol would be Sech-file-xfer draft protocol (SFTP)

        vssftpd ?

        how about just a protocol option in the config of vsftpd...

    • by David_W (35680)

      That's the last missing feature I always have to manually patch in.

      I'm still hankering for tab completion in SFTP myself... maybe someday.

      • Re: (Score:3, Informative)

        by PylonHead (61401)
        Use lftp

        It will let you connect to sftp servers, and have a sane command line experience. It also has many nifty mirroring commands.
  • I was doing openssh(+sftp) with chroot on Solaris 2.6 several years ago. Does this have some Ubuntu GUI to make it easy or something?
    • Re: (Score:3, Informative)

      by Doctor Crumb (737936)
      This is news because the chroot and sftp server are now built in to the openssh binaries, so you don't have to manually set up the chroot. While there's no GUI, it is in fact now easier to set up such a thing.
    • by LurkerXXX (667952)
      Ubuntu GUI? Where do you get Ubuntu from? This is from the folks who make OpenSSH. And OpenSSH is made by the OpenBSD folks, not Ubuntu.

      This simply makes it much easier to do what many folks have been setting up manually for a long time. I'm hoping they'll follow it up with SCP support as well. Time to buy another CD set to support the project :)
  • Nothing New (Score:2, Informative)

    by NYFreddie (84863)
    This isn't really anything new. This functionality has existed as a patch for a while. It's still nice to see that it's finally being integrated into the main tree, though.
  • Does This Mean (Score:3, Interesting)

    by ajs318 (655362) <sd_resp2NO@SPAMearthshod.co.uk> on Wednesday February 20, 2008 @04:03PM (#22492700)
    Does this mean that I can give users shell access, by placing (hard links to) a stripped-down busybox and ash in $HOME/bin, and they won't be able to access anything outside the chroot environment? That could be sweet.
  • all that for sftp? (Score:4, Interesting)

    by sgt scrub (869860) <saintium@yahoo.cMENCKENom minus author> on Wednesday February 20, 2008 @04:06PM (#22492746)
    It is cool tech but not the way I would do things. WebDav with ApacheSSL properly installed is lots safer. IMHO there should never be user accounts on a machine, other than root and the person administrating the box.
    • by evilviper (135110) on Wednesday February 20, 2008 @07:07PM (#22495562) Journal

      WebDav with ApacheSSL properly installed is lots safer.

      Why? No privilege separation. A MUCH bigger code base.

      Not to mention fewer standalone programs.

      IMHO there should never be user accounts on a machine,

      Why not? The user security model is reliable and time tested. It does not require reinventing the "user". It does not depend on one program handling its own system of virtual permissions correctly. It does not depend on the security of a large program that users directly interact with.

      I can see ample reasons sftp is safer.
    • Re: (Score:1, Redundant)

      by weicco (645927)

      So you are running Apache as root? Scary.

  • This looks similar to the features in RSSH http://www.pizzashack.org/rssh/ [pizzashack.org]...
