Results 1 to 3 of 3
Thread: SFTP server chrooted
Enjoy an ad free experience by logging in. Not a member yet? Register.
SFTP server chrooted
I have got allowsftp in my rssh.conf and I've also got /dev/null and /dev/log inside the jail, as well as library dependencies. I actually compiled a static openssh and static rssh to minimize the need for libraries inside the jails, so really I only have the following in my jail:
srw-rw-rw- 1 root root 0 Mar 26 18:49 dev/log crw-rw-rw- 1 root root 1, 3 Mar 27 14:43 dev/null -rw-r--r-- 1 root root 13 Mar 27 17:48 etc/group -rw-r--r-- 1 root root 44 Mar 27 16:49 etc/passwd -rw-r--r-- 1 root root 59 Mar 27 17:48 etc/shadow -rwxr-xr-x 1 root root 109696 Mar 27 14:40 lib/ld-linux.so.2 -rwxr-xr-x 1 root root 22456 Mar 27 14:40 lib/libcrypt.so.1 -rwxr-xr-x 1 root root 30836 Mar 27 14:41 lib/libnss_compat.so.2 -rwxr-xr-x 1 root root 578776 Mar 27 17:03 usr/bin/sftp usr/lib/misc: total 1108 -rwx--x--x 1 root root 573240 Mar 27 14:38 rssh_chroot_helper -rwxr-xr-x 1 root root 549164 Mar 27 14:39 sftp-server
Do you have a better way of doing a chrooted sftp server, perhaps without libraries inside the jail?
03-28-2007 #2Do you have a better way of doing a chrooted sftp server, perhaps without libraries inside the jail?
This is a common problem/question, and I haven't found a solution that I'm thrilled about yet. I will let you know if something revolutionary pans out of that discussion (assuming it's not FBSD-specific, that is).
What I have done in the past is used scponly which (I think) is pretty similar in concept to rssh. It's easy to install and configure. If you want to chroot the sftp sessions it is a bit more work, but it is all well documented. Using chrooted sftp w/ scponly means having another suid binary, though.
Anyway, good luck. I'll tack on a reply if I learn something relevant.
thanks i've switched to scponly as somebody said rssh was lame and I have to say that scponly seems easier, but so far my setup is not working with the chroot and I've been going nuts trying to make this work...