[CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.
James B. Byrne
byrnejb at harte-lyne.ca
Wed Feb 3 15:26:51 UTC 2010
On Wed, February 3, 2010 09:48, Ned Slider wrote:
> James B. Byrne wrote:
>> Note: I am digest subscriber so if you could copy me directly on
>> any reply to the list I would appreciate it very much.
>> After a modest amount of research we decided that the
>> best answer was to use a more recent version of OpenSSH
>> (5.3p1)that supports chroot as a configurable option.
> I've not tested it, but I believe the chroot stuff was backported
> some while ago:
Thank you very much for the information for I was not aware of this.
Unfortunately, having tested the CentOS stock sshd server I discover
that this back-port is very similar to that of the sftponly hack of
several years ago. It is not the configurable chroot of
OpenSSH-5.3. To begin with, it very much appears from the
documentation as if this is an all or nothing setting; if it is on
then all ssh users are chrooted. Further, to use this feature with
interactive sessions one must copy all of the requisite system
utilities into directories under the chroot directory.
(For an interactive session this requires at least a shell,
typically sh(1), and basic /dev nodes such as null(4), zero(4),
stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices.)
This is not a viable alternative since the system is remotely managed.
So, I am left still seeking answers to my original questions.
1. Is it possible to mount the selinux filesystem twice on the same
host having different roots?
2. If so, then how is this accomplished?
3. If not, then is there anything else that I can do, besides
disabling selinux support in the sshd daemon, to get OpenSSH-5.3
chroot to work with SELinux?
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
More information about the CentOS