<div class="gmail_quote">On Wed, Feb 3, 2010 at 9:26 AM, James B. Byrne <span dir="ltr"><<a href="mailto:byrnejb@harte-lyne.ca">byrnejb@harte-lyne.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im"><br>
On Wed, February 3, 2010 09:48, Ned Slider wrote:<br>
> James B. Byrne wrote:<br>
>> Note: I am digest subscriber so if you could copy me directly on<br>
>> any reply to the list I would appreciate it very much.<br>
>><br>
><br>
> <snip><br>
><br>
>> After a modest amount of research we decided that the<br>
>> best answer was to use a more recent version of OpenSSH<br>
>> (5.3p1)that supports chroot as a configurable option.<br>
>><br>
><br>
> I've not tested it, but I believe the chroot stuff was backported<br>
> some while ago:<br>
><br>
<br>
</div>Thank you very much for the information for I was not aware of this.<br>
<br>
Unfortunately, having tested the CentOS stock sshd server I discover<br>
that this back-port is very similar to that of the sftponly hack of<br>
several years ago. It is not the configurable chroot of<br>
OpenSSH-5.3. To begin with, it very much appears from the<br>
documentation as if this is an all or nothing setting; if it is on<br>
then all ssh users are chrooted. Further, to use this feature with<br>
interactive sessions one must copy all of the requisite system<br>
utilities into directories under the chroot directory.<br>
<br>
(For an interactive session this requires at least a shell,<br>
typically sh(1), and basic /dev nodes such as null(4), zero(4),<br>
stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices.)<br>
<br>
This is not a viable alternative since the system is remotely managed.<br></blockquote><div><br>You mention two problems:<br> 1. "all or nothing setting"<br> 2. "copy all of the requisite system utilities"<br>
<br>As for #1, you could run two separate SSH daemons (using different<br>ports), so that only 1 has the chroot option. Here's a discussion about<br>how to run two separate SSH daemons:<br> <a href="http://www.DaleDellutri.com/prog.html">http://www.DaleDellutri.com/prog.html</a><br>
<br>As for #2, I don't understand how the fact that the system is remotely<br>managed makes copying the files "not a viable alternative". Do you<br>not have root access to the server? (I'm not criticising, I simply don't<br>
understand.)<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
So, I am left still seeking answers to my original questions.<br>
<div class="im"><br>
1. Is it possible to mount the selinux filesystem twice on the same<br>
host having different roots?<br>
<br>
2. If so, then how is this accomplished?<br>
<br>
3. If not, then is there anything else that I can do, besides<br>
</div>disabling selinux support in the sshd daemon, to get OpenSSH-5.3<br>
chroot to work with SELinux?<br></blockquote><div><br>I am also interested in the answers to these questions. <br></div></div><br>-- <br>Dale Dellutri<br>