On Wed, Feb 3, 2010 at 9:26 AM, James B. Byrne byrnejb@harte-lyne.ca wrote:
On Wed, February 3, 2010 09:48, Ned Slider wrote:
James B. Byrne wrote:
Note: I am digest subscriber so if you could copy me directly on any reply to the list I would appreciate it very much.
<snip>
After a modest amount of research we decided that the best answer was to use a more recent version of OpenSSH (5.3p1) that supports chroot as a configurable option.
I've not tested it, but I believe the chroot stuff was backported some while ago:
Thank you very much for the information for I was not aware of this.
Unfortunately, having tested the CentOS stock sshd server I discover that this back-port is very similar to that of the sftponly hack of several years ago. It is not the configurable chroot of OpenSSH-5.3. To begin with, it very much appears from the documentation as if this is an all or nothing setting; if it is on then all ssh users are chrooted. Further, to use this feature with interactive sessions one must copy all of the requisite system utilities into directories under the chroot directory.
(For an interactive session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices.)
This is not a viable alternative since the system is remotely managed.
You mention two problems:
1. "all or nothing setting"
2. "copy all of the requisite system utilities"
As for #1, you could run two separate SSH daemons (using different ports), so that only 1 has the chroot option. Here's a discussion about how to run two separate SSH daemons: http://www.DaleDellutri.com/prog.html
As for #2, I don't understand how the fact that the system is remotely managed makes copying the files "not a viable alternative". Do you not have root access to the server? (I'm not criticising, I simply don't understand.)
So, I am left still seeking answers to my original questions.
- Is it possible to mount the selinux filesystem twice on the same host having different roots?
  If so, then how is this accomplished?
  If not, then is there anything else that I can do, besides disabling selinux support in the sshd daemon, to get OpenSSH-5.3 chroot to work with SELinux?
I am also interested in the answers to these questions.