James B. Byrne wrote:
Note: I am digest subscriber so if you could copy me directly on any reply to the list I would appreciate it very much.
<snip>
After a modest amount of research we decided that the best answer was to use a more recent version of OpenSSH (5.3p1) that supports chroot as a configurable option.
I've not tested it, but I believe the chroot stuff was backported some while ago:
# rpm -q --changelog openssh | more
* Tue Dec 01 2009 Jan F. Chadima jchadima@redhat.com - 4.3p2-40
- close error file descriptor before running external subsystem (#537348)

* Tue Sep 15 2009 Jan F. Chadima jchadima@redhat.com - 4.3p2-36.2
- minimize chroot patch to be compatible with upstream (#522141)

* Tue Jun 23 2009 Jan F. Chadima jchadima@redhat.com - 4.3p2-36
- tiny change in chroot sftp capability into openssh-server solve ls speed problem (#440240)

* Tue May 26 2009 Jan F. Chadima jchadima@redhat.com - 4.3p2-35
- workaround to plaintext recovery attack against CBC ciphers CVE-2008-5161 (#502230)

* Fri May 15 2009 Tomas Mraz tmraz@redhat.com - 4.3p2-34
- disable protocol 1 in the FIPS mode

* Thu Apr 30 2009 Jan F. Chadima jchadima@redhat.com - 4.3p2-33
- fix scp hangup on exit (#454812)
- call integrity checks only on binaries which are part of the OpenSSH FIPS modules

* Mon Apr 20 2009 Tomas Mraz tmraz@redhat.com - 4.3p2-32
- log if FIPS mode is initialized (#492363)
- check the integrity of the binaries in the FIPS mode (#467268)

* Wed Apr 08 2009 Jan F. Chadima jchadima@redhat.com - 4.3p2-31
- fix ssh hangup on exit (#454812)

* Fri Mar 27 2009 Jan F. Chadima jchadima@redhat.com - 4.3p2-30
- add chroot sftp capability into openssh-server (#440240)