On Wed, Feb 3, 2010 at 9:26 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
>
> On Wed, February 3, 2010 09:48, Ned Slider wrote:
> > James B. Byrne wrote:
> >> Note: I am a digest subscriber so if you could copy me directly on
> >> any reply to the list I would appreciate it very much.
> >>
> >
> > <snip>
> >
> >> After a modest amount of research we decided that the
> >> best answer was to use a more recent version of OpenSSH
> >> (5.3p1) that supports chroot as a configurable option.
> >>
> >
> > I've not tested it, but I believe the chroot stuff was backported
> > some while ago:
> >
>
> Thank you very much for the information, for I was not aware of this.
>
> Unfortunately, having tested the CentOS stock sshd server I discover
> that this back-port is very similar to that of the sftponly hack of
> several years ago. It is not the configurable chroot of
> OpenSSH-5.3. To begin with, it very much appears from the
> documentation as if this is an all or nothing setting; if it is on
> then all ssh users are chrooted. Further, to use this feature with
> interactive sessions one must copy all of the requisite system
> utilities into directories under the chroot directory.
>
> (For an interactive session this requires at least a shell,
> typically sh(1), and basic /dev nodes such as null(4), zero(4),
> stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices.)
>
> This is not a viable alternative since the system is remotely managed.
>

You mention two problems:

1. "all or nothing setting"
2. "copy all of the requisite system utilities"

As for #1, you could run two separate SSH daemons (using different ports), so that only one has the chroot option. Here's a discussion about how to run two separate SSH daemons:
http://www.DaleDellutri.com/prog.html

As for #2, I don't understand how the fact that the system is remotely managed makes copying the files "not a viable alternative". Do you not have root access to the server?
(I'm not criticising, I simply don't understand.)

> So, I am left still seeking answers to my original questions.
>
> 1. Is it possible to mount the selinux filesystem twice on the same
> host having different roots?
>
> 2. If so, then how is this accomplished?
>
> 3. If not, then is there anything else that I can do, besides
> disabling selinux support in the sshd daemon, to get OpenSSH-5.3
> chroot to work with SELinux?
>

I am also interested in the answers to these questions.

--
Dale Dellutri
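The two-daemon setup suggested above, as an added example that is not part of this thread or of any poster's configuration. It assumes an OpenSSH 5.x sshd (the 5.3p1 line discussed here, which supports ChrootDirectory, Match blocks and internal-sftp), GNU stat(1), and illustrative values that are my own choices: a second config at /etc/ssh/sshd_config.chroot, port 2222 and a group named sftponly. It goes one step beyond the two-port idea by confining the chroot to one group with a Match block, and it uses ForceCommand internal-sftp so that SFTP-only users need no shell, utilities or /dev nodes copied into the chroot (interactive shell users would still need the populated chroot described above). The check function catches the ownership rule sshd enforces on ChrootDirectory, which is the usual reason a chrooted login fails with "bad ownership or modes for chroot directory" in the log. It says nothing about the SELinux questions, which the thread leaves open.

```shell
#!/bin/sh
# Added example (not from the thread): run a second, chroot-only sshd on its own port.
# Assumptions: OpenSSH 5.x sshd, GNU stat(1), and these illustrative values:
#   config path /etc/ssh/sshd_config.chroot, port 2222, group "sftponly".

# Write a minimal sshd_config for the second daemon. Only members of $group
# are chrooted, via a Match block; everyone else keeps using the stock sshd
# on port 22. ForceCommand internal-sftp means the chroot needs no copied
# binaries or /dev nodes, because the SFTP server runs inside sshd itself.
# With ChrootDirectory %h the home directory must be root-owned and not
# writable by the user, so uploads go into a user-owned subdirectory of it.
make_chroot_sshd_config() {
    out=$1
    port=${2:-2222}
    group=${3:-sftponly}
    cat > "$out" <<EOF
# Second sshd instance: chrooted SFTP only (generated example)
Port $port
PidFile /var/run/sshd-chroot.pid
HostKey /etc/ssh/ssh_host_rsa_key
Subsystem sftp internal-sftp
PasswordAuthentication no
AllowGroups $group
Match Group $group
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd refuses a ChrootDirectory unless every component of the path is owned
# by root and is neither group- nor world-writable. Walk from the chroot
# target up to / and report the first component that breaks the rule.
# Returns 0 when the whole path is acceptable, 1 otherwise.
check_chroot_path() {
    p=$1
    while :; do
        info=$(stat -c '%u %a' "$p" 2>/dev/null) || { echo "cannot stat $p" >&2; return 1; }
        set -- $info
        uid=$1
        mode=$(printf '%04d' "$2")              # e.g. 0755 or 1777
        go=$(printf '%s' "$mode" | tail -c 2)   # group and other digits
        g=${go%?}
        o=${go#?}
        if [ "$uid" != 0 ] || [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
            echo "bad ownership or modes for $p (uid=$uid mode=$mode)" >&2
            return 1
        fi
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Validate the generated config and start the second daemon beside the stock
# one: sshd -t only parses the file, sshd -f starts an instance using it.
# Not invoked here; it needs root and the host key named in the config.
start_chroot_sshd() {
    cfg=${1:-/etc/ssh/sshd_config.chroot}
    /usr/sbin/sshd -t -f "$cfg" && /usr/sbin/sshd -f "$cfg"
}
```

Typical use on the host would be `make_chroot_sshd_config /etc/ssh/sshd_config.chroot`, then `check_chroot_path /home/alice` for each chrooted account, then `start_chroot_sshd`. Note that a directory under /tmp can never pass the check, because /tmp itself is world-writable; that is sshd's rule, not the script's.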