Restricting ssh
I’m looking into using rssh, primarily for use at but also as a useful wrapper for ssh at home, allowing me to create ssh-enabled accounts for friends that I can then send into a chroot jail.
Trying this with Debian/sarge, I ran into one minor catch: The newer OpenSSH package uses /usr/lib/openssh/sftp-server while rssh assumes the path is /usr/lib/sftp-server, and it’s hard-coded in the binary.
The work-around is fairly straightforward:
- Create a symlink from the actual path to the expected path:
    ln -s /usr/lib/openssh/sftp-server /usr/lib/sftp-server
- Edit /etc/ssh/sshd_config and adjust the path for Subsystem sftp so it points to the path rssh expects.
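A check that both steps of the work-around are in place, added here as an example and not part of the original post or of rssh/OpenSSH. The helper names `sftp_subsystem_path` and `check_sftp_path` are hypothetical, and the script assumes a POSIX shell with awk.

```shell
#!/bin/sh
# Added example: verify the rssh / sftp-server path work-around.
# Helper names are hypothetical, not part of rssh or OpenSSH.
# Exit status of check_sftp_path:
#   0 = sshd_config and the expected path agree and the binary resolves
#   1 = sshd_config points "Subsystem sftp" somewhere else
#   2 = expected path is missing, a dangling symlink, or not executable
#   3 = no "Subsystem sftp" line found

# Print the command configured for "Subsystem sftp" (first match only).
# sshd_config keywords are case-insensitive; commented lines are skipped
# because their first field is "#" or "#Subsystem".
sftp_subsystem_path() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }' "$1"
}

check_sftp_path() {
    config=$1
    expected=$2
    configured=$(sftp_subsystem_path "$config")
    if [ -z "$configured" ]; then
        echo "no Subsystem sftp line in $config" >&2
        return 3
    fi
    if [ "$configured" != "$expected" ]; then
        echo "sshd_config uses $configured, rssh expects $expected" >&2
        return 1
    fi
    # -x follows symlinks, so a dangling link fails here.
    if [ ! -x "$expected" ]; then
        echo "$expected is missing, dangling or not executable" >&2
        return 2
    fi
    return 0
}

# Check the paths from the post when invoked as: script check
if [ "${1:-}" = "check" ]; then
    check_sftp_path /etc/ssh/sshd_config /usr/lib/sftp-server
fi
```

A non-zero status after an OpenSSH package upgrade means the symlink or the Subsystem line needs to be redone before rssh accounts can use sftp again.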
Not difficult once you see it, but initially I didn’t realize that the path for sftp-server wasn’t hard-coded in OpenSSH and wondered if I’d have to recompile it myself, so I spent some time digging around for precompiled fixed packages.
Now to set up a nice chroot jail to play with…
