OpenSSH (GNU/Linux) chroot patch for openssh-5.2p1 To chroot a SSH session into ~/ by using /./ in homedir path example: ~# useradd -d /home/sn00p/./ sn00p ~# cat /etc/passwd | grep sn00p sn00p:x:10000:10000::/home/sn00p/./:/bin/bash download & unpack the source: ~# cd /usr/src ~# wget ftp://mirror.switch.ch/pub/OpenBSD/OpenSSH/portable/openssh-5.2p1.tar.gz ~# tar zxf openssh-5.2p1.tar.gz download patch & apply to source: ~# cd /usr/src/openssh-5.2p1 ~# wget http://www.cybnet.ch/misc/openssh-5.2p1-chroot.patch ~# patch -p0 < openssh-5.2p1-chroot.patch configure & compile: ~# ./configure --your-options ~# make Original patch by Ricardo Cerqueira Updated for OpenSSH 5 by Mike Mueller ====================================================================================
diff -u openssh-5.2p1/session.c.orig openssh-5.2p1/session.c
--- session.c.orig 2009-22-01 09:46:01.000000000 +0100
+++ session.c 2009-03-02 13:34:59.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.245 2009/01/22 09:46:01 djm Exp $ */
+/* $OpenBSD: session.c,v 1.245-sn0 2009/03/02 13:33:00 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
@@ -91,6 +91,8 @@
 #include "monitor_wrap.h"
 #include "sftp.h"
+#define CHROOT
+
 #if defined(KRB5) && defined(USE_AFS)
 #include
 #endif
@@ -1459,6 +1461,12 @@
 {
 char *chroot_path, *tmp;
+#ifdef CHROOT
+ char *user_dir;
+ char *new_root;
+#endif
+
+
 #ifdef WITH_SELINUX
 /* Cache selinux status for later use */
 (void)ssh_selinux_enabled();
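Review bot: `#define CHROOT` is hard-coded into session.c, so the `#ifdef CHROOT` guards placed around the new code in the later hunks can never be false and the feature cannot be switched off without editing the source again. Supply the symbol from the build instead and keep the guards, e.g. `CFLAGS=-DCHROOT ./configure ...` or a configure switch, so a stock build of this file stays identical to upstream; the two empty `+` lines added after the `new_root` declaration in the third hunk can be dropped at the same time. The surrounding include list and the start of the function that owns those declarations lie outside these hunks.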
@@ -1506,6 +1514,27 @@
 exit(1);
 }
 endgrent();
+
+#ifdef CHROOT
+ user_dir = xstrdup(pw->pw_dir);
+ new_root = user_dir + 1;
+
+ while((new_root = strchr(new_root, '.')) != NULL) {
+ new_root--;
+ if(strncmp(new_root, "/./", 3) == 0) {
+ *new_root = '\0';
+ new_root += 2;
+
+ if(chroot(user_dir) != 0)
+ fatal("Couldn't chroot to user directory %s", user_dir);
+
+ pw->pw_dir = new_root;
+ break;
+ }
+ new_root += 2;
+ }
+#endif
+
 # ifdef USE_PAM
 /*
 * PAM credentials may take the form of supplementary groups.
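Review bot: `chroot(user_dir)` is issued against a directory the logging-in user owns and can write to, with no ownership or mode check, and no `chdir("/")` follows it, so until the later chdir to pw->pw_dir the process still holds a working directory outside the new root. sshd's own ChrootDirectory handling in this same function (the `chroot_path`/`tmp` locals visible in the earlier hunk) refuses a root that is not root-owned and group/other-unwritable for precisely this reason, since a user-controlled root lets the user plant files that privileged code inside the jail will later trust; `ChrootDirectory %h` would give the same effect with that check intact. The new block also runs before the `# ifdef USE_PAM` session/setcred code that immediately follows it, so PAM is then invoked from inside the user's home tree where its modules and configuration will normally be absent. At minimum add the stat-based ownership/mode check and the chdir shown below (which, as with any sshd chroot, means the home directory itself must be root-owned and the user given a writable subdirectory), and guard the scan with `if (*user_dir == '\0') fatal("empty home directory for %s", pw->pw_name);` because `new_root = user_dir + 1` otherwise starts strchr one byte past the terminator of an empty pw_dir. do_setusercontext begins and ends outside this hunk.
```c
/* … unchanged: locate "/./" and NUL-terminate user_dir at it … */
struct stat st;
if (stat(user_dir, &st) == -1)
	fatal("stat(\"%s\"): %s", user_dir, strerror(errno));
if (st.st_uid != 0 || (st.st_mode & 022) != 0)
	fatal("bad ownership or modes for chroot directory %s", user_dir);
if (chroot(user_dir) != 0)
	fatal("Couldn't chroot to user directory %s", user_dir);
if (chdir("/") == -1)
	fatal("chdir(\"/\") after chroot to %s: %s", user_dir, strerror(errno));
pw->pw_dir = new_root;
/* … unchanged: break and loop advance … */
```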