
List:       centos
Subject:    Re: [CentOS] scp setup jailed chroot on Centos7
From:       Adrian Jenzer <a.jenzer () herzogdemeuron ! com>
Date:       2017-10-24 14:08:10
Message-ID: 214B6E3C0A8D8348831C5E52B2FB4A62A117BA0B () hersrv13

That's correct, forgot to mention it. We ended up using SFTP (or at least offering it to external).


-----Original Message-----
From: CentOS [mailto:centos-bounces@centos.org] On Behalf Of rainer@ultra-secure.de
Sent: Tuesday, 24 October 2017 15:24
To: CentOS mailing list
Subject: Re: [CentOS] scp setup jailed chroot on Centos7

On 2017-10-24 12:19, Adrian Jenzer wrote:

> Hi Rainer
> I would if I could but external offers only FTP and SCP...
> 
> Regards Adrian


AFAIK, for scp you need a proper shell.

I've done that exactly once (chrooted ssh) and it was such a pain that I 
vowed to never do it again.

The problem is that inside the chroot, you need:

  - name resolution
  - a minimal passwd/shadow/group file (or LDAP)
  - maybe for scp, you can get away with a rather minimal device-tree - 
but for actual SSH access, I needed a fairly complete device tree inside 
the chroot (ttys ...).
  - that was with FreeBSD 10, I never tried it with anything else (due to 
its history with jails, creating functional, limited chroot-environments 
is somewhat in its genes, so to speak)

Somebody sent me the link to these scripts:

https://github.com/codelibre-net/schroot

Maybe you can use those scripts - I've never tried them.


Also, there's scp-only:
https://github.com/scponly/scponly/wiki

Haven't used that in years, either.
Concern over that one seemed to be that it's "another" shell and nobody 
had apparently done a thorough audit of it.
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
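
The chroot prerequisites listed in the message above (name resolution, minimal account files, a minimal device tree), as an added example that is not part of the original thread: a POSIX shell check of a jail directory. The concrete file and device names are assumptions for a typical Linux/glibc system, and the writable-root check is an extra hardening check not mentioned in the thread.

```shell
#!/bin/sh
# Added example: audit a chroot tree for the prerequisites named in the thread.
# File and device names below are assumptions (typical Linux/glibc layout).

problems=0   # set by check_chroot: number of findings in the last run

check_chroot() {
    root=$1
    problems=0

    # Name resolution plus the minimal passwd/group databases.
    for f in etc/resolv.conf etc/nsswitch.conf etc/hosts etc/passwd etc/group; do
        if [ ! -f "$root/$f" ]; then
            echo "missing file:   /$f"
            problems=$((problems + 1))
        fi
    done

    # Minimal device tree: character devices only, a regular file does not count.
    for d in dev/null dev/zero dev/urandom; do
        if [ ! -c "$root/$d" ]; then
            echo "missing device: /$d"
            problems=$((problems + 1))
        fi
    done

    # A jail root writable by group or others lets the jailed account
    # replace the files checked above.
    if [ -n "$(find "$root" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "jail root is group/world writable: $root"
        problems=$((problems + 1))
    fi

    echo "$problems finding(s) for $root"
}

# Run against the directory given on the command line, if any.
if [ $# -gt 0 ]; then
    check_chroot "$1"
fi
```

Interactive SSH access needs more device nodes than this checks (the message mentions ttys); extend the device list accordingly.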