net-misc/openssh package has a 'chroot' USE flag that applies a patch making sshd chroot on login. This approach is not very convenient because you have to set up the chroot environment for it to work. Since (IMHO) chroot for ssh is mainly used for chrooted sftp, I think that it is more reasonable to patch sftp-server itself. When set as a user's shell, it can freely chroot without the need for a prepared environment. So I propose the addition of a 'chroot_sftp' USE flag that will apply the following patch.
Created attachment 97348 [details, diff]
SFTP chroot patch

This is a slightly modified version of a patch found at http://web.archive.org/web/20040608153223/coding-zone.com/chroot+sftp-server.patch. Works perfectly for me.
Why don't you use net-misc/scponly for this?
(In reply to comment #2)
> Why don't you use net-misc/scponly for this?

Generally, I prefer to keep the list of apps I install on my servers short and trusted. But, anyways, thanks for the hint. I'll look into it.
(In reply to comment #3)
> (In reply to comment #2)
> > Why don't you use net-misc/scponly for this?
>
> Generally, I prefer to keep the list of apps I install on my servers short and trusted. But, anyways, thanks for the hint. I'll look into it.

Well, scponly is no better than the original openssh 'chroot' hack. It's just a shell wrapper and thus requires a chroot environment. It's not an implementation of the SFTP server. Patching the original sftp-server, on the other hand, provides a lightweight solution to the problem (although it's somewhat of a hack).
Created attachment 97359 [details, diff]
Slightly improved version of the sftpchroot patch

Changelog:
- Make sure that added code is consistently within #ifdef CHROOT
- Make a copy of getpwuid()->pw_dir before messing with it
- Don't include <syslog.h>, since the logging is done with internal helpers
- Move setuid check out of chroot_init function and clean it up a bit
Created attachment 97361 [details, diff]
openssh ebuild patch to support the sftpchroot USE flag

Add sftpchroot USE flag, apply the patch and setuid the sftp-server binary. The patch is against openssh-4.3_p2-r1.ebuild.
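The thread above describes a setuid-root sftp-server that chroots into the user's home directory on login and then drops privileges, and the changelog in the improved patch calls out two of the pitfalls (copying getpwuid()->pw_dir before it gets overwritten, and checking the setuid status outside chroot_init). The following is an added example, not code from the attached patch, from OpenSSH or from the Gentoo ebuild: it shows the order in which such a binary has to do chroot, chdir("/"), setgroups, setgid and setuid, validates its inputs before touching any privileged call, and verifies afterwards that root cannot be regained. The function names (valid_chroot_dir, privs_dropped, chroot_and_drop) and the surrounding main() are assumptions made for the example.

```c
/*
 * Added example (not the attached sftpchroot patch and not OpenSSH code):
 * the privilege-drop sequence a setuid-root sftp-server needs when it
 * chroots into the user's home directory. Function names are assumptions.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Only accept an absolute path without ".." components as a chroot target. */
static int valid_chroot_dir(const char *dir)
{
    if (dir == NULL || dir[0] != '/')
        return 0;
    if (strstr(dir, "/../") != NULL)
        return 0;
    size_t n = strlen(dir);
    if (n >= 3 && strcmp(dir + n - 3, "/..") == 0)
        return 0;
    return 1;
}

/* Returns 1 only if the process really runs as uid/gid and cannot get root back. */
static int privs_dropped(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return 0;                       /* "dropping" to root is never a drop */
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (setuid(0) == 0 || seteuid(0) == 0)
        return 0;                       /* regaining root must fail */
    return 1;
}

/*
 * chroot into dir, then become uid/gid. Requires euid 0 (the binary is
 * installed setuid root). Every step is fatal: a chroot without the
 * chdir("/") leaves the old cwd outside the jail, and groups must be
 * cleared before the uid is dropped or they cannot be cleared at all.
 */
static int chroot_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (!valid_chroot_dir(dir) || uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    if (geteuid() != 0) {
        errno = EPERM;                  /* setuid bit missing: refuse to run */
        return -1;
    }
    if (chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0)        /* drop supplementary groups first */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (!privs_dropped(uid, gid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid());  /* real uid = the logged-in user */
    if (pw == NULL) {
        fprintf(stderr, "getpwuid: %s\n", strerror(errno));
        return 1;
    }
    /* Copy pw_dir: any later getpw*() call reuses the same static buffer. */
    char *home = strdup(pw->pw_dir);
    if (home == NULL)
        return 1;
    uid_t uid = pw->pw_uid;
    gid_t gid = pw->pw_gid;

    if (chroot_and_drop(home, uid, gid) != 0) {
        fprintf(stderr, "chroot into %s failed: %s\n", home, strerror(errno));
        free(home);
        return 1;
    }
    printf("confined to %s as uid %u gid %u\n", home, (unsigned)uid, (unsigned)gid);
    free(home);
    /* A real sftp-server would enter its protocol loop here. */
    return 0;
}
```

Run as an ordinary user the program refuses to continue (euid is not 0), which is the intended behaviour: the patch only makes sense once the ebuild has installed the binary setuid root, and a binary that silently carries on without the chroot would expose the whole filesystem.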
openssh.org is the place to submit this