This is the mail archive of the
mailing list for the Cygwin project.
Re: Chrooted OpenSSH for Windows (rssh sftp cygwin)
- From: john m lauck <john at recaffeinated dot com>
- To: cygwin at cygwin dot com
- Date: Tue, 30 Nov 2004 22:42:21 -0500
- Subject: Re: Chrooted OpenSSH for Windows (rssh sftp cygwin)
- References: <BDCD3861.3BCFfirstname.lastname@example.org> <loom.20041130T143350email@example.com>
I actually got the chrooted sftp session to *work* (! shell commands
still work). I made these changes:
chroot /cygdrive/c/StudentsShare /usr/sbin/sftp-server
Basically, I removed the 'exec' from the chroot call. I thought maybe
there were insufficient dll's in the chroot C:\StudentsShare. I copied
all the local files from the /usr, /bin and /etc folders to my chroot
and still had the same problem with including the 'exec'. Does anyone
know how the exec affects the chroot call? I don't understand how the exec
makes it more secure by replacing the current script process.
However, this doesn't stop a user from entering a ! command at the sftp
prompt. I had some luck setting file privileges/ownership but that
seems like a dangerous move to chmod/chown all the files outside of
Any ideas are welcome.
Also (in response to Christian Weinberger), I only need SFTP protocol 2.
I prefer to stick to SFTP just because it's easier to transfer a group
of files and manipulate folders etc.
With time permitting for my project I may give scponly a try.
Christian Weinberger wrote:
John M. L. <john <at> recaffeinated.com> writes:
I've been trying to implement an sftp server using OpenSSH for Windows
(http://sshwindows.sourceforge.net). I haven't found much recent discussion
on the topic of running OpenSSH in a chrooted jail on cygwin, but the
following messages from a year ago have shed some light on the topic:
I solved exactly the same problem using scponly
The current version compiles easily under recent Cygwin releases.
You only have to modify the Makefile to include some libraries explicitly.
I'd always try to have a binary as a chroot stub and not a shell script. If you
use a shell script, you need bash and several supplemental programs in the
chroot jail which all may contain security leaks.
The tool that I used has a make option to prepare the chroot jail. It copies
all required files to the jail. So you may learn from it even if you decide to
stay with rssh.
You've to make another decision:
Do you only need to support sftp protocol version 2 or also older versions?
In the first case it should be sufficient to have sftp-server.exe in the chroot
jail (plus a passwd & group). In the second case, you'll need to have things
like bash, ls, rm and others again.
Hope this helps a bit!
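
The advice above about keeping the jail down to sftp-server.exe plus a passwd and group can be checked mechanically. The following is an added example, not part of either message: a POSIX shell audit that lists files in a jail beyond an allow-list. The paths in ALLOWED, the function names and the sample jails are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. ALLOWED is an assumed jail layout;
# extend it with any libraries your sftp-server build needs.
ALLOWED='etc/group
etc/passwd
usr/sbin/sftp-server.exe'

# List regular files in jail $1 that are not on the allow-list (sorted, relative).
jail_extras() {
    [ -d "$1" ] || return 2
    ( cd "$1" && find . -type f | sed 's|^\./||' | sort ) |
    while IFS= read -r f; do
        printf '%s\n' "$ALLOWED" | grep -Fxq -- "$f" || printf '%s\n' "$f"
    done
}

# List allow-listed files that are absent from jail $1.
jail_missing() {
    printf '%s\n' "$ALLOWED" | while IFS= read -r f; do
        [ -f "$1/$f" ] || printf '%s\n' "$f"
    done
}

# Succeed only when the jail exists and holds exactly the allow-listed files.
jail_is_minimal() {
    [ -d "$1" ] && [ -z "$(jail_extras "$1")" ] && [ -z "$(jail_missing "$1")" ]
}

# Build two constructed sample jails under directory $1: "minimal" (allow-list
# only) and "copied" (a shell and a tool added, as after copying /bin in).
make_sample_jails() {
    for j in minimal copied; do
        mkdir -p "$1/$j/usr/sbin" "$1/$j/etc" "$1/$j/bin"
        : > "$1/$j/usr/sbin/sftp-server.exe"
        : > "$1/$j/etc/passwd"
        : > "$1/$j/etc/group"
    done
    : > "$1/copied/bin/bash.exe"
    : > "$1/copied/bin/ls.exe"
}

# Demonstration on the constructed jails; point the functions at a real jail instead.
demo_dir=$(mktemp -d)
make_sample_jails "$demo_dir"
for j in minimal copied; do
    if jail_is_minimal "$demo_dir/$j"; then echo "$j: minimal"
    else echo "$j: extra files:"; jail_extras "$demo_dir/$j" | sed 's/^/  /'; fi
done
rm -rf "$demo_dir"
```

Every path the audit prints is a file reachable from inside the jail that the SFTP protocol 2 setup described above does not call for.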