This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Chrooted OpenSSH for Windows (rssh sftp cygwin)

Thanks, Christian!

I actually got the chrooted sftp session to *work* (! shell commands still work). I made these changes:


chroot /cygdrive/c/StudentsShare /usr/sbin/sftp-server


Basically, I removed the 'exec' from the chroot call. I thought maybe there were insufficient dll's in the chroot C:\StudentsShare. I copied all the local files from the /usr, /bin and /etc folders to my chroot and still had the same problem with including the 'exec'. Does anyone know how the exec effects chroot call? I donât understand how the exec makes it more secure by replacing the current script process.
However, this doesn't stop a user from entering a ! command at the sftp prompt. I had some luck setting file privileges/ownership but that seems like a dangerous move to chmod/chown all the files outside of C:\StudentsShare.

Any ideas are welcome.

Also (in response to Christian Weinberger), I only need SFTP protocol 2.
I prefer to stick to SFTP just because it's easier to transfer a group of files and manipulate folders etc.

With time permitting for my project I may give scponly a try.

Christian Weinberger wrote:
John M. L. <john <at>> writes:

I've been trying to implement an sftp server using OpenSSH for Windows
(  I haven't found much recent discussion
on th topic of running OpenSSH in a chrooted jail on cygwin, but the
following messages from a year ago have shed some light on the topic:

I solved exactly the same problem using scponly (
The current version compiles easily under recent Cygwin releases.
You only have to modify the Makefile to include some libraries explicitly.

IÂd always try to have a binary as a chroot stub and not a shell script. If you use a shell script, you need bash and several supplemental programs in the chroot jail which all may contain security leaks.

The tool that I used has a make option to prepare the chroot jail. It copies all required files to the jail. So you may learn from it even if you decide to stay with rssh.

YouÂve to make another decision:
Do you only need to support sftp protocol version 2 or also older versions.
In the first case it should be sufficient to have sftp-server.exe in the chroot jail (plus a passwd & group). In the second case, youÂll need to have things like bash, ls, rm and others again.

Hope this helps a bit!

-- Unsubscribe info: Problem reports: Documentation: FAQ:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]