author | Damien Miller <djm@mindrot.org> | 2008-02-10 22:40:12 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2008-02-10 22:40:12 +1100 |
commit | d8cb1f184f9acaae02bb4d15ce1e00ffbeeeac88 (patch) | |
tree | fb0100a74a6c870e835706aa487b54500510c5e1 /sshd_config.5 | |
parent | dfc24258a75a06ea8a3f56d99d3669e1a012a1dc (diff) |
- djm@cvs.openbsd.org 2008/02/08 23:24:07
[servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config]
[sshd_config.5]
add sshd_config ChrootDirectory option to chroot(2) users to a directory
and tweak internal sftp server to work with it (no special files in
chroot required). ok markus@
Diffstat (limited to 'sshd_config.5')
-rw-r--r-- | sshd_config.5 | 54 |
1 files changed, 52 insertions, 2 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index aa6720dc3..2f83bf2e1 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -34,8 +34,8 @@ | |||
34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
36 | .\" | 36 | .\" |
37 | .\" $OpenBSD: sshd_config.5,v 1.79 2008/01/01 09:27:33 dtucker Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.80 2008/02/08 23:24:07 djm Exp $ |
38 | .Dd $Mdocdate: January 1 2008 $ | 38 | .Dd $Mdocdate: February 8 2008 $ |
39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -173,6 +173,45 @@ All authentication styles from | |||
173 | are supported. | 173 | are supported. |
174 | The default is | 174 | The default is |
175 | .Dq yes . | 175 | .Dq yes . |
176 | .It Cm ChrootDirectory | ||
177 | Specifies a path to | ||
178 | .Xr chroot 2 | ||
179 | to after authentication. | ||
180 | This path, and all its components, must be root-owned directories that are | ||
181 | not writable by any other user or group. | ||
182 | .Pp | ||
183 | The path may contain the following tokens that are expanded at runtime once | ||
184 | the connecting user has been authenticated: %% is replaced by a literal '%', | ||
185 | %h is replaced by the home directory of the user being authenticated, and | ||
186 | %u is replaced by the username of that user. | ||
187 | .Pp | ||
188 | The | ||
189 | .Cm ChrootDirectory | ||
190 | must contain the necessary files and directories to support the | ||
191 | users' session. | ||
192 | For an interactive session this requires at least a shell, typically | ||
193 | .Xr sh 1 , | ||
194 | and basic | ||
195 | .Pa /dev | ||
196 | nodes such as | ||
197 | .Xr null 4 , | ||
198 | .Xr zero 4 , | ||
199 | .Xr stdin 4 , | ||
200 | .Xr stdout 4 , | ||
201 | .Xr stderr 4 , | ||
202 | .Xr arandom 4 | ||
203 | and | ||
204 | .Xr tty 4 | ||
205 | devices. | ||
206 | For file transfer sessions using | ||
207 | .Dq sftp , | ||
208 | no additional configuration of the environment is necessary if the | ||
209 | in-process sftp server is used (see | ||
210 | .Cm Subsystem | ||
211 | for details. | ||
212 | .Pp | ||
213 | The default is not to | ||
214 | .Xr chroot 2 . | ||
176 | .It Cm Ciphers | 215 | .It Cm Ciphers |
177 | Specifies the ciphers allowed for protocol version 2. | 216 | Specifies the ciphers allowed for protocol version 2. |
178 | Multiple ciphers must be comma-separated. | 217 | Multiple ciphers must be comma-separated. |
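Review bot: the parenthetical in the new ChrootDirectory text, "(see .Cm Subsystem for details.", is never closed; change "for details." to "for details)." so the rendered manual page does not leave an open parenthesis. Separately, the sentence "This path, and all its components, must be root-owned directories that are not writable by any other user or group" states a requirement but not what sshd does when it is not met; a sentence saying whether the session is refused on a failed ownership or permission check would let administrators tell a misconfiguration apart from an unenforced recommendation.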
@@ -740,11 +779,22 @@ The default is | |||
740 | Configures an external subsystem (e.g. file transfer daemon). | 779 | Configures an external subsystem (e.g. file transfer daemon). |
741 | Arguments should be a subsystem name and a command (with optional arguments) | 780 | Arguments should be a subsystem name and a command (with optional arguments) |
742 | to execute upon subsystem request. | 781 | to execute upon subsystem request. |
782 | .Pp | ||
743 | The command | 783 | The command |
744 | .Xr sftp-server 8 | 784 | .Xr sftp-server 8 |
745 | implements the | 785 | implements the |
746 | .Dq sftp | 786 | .Dq sftp |
747 | file transfer subsystem. | 787 | file transfer subsystem. |
788 | .Pp | ||
789 | Alternately the name | ||
790 | .Dq internal-sftp | ||
791 | implements an in-process | ||
792 | .Dq sftp | ||
793 | server. | ||
794 | This may simplify configurations using | ||
795 | .Cm ChrootDirectory | ||
796 | to force a different filesystem root on clients. | ||
797 | .Pp | ||
748 | By default no subsystems are defined. | 798 | By default no subsystems are defined. |
749 | Note that this option applies to protocol version 2 only. | 799 | Note that this option applies to protocol version 2 only. |
750 | .It Cm SyslogFacility | 800 | .It Cm SyslogFacility |
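Review bot: "Alternately the name .Dq internal-sftp ..." should read "Alternatively". The paragraph also says internal-sftp "may simplify configurations using ChrootDirectory" without giving the reason; the commit message supplies it (no special files are required inside the chroot), and adding that, e.g. "because it needs no support files inside the chroot", tells readers when to prefer internal-sftp over sftp-server(8) for chrooted file transfer.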