-rw-r--r-- | sshd_config.5 | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/sshd_config.5 b/sshd_config.5 index 88fe90193..3b809c28d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
@@ -33,8 +33,8 @@ | |||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
35 | .\" | 35 | .\" |
36 | .\" $OpenBSD: sshd_config.5,v 1.189 2015/01/13 07:39:19 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.190 2015/01/22 20:24:41 deraadt Exp $ |
37 | .Dd $Mdocdate: January 13 2015 $ | 37 | .Dd $Mdocdate: January 22 2015 $ |
38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
39 | .Os | 39 | .Os |
40 | .Sh NAME | 40 | .Sh NAME |
@@ -330,8 +330,10 @@ The default is | |||
330 | Specifies the pathname of a directory to | 330 | Specifies the pathname of a directory to |
331 | .Xr chroot 2 | 331 | .Xr chroot 2 |
332 | to after authentication. | 332 | to after authentication. |
333 | All components of the pathname must be root-owned directories that are | 333 | At session startup |
334 | not writable by any other user or group. | 334 | .Xr sshd 8 |
335 | checks that all components of the pathname are root-owned directories | ||
336 | which are not writable by any other user or group. | ||
335 | After the chroot, | 337 | After the chroot, |
336 | .Xr sshd 8 | 338 | .Xr sshd 8 |
337 | changes the working directory to the user's home directory. | 339 | changes the working directory to the user's home directory. |
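Review bot: The reworded sentence at new lines 333-336 turns the old requirement ("All components of the pathname must be root-owned directories") into a description of a check that sshd(8) performs "At session startup", so the page no longer tells the administrator that this is something they must set up. Suggest keeping the "must be" wording and adding the check as a second sentence. The text also does not say what happens when the check fails, and a reader may assume the startup check covers changes made to the path afterwards; one sentence on each would remove the ambiguity.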
@@ -368,6 +370,13 @@ inside the chroot directory on some operating systems (see | |||
368 | .Xr sftp-server 8 | 370 | .Xr sftp-server 8 |
369 | for details). | 371 | for details). |
370 | .Pp | 372 | .Pp |
373 | For safety, it is very important that the directory heirarchy be | ||
374 | prevented from modification by other processes on the system (especially | ||
375 | those outside the jail). | ||
376 | Misconfiguration can lead to unsafe environments which | ||
377 | .Xr sshd 8 | ||
378 | cannot detect. | ||
379 | .Pp | ||
371 | The default is not to | 380 | The default is not to |
372 | .Xr chroot 2 . | 381 | .Xr chroot 2 . |
373 | .It Cm Ciphers | 382 | .It Cm Ciphers |
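Review bot: "heirarchy" in added line 373 is misspelled and should read "hierarchy". The new paragraph also warns that misconfiguration leads to unsafe environments which sshd(8) cannot detect, but does not say what the administrator should verify; pointing back to the ownership and write-permission requirement stated earlier in this entry, and noting that it has to keep holding after session startup, would make the warning actionable.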