| version 1.84, 2008/03/25 11:58:02 |
version 1.85, 2008/04/04 05:14:38 |
|
|
| .Cm Subsystem |
.Cm Subsystem |
| for details). |
for details). |
| .Pp |
.Pp |
| |
Please note that there are many ways to misconfigure a chroot environment |
| |
in ways that compromise security. |
| |
These include: |
| |
.Pp |
| |
.Bl -dash -offset indent -compact |
| |
.It |
| |
Making unsafe setuid binaries available; |
| |
.It |
| |
Having missing or incorrect configuration files in the chroot's |
| |
.Pa /etc |
| |
directory; |
| |
.It |
| |
Hard-linking files between the chroot and outside; |
| |
.It |
| |
Leaving unnecessary |
| |
.Pa /dev |
| |
nodes accessible inside the chroot (especially those for physical drives); |
| |
.It |
| |
Executing scripts or binaries inside the chroot from outside, either |
| |
directly or through facilities such as |
| |
.Xr cron 8 . |
| |
.El |
| |
.Pp |
| The default is not to |
The default is not to |
| .Xr chroot 2 . |
.Xr chroot 2 . |
| .It Cm Ciphers |
.It Cm Ciphers |
|
|
| will force the use of an in-process sftp server that requires no support |
will force the use of an in-process sftp server that requires no support |
| files when used with |
files when used with |
| .Cm ChrootDirectory . |
.Cm ChrootDirectory . |
| |
Note that |
| |
.Dq internal-sftp |
| |
is only supported when |
| |
.Cm UsePrivilegeSeparation |
| |
is enabled. |
| .It Cm GatewayPorts |
.It Cm GatewayPorts |
| Specifies whether remote hosts are allowed to connect to ports |
Specifies whether remote hosts are allowed to connect to ports |
| forwarded for the client. |
forwarded for the client. |
|
|
| Available keywords are |
Available keywords are |
| .Cm AllowTcpForwarding , |
.Cm AllowTcpForwarding , |
| .Cm Banner , |
.Cm Banner , |
| |
.Cm ChrootDirectory , |
| .Cm ForceCommand , |
.Cm ForceCommand , |
| .Cm GatewayPorts , |
.Cm GatewayPorts , |
| .Cm GSSApiAuthentication , |
.Cm GSSApiAuthentication , |
|
|
| This may simplify configurations using |
This may simplify configurations using |
| .Cm ChrootDirectory |
.Cm ChrootDirectory |
| to force a different filesystem root on clients. |
to force a different filesystem root on clients. |
| |
Note that |
| |
.Dq internal-sftp |
| |
is only supported when |
| |
.Cm UsePrivilegeSeparation |
| |
is enabled. |
| .Pp |
.Pp |
| By default no subsystems are defined. |
By default no subsystems are defined. |
| Note that this option applies to protocol version 2 only. |
Note that this option applies to protocol version 2 only. |
![[BACK]](/icons/back.gif){kind=icon}
Return to sshd_config.5 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh