[sshd_config.5]
ChrootDirectory is supported in Match blocks (in fact, it is most useful
there). Spotted by Minstrel AT minstrel.org.uk
+ - djm@cvs.openbsd.org 2008/04/04 06:44:26
+ [sshd_config.5]
+ oops, some unrelated stuff crept into that commit - backout.
+ spotted by jmc@
20080403
- (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.85 2008/04/04 05:14:38 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.86 2008/04/04 06:44:26 djm Exp $
.Dd $Mdocdate$
.Dt SSHD_CONFIG 5
.Os
.Cm Subsystem
for details).
.Pp
-Please note that there are many ways to misconfigure a chroot environment
-in ways that compromise security.
-These include:
-.Pp
-.Bl -dash -offset indent -compact
-.It
-Making unsafe setuid binaries available;
-.It
-Having missing or incorrect configuration files in the chroot's
-.Pa /etc
-directory;
-.It
-Hard-linking files between the chroot and outside;
-.It
-Leaving unnecessary
-.Pa /dev
-nodes accessible inside the chroot (especially those for physical drives);
-.It
-Executing scripts or binaries inside the chroot from outside, either
-directly or through facilities such as
-.Xr cron 8 .
-.El
-.Pp
The default is not to
.Xr chroot 2 .
.It Cm Ciphers
will force the use of an in-process sftp server that requires no support
files when used with
.Cm ChrootDirectory .
-Note that
-.Dq internal-sftp
-is only supported when
-.Cm UsePrivilegeSeparation
-is enabled.
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
This may simplify configurations using
.Cm ChrootDirectory
to force a different filesystem root on clients.
-Note that
-.Dq internal-sftp
-is only supported when
-.Cm UsePrivilegeSeparation
-is enabled.
.Pp
By default no subsystems are defined.
Note that this option applies to protocol version 2 only.