[sshd_config.5]
oops, some unrelated stuff crept into that commit - backout.
spotted by jmc@
[sshd_config.5]
ChrootDirectory is supported in Match blocks (in fact, it is most useful
there). Spotted by Minstrel AT minstrel.org.uk
[sshd_config.5]
ChrootDirectory is supported in Match blocks (in fact, it is most useful
there). Spotted by Minstrel AT minstrel.org.uk
+ - djm@cvs.openbsd.org 2008/04/04 06:44:26
+ [sshd_config.5]
+ oops, some unrelated stuff crept into that commit - backout.
+ spotted by jmc@
20080403
- (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-
20080403
- (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-
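Review bot: the added ChangeLog entry says only that "some unrelated stuff" was backed out, without naming it. The sshd_config.5 part of this diff removes the chroot misconfiguration list and two copies of the internal-sftp note, so name those in the entry to let someone reading the ChangeLog alone tell which text went away.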
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.85 2008/04/04 05:14:38 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.86 2008/04/04 06:44:26 djm Exp $
.Dd $Mdocdate$
.Dt SSHD_CONFIG 5
.Os
.Dd $Mdocdate$
.Dt SSHD_CONFIG 5
.Os
.Cm Subsystem
for details).
.Pp
.Cm Subsystem
for details).
.Pp
-Please note that there are many ways to misconfigure a chroot environment
-in ways that compromise security.
-These include:
-.Pp
-.Bl -dash -offset indent -compact
-.It
-Making unsafe setuid binaries available;
-.It
-Having missing or incorrect configuration files in the chroot's
-.Pa /etc
-directory;
-.It
-Hard-linking files between the chroot and outside;
-.It
-Leaving unnecessary
-.Pa /dev
-nodes accessible inside the chroot (especially those for physical drives);
-.It
-Executing scripts or binaries inside the chroot from outside, either
-directly or through facilities such as
-.Xr cron 8 .
-.El
-.Pp
The default is not to
.Xr chroot 2 .
.It Cm Ciphers
The default is not to
.Xr chroot 2 .
.It Cm Ciphers
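Review bot: the block removed here is security guidance for ChrootDirectory (unsafe setuid binaries, missing or incorrect files in the chroot's /etc, hard links between the chroot and outside, unnecessary /dev nodes, execution from outside via cron 8), and after the removal the text goes straight from the Subsystem reference to "The default is not to chroot 2". The commit message calls the text unrelated, not incorrect, so if it is still wanted it should come back as its own commit with its own log entry rather than disappear in a backout.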
will force the use of an in-process sftp server that requires no support
files when used with
.Cm ChrootDirectory .
will force the use of an in-process sftp server that requires no support
files when used with
.Cm ChrootDirectory .
-Note that
-.Dq internal-sftp
-is only supported when
-.Cm UsePrivilegeSeparation
-is enabled.
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
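Review bot: with the "Note that internal-sftp is only supported when UsePrivilegeSeparation is enabled" lines removed, this paragraph no longer states any precondition for the in-process sftp server used with ChrootDirectory. If that restriction is real, document it in the same commit as the code that enforces it; if it is not, the backout is correct and the log message should say the note was wrong rather than merely unrelated.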
This may simplify configurations using
.Cm ChrootDirectory
to force a different filesystem root on clients.
This may simplify configurations using
.Cm ChrootDirectory
to force a different filesystem root on clients.
-Note that
-.Dq internal-sftp
-is only supported when
-.Cm UsePrivilegeSeparation
-is enabled.
.Pp
By default no subsystems are defined.
Note that this option applies to protocol version 2 only.
.Pp
By default no subsystems are defined.
Note that this option applies to protocol version 2 only.
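Review bot: the five lines removed here are identical to the internal-sftp note removed in the previous hunk, so the backed-out commit carried the same statement in two places. If the note is reintroduced, state it once and refer to it from the other paragraph so the two copies cannot drift apart.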