From 56f41ddc5472ef04f20c59ec94a74825b8439898 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 19 May 2008 14:28:19 +1000 Subject: [PATCH] - djm@cvs.openbsd.org 2008/04/04 06:44:26 [sshd_config.5] oops, some unrelated stuff crept into that commit - backout. spotted by jmc@ --- ChangeLog | 6 +++++- sshd_config.5 | 37 ++----------------------------------- 2 files changed, 7 insertions(+), 36 deletions(-) diff --git a/ChangeLog b/ChangeLog index dd8602954..f0ecbe21a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,10 @@ [sshd_config.5] ChrootDirectory is supported in Match blocks (in fact, it is most useful there). Spotted by Minstrel AT minstrel.org.uk + - djm@cvs.openbsd.org 2008/04/04 06:44:26 + [sshd_config.5] + oops, some unrelated stuff crept into that commit - backout. + spotted by jmc@ 20080403 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- @@ -3864,4 +3868,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4906 2008/05/19 04:27:42 djm Exp $ +$Id: ChangeLog,v 1.4907 2008/05/19 04:28:19 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index be3869713..601b56402 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.85 2008/04/04 05:14:38 djm Exp $ -.Dd $Mdocdate: April 4 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.86 2008/04/04 06:44:26 djm Exp $ +.Dd $Mdocdate: May 19 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
@@ -210,29 +210,6 @@ in-process sftp server is used (see .Cm Subsystem for details). .Pp -Please note that there are many ways to misconfigure a chroot environment -in ways that compromise security. -These include: -.Pp -.Bl -dash -offset indent -compact -.It -Making unsafe setuid binaries available; -.It -Having missing or incorrect configuration files in the chroot's -.Pa /etc -directory; -.It -Hard-linking files between the chroot and outside; -.It -Leaving unnecessary -.Pa /dev -nodes accessible inside the chroot (especially those for physical drives); -.It -Executing scripts or binaries inside the chroot from outside, either -directly or through facilities such as -.Xr cron 8 . -.El -.Pp The default is not to .Xr chroot 2 . .It Cm Ciphers @@ -363,11 +340,6 @@ Specifying a command of will force the use of an in-process sftp server that requires no support files when used with .Cm ChrootDirectory . -Note that -.Dq internal-sftp -is only supported when -.Cm UsePrivilegeSeparation -is enabled. .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to ports forwarded for the client. @@ -830,11 +802,6 @@ server. This may simplify configurations using .Cm ChrootDirectory to force a different filesystem root on clients. -Note that -.Dq internal-sftp -is only supported when -.Cm UsePrivilegeSeparation -is enabled. .Pp By default no subsystems are defined. Note that this option applies to protocol version 2 only.
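Review bot: In the sshd_config.5 hunk at @@ -34,8, the .Dd line changes from "$Mdocdate: April 4 2008 $" to "$Mdocdate: May 19 2008 $", while the $OpenBSD$ id directly above it records the revision being synced as 2008/04/04 06:44:26. May 19 is this commit's own Date header, so the new value looks like keyword expansion at import time rather than the document date of revision 1.86. Consider keeping April 4 2008 so the date shown in the rendered man page tracks the upstream revision.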
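Review bot: The log message does not say why the chroot caveats removed in the hunk at @@ -210,29 are being dropped beyond "unrelated stuff crept into that commit". That hunk deletes the whole list of misconfiguration pitfalls (unsafe setuid binaries, missing or incorrect files in the chroot's /etc, hard links across the chroot boundary, unnecessary /dev nodes, running chroot binaries from outside via cron), and afterwards the text goes straight from the Subsystem reference to "The default is not to chroot(2)" with no caveats at all. Please state in the log whether the text was wrong or only misplaced, and if it is meant to come back, land it as its own commit so the history shows it was reviewed.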
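Review bot: The hunk at @@ -363,11 (the entry just before GatewayPorts) removes the sentence that internal-sftp "is only supported when UsePrivilegeSeparation is enabled" without saying whether the statement is untrue or just premature. If the dependency is real, an administrator combining internal-sftp with ChrootDirectory has no way to learn it from this page after the backout. Please confirm which case applies in the commit message, and keep the sentence if the constraint holds.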
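Review bot: The sentence removed in the hunk at @@ -830,11 (the subsystems text) is word for word the one removed at @@ -363,11, so the commit being backed out had documented the same constraint in two places. If the note about internal-sftp and UsePrivilegeSeparation is reinstated later, state it once and point to it from the other entry with a .Cm cross-reference, so the two copies cannot drift apart.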