Note on the SSH section that the chroot will not work if using the nodev option

in the partition and point to the latest ssh packages with the chroot patch, thanks
to Lutz Broedel for pointing these issues out.
parent d6c529a6
<!-- CVS revision of this document "$Revision: 1.19 $" -->
<!-- CVS revision of this document "$Revision: 1.20 $" -->
<appendix id="harden-step">The hardening process step by step
......@@ -1065,6 +1065,11 @@ start the <prgn>ssh</prgn> server <prgn>chroot</prgn>'ed with this command:
# chroot /var/chroot/ssh /sbin/sshd -f /etc/sshd_config
</example>
<p>Notice, however, that in order for SSH to work the partition where the
chroot is setup cannot be mounted with the <em>nodev</em> option. If you use
that option, then you will get the following error: <em>PRNG is not seeded</em>,
because <file>/dev/urandom</file> does not work in the chroot.
<sect>Using <package>pam_chroot</package>
<p>Probably the easiest way is to use the <package>pam_chroot</package>
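Review bot: the new paragraph on the nodev option names the failure (PRNG is not seeded) and its cause, but gives the reader no next step if the partition is already mounted with nodev. Suggest adding a sentence that says to place the chroot on a partition mounted without nodev, or to remount that partition, and that the chroot only needs the device files sshd actually uses, such as the /dev/urandom the paragraph already names. Two wording points in the same paragraph: "is setup" should read "is set up", and the error string is program output, so it would be better marked as literal text than with em.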
......@@ -1346,9 +1351,9 @@ is a patch available to add this functionality available from
in Debian).
The patch may be included in future releases of the OpenSSH package.
Emmanuel Lacour has <prgn>ssh</prgn> deb
packages with this feature at <url id="http://debian.home-dn.net/woody/ssh/">
but these might not be up-to-date.
Completing the compilation step is recommended, though.
packages for <em>sarge</em> with this feature. They are
available at <url id="http://debian.home-dn.net/sarge/ssh/">. Notice that
those might not be up to date so completing the compilation step is recommended.
<p>A description of all the necessary steps can be found at <url
id="http://mail.incredimail.com/howto/openssh/"> (though it is aimed
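Review bot: the replacement text pointing at http://debian.home-dn.net/sarge/ssh/ directs readers of a hardening manual to third-party sshd packages fetched over plain http, and the same sentence concedes that they "might not be up to date". Suggest stating explicitly that these are unofficial packages, and putting the compilation route first with the prebuilt packages as the fallback rather than the other way round. The sentence "Notice that those might not be up to date so completing the compilation step is recommended" also needs a comma before "so".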
......
<!-- CVS revision of this document "$Revision: 1.34 $" -->
<!-- CVS revision of this document "$Revision: 1.35 $" -->
<chapt>Introduction
<p>
......@@ -345,6 +345,18 @@ VPN section needs to be rewritten.
<sect id="changelog">Changelog/History:
<sect id="changelog">Changelog/History:
<sect1>Version 3.5 (November 2005)
<p>Changes by Javier Fernández-Sanguino Peña
<list>
<item>Note on the SSH section that the chroot will not work if using the nodev option
in the partition and point to the latest ssh packages with the chroot patch, thanks
to Lutz Broedel for pointing these issues out.
</list>
<sect1>Version 3.4 (August-September 2005)
<p>Changes by Javier Fernández-Sanguino Peña
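Review bot: the new changelog item says the change points to "the latest ssh packages", while the text added to the SSH section in this same commit warns that those packages "might not be up to date"; the two statements should agree. Suggest wording the item as pointing to the sarge ssh packages with the chroot patch, which is what the section text actually says. "Note on the SSH section" would also read better as "Note in the SSH section".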
......