The patches 148104-16 (Sparc) and 148105-16 (x86) and newer versions of these patches have introduced a new sshd_config keyword “Match” which can be used to restrict chroot setups to specific users, groups or other selection criteria.
This example will only work if you have installed the required patches mentioned earlier. You can use the command “showrev -p | grep 148104” (or 148105 in case of x86) to check and ensure that the revision -16 or newer is available.
This example will set up a chroot environment for the testuser without affecting other users. Note that the Match keyword has to be added at the end of the sshd_config file, and all lines following one Match clause belong together until either a new Match block starts or the end of the file has been reached.
1. Create the target chroot environment by using the ftpconfig command:
    # mkdir /export/home/chroot
    # ftpconfig -d /export/home/chroot/testuser
    Creating directory /export/home/chroot/testuser
    Updating directory /export/home/chroot/testuser
2. Create the user and assign a password:
    # useradd -d /export/home/chroot/testuser testuser
    # passwd testuser
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for testuser
3. Add the following chroot configuration lines to the file /etc/ssh/sshd_config:
    # vi /etc/ssh/sshd_config
    Match User testuser
    ChrootDirectory /export/home/chroot/testuser
Be sure that the configuration is at the end of the sshd_config file.
4. Restart the ssh service to activate the configuration change:
    # svcadm restart ssh
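The scoping rule above means a global directive appended after the Match block silently becomes conditional. The following check is an added example, not part of the original article: it lists every directive with the scope it falls in. The function names and the sample configuration are constructed for illustration; on Solaris 10, replace awk with nawk or /usr/xpg4/bin/awk, since the script relies on sub() and tolower().

```sh
#!/bin/sh
# Added example: list every sshd_config directive with the scope it falls in.
# A Match block runs until the next Match line or the end of the file,
# so anything placed after it is conditional, whatever the indentation.

# match_scope FILE -> lines of the form "<line no>: [<scope>] <directive>"
match_scope() {
    awk '
        BEGIN { scope = "global" }
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)        # indentation does not end a block
            sub(/[ \t]+$/, "", line)
            if (tolower($1) == "match") {   # keywords are case-insensitive
                scope = "Match" substr(line, 6)
                next
            }
            printf "%d: [%s] %s\n", NR, scope, line
        }
    ' "$1"
}

# scoped_count FILE -> number of directives that sit inside any Match block
scoped_count() {
    match_scope "$1" | awk '/\[Match /{ n++ } END { print n + 0 }'
}

# write_sample FILE -> writes a constructed sshd_config fragment for the demo
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system configuration
PermitRootLogin no
Match User testuser
    ChrootDirectory /export/home/chroot/testuser
X11Forwarding no
EOF
}

sample=$(mktemp)
write_sample "$sample"
match_scope "$sample"      # X11Forwarding is reported inside the Match block
echo "directives inside Match blocks: $(scoped_count "$sample")"
rm -f "$sample"
```

Run match_scope against /etc/ssh/sshd_config before restarting the service; any directive meant for all users that shows a Match scope has to be moved above the first Match line.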