Just to be clear, that's not going to stop a determined attacker running arbitrary commands via distccd. It will stop people accidentally logging in.
I think you wouldn't need a specific sshd in the chroot - perhaps a little wrapper under the name 'distccd' that moves into that chroot would be enough, or perhaps we could do something through the users' shell. It would be nice to document/script this.

On Sun Nov 30 2014 at 1:03:12 PM Sebastian Wieseler <sebast...@nanofortnight.org> wrote:

> Hey Martin!
>
> On Mon, Nov 17, 2014 at 06:51:47PM +0000, Martin Pool wrote:
> > I don't recall the exact command, but it's probably going to be `distccd
> > --inet ...something...`. You might be able to see it in the distcc verbose
> > log.
>
> This really helped. :-)
> my .ssh/authorized_keys file looks now like:
> from="xxx.xxx.xxx.xxx",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,command="distccd --inetd" ssh-rsa …
>
> This works totally fine for me.
>
> The problem with a chroot would be, that you would need then a sshd in
> that chroot as well?
> To just encrypt the traffic and have some kind of authentication, a normal
> sshd should do the job as well.
> And since the distcc remote user can only execute "distccd --inetd" it
> should be ok :)
>
> Thank you very much again!
> Regards, Sebastian
>
> --
>  ,= ,-_-. =.         /"\
> ((_/)o o(\_))        \ /  ASCII Ribbon Campaign
>  `-'(. .)`-'    &&    X   against HTML e-mail
>      \_/             / \
__
distcc mailing list http://distcc.samba.org/
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/distcc
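
An added example, not part of the thread or of distcc: a Python check that each authorized_keys entry carries the restrictions shown in the message above (from=, the four no-* flags and the forced command `distccd --inetd`). The sample file, the address 192.0.2.10 and the key blobs are constructed; as the reply notes, this verifies the login restrictions only, not what can be run through distccd.

```python
import re

# Flags from the thread's entry, lower-cased (OpenSSH matches option names case-insensitively).
REQUIRED_FLAGS = ("no-agent-forwarding", "no-port-forwarding", "no-x11-forwarding", "no-pty")
EXPECTED_COMMAND = "distccd --inetd"
# name, optionally ="value"; the value may contain commas, spaces and \" escapes.
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')

def split_options(line):
    """Split one authorized_keys line into (options_text, key_part)."""
    if re.match(r"(ssh|ecdsa|sk)-", line):
        return "", line            # no options field: the key is unrestricted
    in_quotes, i = False, 0
    while i < len(line):
        if in_quotes and line[i] == "\\":
            i += 1                 # skip the escaped character
        elif line[i] == '"':
            in_quotes = not in_quotes
        elif line[i] in " \t" and not in_quotes:
            break                  # first unquoted blank ends the options
        i += 1
    return line[:i], line[i:].strip()

def audit_line(line):
    """Return findings for one entry; an empty list means it matches the thread's setup."""
    options_text, _key = split_options(line.strip())
    opts = {m.group(1).lower(): m.group(2) for m in OPTION_RE.finditer(options_text)}
    findings = [f"missing {flag}" for flag in REQUIRED_FLAGS if flag not in opts]
    if opts.get("command") != EXPECTED_COMMAND:
        findings.append(f"forced command is {opts.get('command')!r}")
    if not opts.get("from"):
        findings.append("no from= source restriction")
    return findings

def audit_file(text):
    """Map line number -> findings for each non-comment entry that has any."""
    entries = [(n, l) for n, l in enumerate(text.splitlines(), 1)
               if l.strip() and not l.lstrip().startswith("#")]
    return {n: f for n, l in entries if (f := audit_line(l))}

# Constructed sample: 192.0.2.10 is a documentation address, the key blobs are placeholders.
SAMPLE = '''# distcc build user
from="192.0.2.10",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,command="distccd --inetd" ssh-rsa AAAAB3PLACEHOLDER build@a
no-pty,command="distccd --inetd" ssh-rsa AAAAB3PLACEHOLDER build@b
ssh-rsa AAAAB3PLACEHOLDER build@c
'''

if __name__ == "__main__":
    for n, findings in audit_file(SAMPLE).items():
        print(f"line {n}: {', '.join(findings)}")
```

Entries that use OpenSSH's `restrict` option in place of the individual no-* flags are reported as missing them, so review those by hand.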