DotNux – Unix/Linux Technical Mini Howto

June 30, 2009

“jail” sftp (OpenSSH based) to user’s home directory using ChrootDirectory option on Centos 5

Filed under: Centos 5 — Tags: , — admin @ 3:07 pm

You probably do not want to open FTP as it’s insecure, and open up SFTP, for example, you want your dreamweaver users’ SFTP option.  But, the problem here is that, SFTP uses SSH, which will give entire Linux / directory.  You want to disable SSH shell access, but, enable SFTP to their home directory only.
dreamweaver_sftp

First, you need latest version of OpenSSH (5.2 at this moment) for ChrootDirectory option to work.

If you try # yum install openssh, and it may give option of 4.2 only, then, you have to install OpenSSH 5.2 manually.
See this post on how to install OpenSSH 5.2 yourself.

Now that you have at least OpenSSH 5.2, let’s modify /etc/ssh/sshd_config

#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftp
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

# comment this line below
#Subsystem sftp /usr/libexec/openssh/sftp-server

# add these lines

Subsystem sftp internal-sftp
Match Group sftp
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

save it, and execute: (username is the user name of the account that you want to give sftp access)

# groupadd sftp
# useradd username
# passwd username
(set the password of user)
# usermod -d / username
# usermod -g sftp username
(user must have a group of 'sftp')
# chown root.root /home/username

Voila! Try to connect your server via SFTP, and it works indeed.

Install OpenSSH 5.2 on CentOS 5

Filed under: Centos 5 — Tags: — admin @ 2:56 pm

Centos 5 yum doesn’t seem to support latest OpenSSH 5.2 which support many features. (it’s like 4.2)

Make sure you have development tools:

# yum install gcc
# yum install openssl-devel
# yum install pam-devel
# yum install rpm-build

And then download openssh 5.2p1

# wget ftp://mirror.planetunix.net/pub/OpenBSD/OpenSSH/portable/openssh-5.2p1.tar.gz

Now, we’re going to build RPM based on tar.gz file:

# tar xvfz openssh-5.2p1.tar.gz
# cp ./openssh-5.2p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
# cp  ./openssh-5.2p1.tar.gz /usr/src/redhat/SOURCES/
# cd /usr/src/redhat/SPECS/
# perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec
# rpmbuild -bb openssh.spec
# cd /usr/src/redhat/RPMS/`uname -i`
# ls -l

drwxr-xr-x 2 root root   4096 Jun 30 12:39 .
drwxr-xr-x 9 root root   4096 Jun 30 12:35 ..
-rw-r--r-- 1 root root 271758 Jun 30 12:39 openssh-5.2p1-1.i386.rpm
-rw-r--r-- 1 root root 429852 Jun 30 12:39 openssh-clients-5.2p1-1.i386.rpm
-rw-r--r-- 1 root root 268302 Jun 30 12:39 openssh-server-5.2p1-1.i386.rpm

-rw-r--r-- 1 root root 271758 Jun 30 12:39 openssh-5.2p1-1.i386.rpm
-rw-r--r-- 1 root root 429852 Jun 30 12:39 openssh-clients-5.2p1-1.i386.rpm
-rw-r--r-- 1 root root 268302 Jun 30 12:39 openssh-server-5.2p1-1.i386.rpm

# rpm -Uvh openssh*rpm
Preparing... ################################
1: openssh ####
2: openssh-clients ####
3: openssh-server ####
# service sshd restart

Then, RPM version of SSH installs.  After restarting, it may say initlog is obsolete, but, you can ignore as that option is deprecated.

Powered by WordPress