
According to the release notes, RHEL 5.4 included an update to set up chrooted SFTP accounts natively. But from what I am seeing, it is all or nothing. This means that even root is chrooted if you go this route.

Has anybody used this successfully? How did you configure it so that you could still do sysadmin tasks, if root is chrooted?

Thanks-

Josh

Josh Brower

3 Answers

3

I just built the tarballs from openssh.org for our RHEL5 boxes. Current OpenSSH has this chroot functionality built in and it's pretty easy to set up.

I think the RPM's from openssh.org even have a template spec file, so rebuilding an RPM is easy as pie too.

wzzrd
  • Can you describe how you are going to set it up? – Josh Brower Dec 22 '09 at 20:48
  • Just to be more clear, can you describe how you are going to set up sftp and chrooting for your users. – Josh Brower Dec 22 '09 at 23:16
  • I'm enjoying a nice vacation atm, so I can't check, but it's in the lines of what is described here: http://www.debian-administration.org/articles/590. (I cannot do syntaxy stuff in a comment, so I Googled you a solution that works similar to mine). – wzzrd Dec 23 '09 at 05:03
  • Instructions on how to build this: http://binblog.info/2009/02/27/packaging-openssh-on-centos/ – JamesHannah Jan 10 '11 at 16:52
0

One possibility is to set the root user home directory (or whoever the admin users are) to "/". I don't know what the downsides to this approach are, but it seems to work.

In my case, I'm considering setting

sshd_config:

# chroot to home directory. Root gets /. Users get /var/www.
ChrootDirectory %h
Subsystem       sftp    internal-sftp

passwd:

root:x:0:0:root:/:/bin/bash
joe:x:500:500::/var/www:/bin/bash

Then 'joe' will have a subfolder in /var/www that he has access to.

elijahbuck
  • Your solution requires OpenSSH 4.9 or higher which isn't available on RHEL 5.4 as an official package. There are also several other answers here pointing in that direction. – joschi Jan 09 '10 at 10:33
  • That's not correct. Red Hat partially backported the feature. See http://rhn.redhat.com/errata/RHSA-2009-1287.html – elijahbuck Jan 09 '10 at 16:57
  • However, only the `ChrootDirectory` config option was backported by Red Hat (as of openssh-4.3p2-36.el5.i386.rpm and up); the other config option normally used here is `Match` which is still not available as of openssh-server-4.3p2-72.el5_7.5 - though it's marvelous and wonderful that any backporting is happening at all. – Mei Nov 03 '11 at 22:18
0

This article describes how to build an RPM for CentOS 5 of a recent version of OpenSSH.

joschi
  • I am looking more for the configuration of the chroot + sftp setup than how to install openssh. – Josh Brower Dec 22 '09 at 22:13
  • OpenSSH 4.9 and higher comes with built-in chroot capability for `sftp-server` (and `internal-sftp`) which can be set up on a per-user basis. Since CentOS 5.4 comes with OpenSSH 4.3 you'd have to upgrade your OpenSSH installation if you do not want to use the patched chrooted SSH server which comes with your Linux distribution. – joschi Dec 22 '09 at 22:33
  • And BTW: you asked how to set up a recent version of OpenSSH in your comment to wzzrd's answer. – joschi Dec 22 '09 at 22:35