RHEL 5.4 & Chrooted SFTP
I just built the tarballs from openssh.org for our RHEL5 boxes. Current OpenSSH has this chroot functionality built in and it's pretty easy to set up.
I think the RPMs from openssh.org even have a template spec file, so rebuilding an RPM is easy as pie too.
Author: Josh Brower
Information Security. SANS GSE #143. Course author of LearnOsquery.com. Lover of History & Coffee.
Updated on September 17, 2022

Comments
- Josh Brower (almost 2 years): According to the release notes, RHEL 5.4 included an update to set up chrooted SFTP accounts natively. But from what I am seeing, it is all or nothing: this means that even root is chrooted if you go this route.
  Has anybody used this successfully? How did you configure it so that you could still do sysadmin tasks, if root is chrooted?
  Thanks,
  Josh
- Josh Brower (over 14 years): Can you describe how you are going to set it up?
- Josh Brower (over 14 years): I am looking more for the configuration of the chroot + sftp setup than for how to install OpenSSH.
- joschi (over 14 years): OpenSSH 4.9 and higher comes with built-in chroot capability for sftp-server (and internal-sftp) which can be set up on a per-user basis. Since CentOS 5.4 comes with OpenSSH 4.3 you'd have to upgrade your OpenSSH installation if you do not want to use the patched chrooted SSH server which comes with your Linux distribution.
- joschi (over 14 years): And BTW: you asked how to set up a recent version of OpenSSH in your comment to wzzrd's answer.
- Josh Brower (over 14 years): Just to be more clear, can you describe how you are going to set up sftp and chrooting for your users?
- Govindarajulu (over 14 years): I'm enjoying a nice vacation atm, so I can't check, but it's along the lines of what is described here: debian-administration.org/articles/590. (I cannot do syntaxy stuff in a comment, so I Googled you a solution that works similar to mine.)
- joschi (over 14 years): Your solution requires OpenSSH 4.9 or higher, which isn't available on RHEL 5.4 as an official package. There are also several other answers here pointing in that direction.
- bdkosher (over 14 years): That's not correct. Red Hat partially backported the feature. See rhn.redhat.com/errata/RHSA-2009-1287.html
- icecbr (over 13 years): Instructions on how to build this: binblog.info/2009/02/27/packaging-openssh-on-centos
- Mei (over 12 years): However, only the ChrootDirectory config option was backported by Red Hat (as of openssh-4.3p2-36.el5.i386.rpm and up); the other config option normally used here is Match, which is still not available as of openssh-server-4.3p2-72.el5_7.5 - though it's marvelous and wonderful that any backporting is happening at all.
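The distinction the thread turns on, a global ChrootDirectory (all users, root included) versus one scoped to a Match block (OpenSSH 4.9 or newer), as an added example that is not from any poster above: a small sshd_config check that reports ChrootDirectory directives sitting outside any Match block. The function name and both sample configurations are constructed for this example.

```shell
#!/bin/sh
# Added check: report ChrootDirectory directives that sit outside any Match
# block in an sshd_config read from stdin. Outside Match, ChrootDirectory
# applies to every login, root included (the all-or-nothing behaviour the
# question describes). Returns 1 if any such directive is found, else 0.
global_chroot_directives() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        NF == 0 { next }                         # skip blank lines
        tolower($1) == "match" { in_match = 1; next }   # keywords are case-insensitive
        tolower($1) == "chrootdirectory" && !in_match {
            printf "line %d: ChrootDirectory %s applies to all users\n", NR, $2
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample 1: the RHEL 5 backport style, where Match is unavailable.
SAMPLE_GLOBAL='Subsystem sftp internal-sftp
ChrootDirectory /home/%u'

# Constructed sample 2: per-group chroot, which needs OpenSSH 4.9 or newer.
# The chroot path and every parent must be owned by root and not be
# group- or world-writable, or sshd refuses the login.
SAMPLE_MATCH='Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no'

for sample in "$SAMPLE_MATCH" "$SAMPLE_GLOBAL"; do
    if printf '%s\n' "$sample" | global_chroot_directives; then
        echo "ok: ChrootDirectory is scoped to a Match block or absent"
    fi
done
```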