Note to everyone: STOP USING FTP. THERE’S NO REASON TO USE FTP! We got rid of telnet years ago, it’s time to ditch conventional FTP, too.
CentOS + chroot’d SFTP With No Patches
One of our clients requires an sftp-accessible account on one of their systems, for their own clients to upload files to them. This is easy enough; the problem is that they’d really like their clients not to be able to poke around the file system of the box. This sounds like a job for chroot, no?
The problem with chroot and sftp is that it’s usually a pain to set up. Most of the documentation I’ve read makes references to grabbing the OpenSSH source and patching it. This is one of the most asinine ideas I’ve ever come across – to remove OpenSSH from your distribution’s package management system is asking to have your system compromised to hell and back. The good news is, there’s a way around this.
First, you want to grab an awesome little program called scponly.
tar -zxf the package somewhere (I suggest /opt or /usr/local/src) and change to the newly-created directory. Once there, carry out the following:
./configure --enable-winscp-compat --enable-scp-compat --enable-chrooted-binary
make
make install
Next, edit /etc/shells and add the following line to the bottom of the file:
/usr/local/sbin/scponlyc
Now change back to the scponly source directory and run:
make jail
Follow the prompts and it will create a user and home directory that is chrooted. However, for CentOS/RHEL, there are a few more steps we need to do manually. Change into the newly created home directory for your chrooted user. I’ll denote this directory in the following instructions as ~chroot/ (so ~chroot/etc/ is the etc directory inside the jail, not the system’s /etc).
Edit ~chroot/etc/ld.so.conf and replace the contents of that file with:
/lib
/usr/lib
After that, run:
ldconfig -r ~chroot/
cp /etc/group ~chroot/etc/
mkdir ~chroot/dev/
mknod ~chroot/dev/null c 1 3
chmod 666 ~chroot/dev/null
…And Bob’s your uncle. Unless you’re using SELinux, in which case, please view the CentOS section of scponly’s documentation (where I gathered the above info from) here.
This is quick, easy and leaves OpenSSH as it is on your system, preventing the impossible choice between having chroot, sftp and a nightmare of package mismanagement, or having sftp without chroot.
One final note: If you follow make jail’s suggestion, you’ll have a directory in the chrooted user’s home directory labelled ‘incoming’. If you want the user automatically taken to that directory upon logging in, modify the user’s home directory field in /etc/passwd along the following lines:
/home/directory/example//incoming
The // will cause the user to be moved to the following (in this case, incoming/) directory when they log in.
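As an added check that is not part of the post or of scponly, the following shell function audits a jail built with the steps above: the shell entry, the passwd entry (including the // start-directory trick), ld.so.conf and the ldconfig cache, the copied group file, and the /dev/null device node. The jail path and username are arguments; SHELLS_FILE and PASSWD_FILE default to the live system files and can be overridden to audit a copied tree.

```shell
#!/bin/sh
# Added sanity check for an scponly jail built per the steps in this post
# (not scponly's own code). Reports each problem and returns the number of
# failed checks, so 0 means the jail looks complete. Override the paths
# below when auditing a copied tree or in tests.
SHELLS_FILE="${SHELLS_FILE:-/etc/shells}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
SCPONLYC="${SCPONLYC:-/usr/local/sbin/scponlyc}"

fail() { echo "FAIL: $*" >&2; failures=$((failures + 1)); }
# usage: check_jail <jail root, i.e. ~chroot> <chrooted username>
check_jail() {
    jail="${1%/}"; user="$2"; failures=0
    # scponlyc must be listed in /etc/shells or sshd refuses the login
    grep -qxF "$SCPONLYC" "$SHELLS_FILE" || fail "$SCPONLYC not in $SHELLS_FILE"
    # shell must be scponlyc and home must lie in the jail; a '//' in the
    # home field names the start directory relative to the jail root
    entry=$(grep "^$user:" "$PASSWD_FILE" || true)
    if [ -z "$entry" ]; then
        fail "no passwd entry for $user"
    else
        shell=${entry##*:}
        home=$(printf '%s\n' "$entry" | cut -d: -f6)
        [ "$shell" = "$SCPONLYC" ] || fail "shell is '$shell', not $SCPONLYC"
        case "$home" in
            "$jail"//*) [ -d "$jail/${home##*//}" ] \
                || fail "start dir '${home##*//}' missing in $jail" ;;
            "$jail"*) ;;
            *) fail "home '$home' is outside jail $jail" ;;
        esac
    fi
    # the loader inside the jail needs its own ld.so.conf and cache
    for d in /lib /usr/lib; do
        grep -qxF "$d" "$jail/etc/ld.so.conf" 2>/dev/null \
            || fail "$d missing from $jail/etc/ld.so.conf"
    done
    [ -e "$jail/etc/ld.so.cache" ] || fail "ldconfig -r $jail was not run"
    # copied group file lets ls -l inside the jail resolve group names
    [ -f "$jail/etc/group" ] || fail "$jail/etc/group missing"
    # /dev/null must be a character device (mknod c 1 3) with mode 666
    if [ -c "$jail/dev/null" ]; then
        mode=$(stat -c %a "$jail/dev/null")
        [ "$mode" = "666" ] || fail "$jail/dev/null mode is $mode, want 666"
    else
        fail "$jail/dev/null is not a character device"
    fi
    return "$failures"
}
if [ $# -ge 2 ]; then check_jail "$1" "$2"; exit $?; fi
```

Run it as root after make jail, e.g. `sh check_jail.sh ~chroot username`; a nonzero exit code is the count of missing steps.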