Zarathustra Shall Speak » SFTP http://zarathustrashallspeak.com And you yourself are also this Will to Power. Tue, 13 Jul 2010 18:35:48 +0000 en hourly 1 http://wordpress.org/?v=3.0 CentOS + chroot’d SFTP With No Patches http://zarathustrashallspeak.com/2008/09/19/centos-chrootd-sftp-with-no-patches/ http://zarathustrashallspeak.com/2008/09/19/centos-chrootd-sftp-with-no-patches/#comments Fri, 19 Sep 2008 08:07:04 +0000 Akairenn http://zarathustrashallspeak.com/?p=37 One of our clients requires an sftp-accessible account on one of their systems, for their own clients to upload files to them. This is easy enough; the problem is that they’d really like their clients not to be able to poke around the file system of the box. This sounds like a job for chroot, no?

The problem with chroot and sftp is that it’s usually a pain to set up. Most of the documentation I’ve read makes references to grabbing the OpenSSH source and patching it. This is one of the most asinine ideas I’ve ever come across – to remove OpenSSH from your distribution’s package management system is asking to have your system compromised to hell and back. The good news is, there’s a way around this.

First, you want to grab an awesome little program called scponly.

tar -zxf the package somewhere (I suggest /opt or /usr/local/src) and change to the newly-created directory. Once there, carry out the following:

./configure --enable-winscp-compat --enable-scp-compat --enable-chrooted-binary
make
make install

Next, edit /etc/shells and add the following line to the bottom of the file:

/usr/local/sbin/scponlyc

Now change back to the scponly source directory and run:

make jail

Follow the prompts and it will create a user and home directory that is chrooted. However, for CentOS/RHEL, there are a few more steps we need to do manually. Change into the newly created home directory for your chrooted user. I’ll denote this in the following instructions by using ~chroot/

Edit ~chroot/etc/ld.so.conf and replace the contents of that file with:

/lib
/usr/lib

After that, run:

ldconfig -r ~chroot/
cp /etc/group ~chroot/etc/
mkdir ~/chroot/dev/
mknod ~chroot/dev/null c 1 3
chmod 666 ~chroot/dev/null

…And Bob’s your uncle. Unless you’re using SELinux, in which case, please view the CentOS section of scponly’s documentation (where I gathered the above info from) here.

This is quick, easy and leaves OpenSSH as it is on your system, preventing the impossible choice between having chroot, sftp and a nightmare of package mismanagement, or having sftp without chroot.

One final note: If you follow make jail’s suggestion, you’ll have a directory in the chrooted user’s home directory labelled ‘incoming’. If you want to have the user automatically taken to that directory upon logging in, modify the user’s directory in /etc/password along the following lines:

/home/directory/example//incoming

The // will cause the user to be moved to the following (in this case, incoming/) directory when they log in.

]]> http://zarathustrashallspeak.com/2008/09/19/centos-chrootd-sftp-with-no-patches/feed/ 0