[CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.

Radu Radutiu rradutiu at gmail.com
Thu Feb 4 10:28:04 UTC 2010


Just for the reference if you want to keep SELINUX enabled and create
a new instance of sshd (with the stock CentOS 5.4 sshd) with sftp only
you can do the following:

-create a copy of /etc/ssh/sshd_config e.g.
cp /etc/ssh/sshd_config /etc/ssh/sftpd_config

-chage /add the following lines in sftpd_config
Port 1234
ChrootDirectory %h
Subsystem	sftp	internal-sftp
AllowUsers externaluser


-let SELINUX know that port 1234 (or whatever you put in your
sftpd_config)  is of type ssh_port_t

semanage port -a -t ssh_port_t -p tcp -n 1234

-make sure that the sftp user's home directory respects the
requirements of ChrootDirectory sshd_config directive :  This path,
and all its components, must be root-owned directories that are not
writable by any other user or group. For file transfer sessions using
“sftp”, no additional configuration of the environment is necessary if
the in-process sftp server is used
chown root  /home/externaluser
chmod g-w /home/externaluser

-create a directory in which externaluser will be able to write
mkdir /home/externaluser/upload
chown externaluser /home/externaluser/upload

- create a copy of /etc/init.d/sshd init script
cp /etc/init.d/sshd /etc/init.d/sftpd
- modify it to reflect the sftpd_config config file and a new pid file
- make it start automatically
chkconfig sftpd --add sftp

Radu


More information about the CentOS mailing list