[CentOS] OpenSSH-5.3p1 selinux problem on CentOS-5.4.
Radu Radutiu
rradutiu at gmail.com
Thu Feb 4 10:28:04 UTC 2010
Just for reference, if you want to keep SELinux enabled and create
a new instance of sshd (with the stock CentOS 5.4 sshd) for sftp only,
you can do the following:
- create a copy of /etc/ssh/sshd_config, e.g.
cp /etc/ssh/sshd_config /etc/ssh/sftpd_config
- change/add the following lines in sftpd_config
Port 1234
ChrootDirectory %h
Subsystem sftp internal-sftp
AllowUsers externaluser
- let SELinux know that port 1234 (or whatever you put in your
sftpd_config) is of type ssh_port_t
semanage port -a -t ssh_port_t -p tcp -n 1234
- make sure that the sftp user's home directory respects the
requirements of the ChrootDirectory sshd_config directive: "This path,
and all its components, must be root-owned directories that are not
writable by any other user or group. For file transfer sessions using
'sftp', no additional configuration of the environment is necessary if
the in-process sftp server is used"
chown root /home/externaluser
chmod go-w /home/externaluser
- create a directory in which externaluser will be able to write
mkdir /home/externaluser/upload
chown externaluser /home/externaluser/upload
- create a copy of the /etc/init.d/sshd init script
cp /etc/init.d/sshd /etc/init.d/sftpd
- modify it to reflect the sftpd_config config file and a new pid file
- make it start automatically
chkconfig --add sftpd
Radu