[CentOS] how to control sftp's user file folder

Tue Mar 1 13:29:56 UTC 2011
Markus Falb <markus.falb at fasel.at>

On 1.3.2011 13:53, Nico Kadel-Garcia wrote:
> On Mon, Feb 28, 2011 at 10:53 AM, Eero Volotinen <eero.volotinen-X3B1VOXEql0 at public.gmane.org> wrote:

>> scponly chrooted is the easiest way.
> 
> No, sftp is actually supported, somewhat, in OpenSSH 5 for this to
> work well, which is not in CentOS 5, and integrating it to CentOS 5 is
> problematic. 

Since CentOS 5.4(?) it is possible to say something like

Subsystem	sftp	internal-sftp
ChrootDirectory %h

This is due to a somewhat partial backport of the chroot feature in
OpenSSH. The problem I see is that it is global, no way to restrict the
chroot to a group of users, so root is chrooted too. But if chrooted
sftp is really required one could configure a second daemon listening on
a different IP or maybe port.

https://rhn.redhat.com/errata/RHSA-2009-1287.html

> It's also awkward to maintain, the chroot cages require
> the relevant binaries nad libraries in each user's chroot cage. (I
> used to publish the software changes for this, years back under SunOS
> and RedHat 5.2, not RHEL 5.2).

As far as sftp is concerned in newer openssh (and this is also true for
the sftp in current CentOS) there is no need any more to maintain the
chroot. Just configure sshd and you are ready to go.

-- 
Best Regards, Markus Falb

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20110301/018a3e5d/attachment-0005.sig>