On 28.3.2011 05:53, Tom Diehl wrote:
> According to https://bugzilla.redhat.com/show_bug.cgi?id=440240 and http://rhn.redhat.com/errata/RHSA-2009-1287.html the ability to chroot was backported into rhel/centos 5 back in 2009-09-02.
> In addition sshd_config(5) says the following:
> Subsystem Configures an external subsystem (e.g., file transfer daemon). Arguments should be a subsystem name and a command (with optional arguments) to execute upon subsystem request.
> The command sftp-server(8) implements the sftp file transfer subsystem. Alternately the name internal-sftp implements an in-process sftp server. This may simplify configurations using ChrootDirectory to force a different filesystem root on clients. By default no subsystems are defined. Note that this option applies to protocol version 2 only.
> http://undeadly.org/cgi?action=article&sid=20080220110039 might be useful in setting this up.
Yes, it is possible to chroot with stock openssh in recent CentOS!

1. Unfortunately the Match directive is not backported, so the only possibility is to chroot all users including root.
2. The chroot is not restricted to sftp. ssh is chrooted also.
3. All users are chrooted including root.

I am aware of 2 possible methods to work around these limitations:

- Configure 2 ssh daemons, one chrooted for sftp and one default. The chrooted sshd has to listen on another ip or port.
- Or, alternatively (only one sshd needed): ChrootDirectory %h and change home for root to / (sounds nasty and it is ;-)
However you do it, the directory given to ChrootDirectory has to be read-only for normal users. If it were writable the user could manipulate the content of the chroot. Write access has to be restricted to a subdirectory of ChrootDirectory.