On Sun, 27 Mar 2011, Nico Kadel-Garcia wrote:
On Sun, Mar 27, 2011 at 10:12 PM, Gregory P. Ennis PoMec@pomec.net wrote:
Am 27.03.2011 um 22:57 schrieb John R Pierce:
On 03/27/11 1:03 PM, Rainer Duffner wrote:
If you use sftp, it can be chroot'ed by default (see man-page). (In reasonably recent version of sshd)
I gather that's a sshd somewhat newer than the one included in CentOS 5 ?
I don't know. ;-) I only used it in FreeBSD - but it's included there since at least 7.2. That was released in May 2009. OpenSSH 5.1p1
Looking, sshd in my latest CentOS shows v 4.6p2
rhel / centos contains openssh with backported chroot:
rpm -q --changelog openssh-server | grep chroot
- minimize chroot patch to be compatible with upstream (#522141)
- tiny change in chroot sftp capability into openssh-server solve ls
speed problem (#440240)
- add chroot sftp capability into openssh-server (#440240)
- enable the subprocess in chroot to send messages to system log
Only by recompiling and backporting OpenSSH 5.x from RHEL 6, or by getting "Centrify" and their tools from www.centrify.com. Centrify also includes good tools for integration with Active Directory based authentication, very useful in a mixed environment where you don't have the political pull to get the AD administrators in the same room to discuss how LDAP and Kerberos actually work and why Linux can cooperate with it. Being able to wave that magic "commercially supported" wand seems to help with those meetings, and it's actually a pretty good toolkit.
The above appears to be wrong wrt chrooting sftp on C5.
According to https://bugzilla.redhat.com/show_bug.cgi?id=440240 and http://rhn.redhat.com/errata/RHSA-2009-1287.html the ability to chroot was backported into rhel/centos 5 back in 2009-09-02.
In addition sshd_config(5) says the following:
Subsystem Configures an external subsystem (e.g., file transfer daemon). Arguments should be a subsystem name and a command (with optional arguments) to execute upon subsystem request.
The command sftp-server(8) implements the sftp file transfer subsystem. Alternately the name internal-sftp implements an in-process sftp server. This may simplify configurations using ChrootDirectory to force a different filesystem root on clients.
By default no subsystems are defined. Note that this option applies to protocol version 2 only.
http://undeadly.org/cgi?action=article&sid=20080220110039 might be useful in setting this up.
Of course I could be wrong since I have not tried this yet but it is on my short list for this week.
Regards,