On Thu, February 4, 2010 05:28, Radu Radutiu wrote:
Just for reference, if you want to keep SELinux enabled and create a new instance of sshd (with the stock CentOS 5.4 sshd) with sftp only, you can do the following:
- create a copy of /etc/ssh/sshd_config, e.g.
    cp /etc/ssh/sshd_config /etc/ssh/sftpd_config
- change/add the following lines in sftpd_config:
    Port 1234
    ChrootDirectory %h
    Subsystem sftp internal-sftp
    AllowUsers externaluser
- let SELinux know that port 1234 (or whatever you put in your sftpd_config) is of type ssh_port_t:
    semanage port -a -t ssh_port_t -p tcp 1234
- make sure that the sftp user's home directory respects the requirements of the ChrootDirectory sshd_config directive: "This path, and all its components, must be root-owned directories that are not writable by any other user or group. For file transfer sessions using "sftp", no additional configuration of the environment is necessary if the in-process sftp server is used."
    chown root /home/externaluser
    chmod g-w /home/externaluser
- create a directory in which externaluser will be able to write:
    mkdir /home/externaluser/upload
    chown externaluser /home/externaluser/upload
- create a copy of the /etc/init.d/sshd init script:
    cp /etc/init.d/sshd /etc/init.d/sftpd
- modify it to reflect the sftpd_config config file and a new pid file
- make it start automatically:
    chkconfig --add sftpd
Radu
Thank you for that. I did much the same as you suggest but, in the end, decided to just run the 5.3 sshd instead. I have set SELinux to enforcing on that host and sshd seems to work as expected. I cannot tell what the --with-selinux compiler switch is meant to do.