On 1.3.2011 13:53, Nico Kadel-Garcia wrote:
On Mon, Feb 28, 2011 at 10:53 AM, Eero Volotinen eero.volotinen-X3B1VOXEql0@public.gmane.org wrote:
scponly chrooted is the easiest way.
No, sftp is actually supported, somewhat, in OpenSSH 5 for this to work well, which is not in CentOS 5, and integrating it to CentOS 5 is problematic.
Since CentOS 5.4(?) it is possible to say something like
Subsystem sftp internal-sftp ChrootDirectory %h
This is due to a somewhat partial backport of the chroot feature in OpenSSH. The problem I see is that it is global, no way to restrict the chroot to a group of users, so root is chrooted too. But if chrooted sftp is really required one could configure a second daemon listening on a different IP or maybe port.
https://rhn.redhat.com/errata/RHSA-2009-1287.html
It's also awkward to maintain, the chroot cages require the relevant binaries nad libraries in each user's chroot cage. (I used to publish the software changes for this, years back under SunOS and RedHat 5.2, not RHEL 5.2).
As far as sftp is concerned in newer openssh (and this is also true for the sftp in current CentOS) there is no need any more to maintain the chroot. Just configure sshd and you are ready to go.