On Thu, February 4, 2010 05:28, Radu Radutiu wrote:
> Just for the reference if you want to keep SELINUX enabled and
> create a new instance of sshd (with the stock CentOS 5.4 sshd)
> with sftp only you can do the following:
>
> -create a copy of /etc/ssh/sshd_config e.g.
> cp /etc/ssh/sshd_config /etc/ssh/sftpd_config
>
> -change/add the following lines in sftpd_config
> Port 1234
> ChrootDirectory %h
> Subsystem sftp internal-sftp
> AllowUsers externaluser
>
> -let SELINUX know that port 1234 (or whatever you put in your
> sftpd_config) is of type ssh_port_t
>
> semanage port -a -t ssh_port_t -p tcp 1234
>
> -make sure that the sftp user's home directory respects the
> requirements of the ChrootDirectory sshd_config directive: This path,
> and all its components, must be root-owned directories that are not
> writable by any other user or group. For file transfer sessions
> using "sftp", no additional configuration of the environment is
> necessary if the in-process sftp server is used
> chown root /home/externaluser
> chmod g-w /home/externaluser
>
> -create a directory in which externaluser will be able to write
> mkdir /home/externaluser/upload
> chown externaluser /home/externaluser/upload
>
> - create a copy of /etc/init.d/sshd init script
> cp /etc/init.d/sshd /etc/init.d/sftpd
> - modify it to reflect the sftpd_config config file and a new pid
> file
> - make it start automatically
> chkconfig --add sftpd
> chkconfig sftpd on
>
> Radu
>

Thank you for that. I did much the same as you suggest but, in the end,
decided to just run the 5.3 sshd instead. I have set SELinux to enforcing
on that host and sshd seems to work as expected. I cannot tell what the
--with-selinux compiler switch is meant to do.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3