On 28.3.2011 05:53, Tom Diehl wrote:
> According to
> https://bugzilla.redhat.com/show_bug.cgi?id=440240 and
> http://rhn.redhat.com/errata/RHSA-2009-1287.html the ability to chroot was
> backported into rhel/centos 5 back in 2009-09-02.
>
> In addition sshd_config(5) says the following:
>
> Subsystem
> Configures an external subsystem (e.g., file transfer daemon).
> Arguments should be a subsystem name and a command (with optional
> arguments) to execute upon subsystem request.
>
> The command sftp-server(8) implements the sftp file transfer subsystem.
> Alternately the name internal-sftp implements an in-process sftp server.
> This may simplify configurations using ChrootDirectory to force a different
> filesystem root on clients.
>
> By default no subsystems are defined. Note that this option applies to
> protocol version 2 only.
>
> http://undeadly.org/cgi?action=article&sid=20080220110039 might be useful in
> setting this up.

Yes, it is possible to chroot with stock openssh in recent CentOS!

1. Unfortunately the Match directive is not backported, so the only possibility is to chroot all users including root.
2. The chroot is not restricted to sftp. ssh is chrooted also.
3. All users are chrooted including root.

I am aware of 2 possible methods to work around these limitations:

Configure 2 ssh daemons, one chrooted for sftp and one default. The chrooted sshd has to listen on another ip or port.

Or, alternatively (only one sshd needed) ChrootDirectory %h and change home for root to / (sounds nasty and it is ;-)

However you do it, the directory given to ChrootDirectory has to be read-only for normal users. If it were writable the user could manipulate the content of the chroot. Write access has to be restricted to a subdirectory of ChrootDirectory.

-------------------------------------------------------------------

Markus,

Thanks for taking the time to respond.
I was hoping I could chroot for just one user without running two sshd's; being able to restrict one user sure is needed. Do you know if CentOS 5.6 or 6.0 will allow this? I have not been able to get rssh or scponlyc to work yet, but have not stopped trying.

Greg
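The "read-only for normal users" rule Markus gives is exactly what sshd enforces on a ChrootDirectory path: every component, from the chroot root up to /, must be a root-owned directory that is not writable by group or others, otherwise the daemon refuses the login. The script below is an added example written for this page, not code from the thread or from OpenSSH. It checks a candidate directory against that rule with POSIX tools only (the uid argument exists so the check can be exercised as a non-root user) and prints a minimal config fragment for the second, chroot-only sshd from Markus's first workaround. The port 2222, the path /srv/chroot and the PidFile location are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH.
# Checks whether a directory is usable as ChrootDirectory and emits a config
# fragment for a second, chroot-only sshd.

# check_dir_component DIR [UID]
# Succeeds if DIR resolves to a directory owned by UID (default 0 = root)
# that is not writable by group or others. Prints the reason on failure.
check_dir_component() {
    want_uid=${2:-0}
    dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1" >&2
        return 1
    }
    # ls -ldn prints e.g. "drwxr-xr-x 2 0 0 4096 Mar 28 05:53 /srv/chroot":
    # field 1 is the mode string, field 3 the numeric owner.
    set -- $(ls -ldn "$dir")
    mode=$1
    owner=$3
    if [ "$owner" != "$want_uid" ]; then
        echo "bad owner $owner (want $want_uid): $dir" >&2
        return 1
    fi
    case $mode in
        ?????w*|????????w*)   # 'w' at position 6 (group) or 9 (others)
            echo "writable by group or others ($mode): $dir" >&2
            return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR [UID]
# Walks from DIR up to / and applies check_dir_component at every level:
# an ancestor a user can replace would let them swap out the whole chroot,
# so sshd rejects it. Writable space for users belongs in a subdirectory.
check_chroot_path() {
    top=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "cannot resolve: $1" >&2
        return 1
    }
    want=${2:-0}
    d=$top
    while :; do
        check_dir_component "$d" "$want" || return 1
        [ "$d" = / ] && break
        d=$(dirname "$d")
    done
    return 0
}

# sftp_chroot_config PORT CHROOT
# Minimal sshd_config for the "two sshds" approach: a second daemon on its
# own port that chroots everyone it serves and runs sftp in-process, so no
# binaries or libraries are needed inside the chroot. Start it with
# sshd -f <that file>; the separate PidFile keeps it apart from the default
# instance (path is a placeholder).
sftp_chroot_config() {
    printf 'Port %s\nPidFile /var/run/sshd-sftp.pid\n' "$1"
    printf 'ChrootDirectory %s\nSubsystem sftp internal-sftp\n' "$2"
}

# Demo: check the directory named on the command line, if any.
if [ -n "$1" ]; then
    check_chroot_path "$1" && echo "ok: $1 is usable as ChrootDirectory"
fi
```

Run as `sh check-chroot.sh /srv/chroot` on the intended host; a directory under /tmp will always fail because /tmp itself is world-writable, which is the same verdict sshd gives.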