[CentOS] rssh / scponly
tdiehl at rogueind.com
Mon Mar 28 03:53:50 UTC 2011
On Sun, 27 Mar 2011, Nico Kadel-Garcia wrote:
> On Sun, Mar 27, 2011 at 10:12 PM, Gregory P. Ennis <PoMec at pomec.net> wrote:
>>> Am 27.03.2011 um 22:57 schrieb John R Pierce:
>>>> On 03/27/11 1:03 PM, Rainer Duffner wrote:
>>>>> If you use sftp, it can be chroot'ed by default (see man-page).
>>>>> (In reasonably recent version of sshd)
>>>> I gather thats a sshd somewhat newer than the one included in CentOS 5
>>> I don't know.
>>> I only used it in FreeBSD - but it's included there since at least 7.2.
>>> That was released in May 2009.
>>> OpenSSH 5.1p1
>>> Looking, sshd in my latest CentOS shows v 4.6p2
>> rhel / centos contains openssh with backported chroot:
>> rpm -q --changelog openssh-server | grep chroot
>> - minimize chroot patch to be compatible with upstream (#522141)
>> - tiny change in chroot sftp capability into openssh-server solve ls
>> speed problem (#440240)
>> - add chroot sftp capability into openssh-server (#440240)
>> - enable the subprocess in chroot to send messages to system log
> Only by recompiling and backporting OpenSSH 5.x from RHEL 6, or by
> getting "Centrify" and their tools from www.centrify.com. Centrify
> also includes good tools for integration with Active Directory based
> authentication, very useful in a mixed environment where you don't
> have the political pull to get the AD administrators in the same room
> to discuss how LDAP and Kerberos actually work and why Linux can
> cooperate with it. Being able to wave that magic "commercially
> supported" wand seems to help with those meetings, and it's actually a
> pretty good toolkit.
The above appears to be wrong wrt chrooting sftp on C5.
http://rhn.redhat.com/errata/RHSA-2009-1287.html the ability to chroot was
backported into rhel/centos 5 back in 2009-09-02.
In addition sshd_config(5) says the following:
Configures an external subsystem (e.g., file transfer daemon).
Arguments should be a subsystem name and a command (with optional
arguments) to execute upon subsystem request.
The command sftp-server(8) implements the sftp file transfer subsystem.
Alternately the name internal-sftp implements an in-process sftp server.
This may simplify configurations using ChrootDirectory to force a different
filesystem root on clients.
By default no subsystems are defined. Note that this option applies to
protocol version 2 only.
http://undeadly.org/cgi?action=article&sid=20080220110039 might be useful in
setting this up.
Of course I could be wrong since I have not tried this yet but it is on my
short list for this week.
Tom Diehl tdiehl at rogueind.com Spamtrap address mtd123 at rogueind.com
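A worked example of the ChrootDirectory / internal-sftp setup the sshd_config(5) excerpt above describes, added here and not part of the original thread or of any poster's configuration. It assumes an sshd that supports ChrootDirectory and internal-sftp (the backported CentOS 5 package the errata link refers to, or any upstream OpenSSH 4.9 or later); the group name "sftponly" and the chroot location /srv/sftp/%u are hypothetical choices. The second function encodes the check sshd itself performs before it will chroot: the chroot directory and every component of its path must be owned by root and must not be group- or world-writable, otherwise the login fails with a "bad ownership or modes for chroot directory" error in the log.

```shell
#!/bin/sh
# Added example (not from the CentOS list thread): emit a chroot'ed, sftp-only
# Match stanza for sshd_config and sanity-check a chroot path the way sshd does.
# Assumptions: group "sftponly" and chroot root "/srv/sftp/%u" are hypothetical;
# sshd must support ChrootDirectory and internal-sftp.

# Print the sshd_config stanza for a given group and chroot root.
# With internal-sftp no binaries or libraries are needed inside the chroot,
# which is the point the man page makes about it "simplifying" ChrootDirectory.
sftp_match_block() {
    group="$1"   # e.g. sftponly
    root="$2"    # e.g. /srv/sftp/%u  (%u expands to the login name)
    cat <<EOF
Subsystem sftp internal-sftp
Match Group $group
    ChrootDirectory $root
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd refuses to chroot unless the target directory and every parent up to /
# is owned by root and is not group- or world-writable. Walk the chain and
# report each violation. Returns 0 if the path is acceptable, 1 otherwise.
# Uses GNU stat(1) option syntax (Linux); BSD stat would need -f instead.
chroot_path_ok() {
    dir="$1"
    rc=0
    while :; do
        if [ ! -d "$dir" ]; then
            echo "missing: $dir"; rc=1; break
        fi
        # owner uid and octal permission bits of this component
        set -- $(stat -c '%u %a' "$dir")
        uid=$1; mode=$2
        [ "$uid" = "0" ] || { echo "not root-owned: $dir (uid $uid)"; rc=1; }
        # second-to-last octal digit is group, last is other; write bit is 2,
        # so any digit in 2,3,6,7 in either position means writable.
        case "$mode" in
            *[2367]?|*[2367]) echo "group/other writable: $dir (mode $mode)"; rc=1 ;;
        esac
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage (as root):
#   sftp_match_block sftponly /srv/sftp/%u >> /etc/ssh/sshd_config
#   sshd -t && service sshd restart
#   chroot_path_ok /srv/sftp/alice
```

Because the chroot root itself must be root-owned and unwritable by the user, give each account a writable subdirectory below it (for example /srv/sftp/alice/upload owned by alice) and set the account's home to /upload, or just let the user land at / of the chroot and write into that subdirectory. Always run sshd -t before restarting: a typo in a Match block locks everyone out, not just the sftp users.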