[CentOS] rssh / scponly

Tom Diehl tdiehl at rogueind.com
Mon Mar 28 03:53:50 UTC 2011

On Sun, 27 Mar 2011, Nico Kadel-Garcia wrote:

> On Sun, Mar 27, 2011 at 10:12 PM, Gregory P. Ennis <PoMec at pomec.net> wrote:
>>> Am 27.03.2011 um 22:57 schrieb John R Pierce:
>>>> On 03/27/11 1:03 PM, Rainer Duffner wrote:
>>>>> If you use sftp, it can be chroot'ed by default (see man-page).
>>>>> (In reasonably recent version of sshd)
>>>> I gather that's an sshd somewhat newer than the one included in CentOS 5?
>>> I don't know.
>>> ;-)
>>> I only used it in FreeBSD - but it's included there since at least 7.2.
>>> That was released in May 2009.
>>> OpenSSH 5.1p1
>>> Looking, sshd in my latest CentOS shows v 4.6p2
>> RHEL / CentOS contains openssh with backported chroot:
>> rpm -q --changelog openssh-server | grep chroot
>> - minimize chroot patch to be compatible with upstream (#522141)
>> - tiny change in chroot sftp capability into openssh-server solve ls
>> speed problem (#440240)
>> - add chroot sftp capability into openssh-server (#440240)
>> - enable the subprocess in chroot to send messages to system log
> Only by recompiling and backporting OpenSSH 5.x from RHEL 6, or by
> getting "Centrify" and their tools from www.centrify.com. Centrify
> also includes good tools for integration with Active Directory based
> authentication, very useful in a mixed environment where you don't
> have the political pull to get the AD administrators in the same room
> to discuss how LDAP and Kerberos actually work and why Linux can
> cooperate with it. Being able to wave that magic "commercially
> supported" wand seems to help with those meetings, and it's actually a
> pretty good toolkit.

The above appears to be wrong wrt chrooting sftp on C5.

According to
https://bugzilla.redhat.com/show_bug.cgi?id=440240 and
http://rhn.redhat.com/errata/RHSA-2009-1287.html the ability to chroot was
backported into RHEL/CentOS 5 back in 2009-09-02.

In addition, sshd_config(5) says the following:

     Configures an external subsystem (e.g., file transfer daemon).
     Arguments should be a subsystem name and a command (with optional
     arguments) to execute upon subsystem request.

     The command sftp-server(8) implements the sftp file transfer subsystem.
     Alternately the name internal-sftp implements an in-process sftp server.
     This may simplify configurations using ChrootDirectory to force a different
     filesystem root on clients.

     By default no subsystems are defined. Note that this option applies to
     protocol version 2 only.

http://undeadly.org/cgi?action=article&sid=20080220110039 might be useful in
setting this up.

Of course, I could be wrong since I have not tried this yet, but it is on my
short list for this week.


Tom Diehl       tdiehl at rogueind.com      Spamtrap address mtd123 at rogueind.com
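Before pointing a ChrootDirectory line at a directory, it helps to know that sshd rejects the chroot unless every component of the path is root-owned and not writable by group or others (the rule sshd_config(5) states for ChrootDirectory). The check below is an added example, not from the thread or the OpenSSH project; it assumes GNU stat as shipped on CentOS and uses /home/chroot/alice as an assumed example path.

```shell
#!/bin/sh
# Added example, not from the thread: walk a ChrootDirectory path from the
# target up to / and report every component sshd would refuse (not owned by
# uid 0, or group/world writable), before the directive goes into sshd_config.

# chroot_component_ok UID OCTAL_MODE
# Returns 0 when the component is owned by uid 0 and has neither the group-
# nor the other-write bit set (mask 022); returns 1 otherwise.
chroot_component_ok() {
    [ "$1" -eq 0 ] || return 1
    # $((0$2)) parses the mode as octal, so "755" and "1777" are both handled
    [ $((0$2 & 022)) -eq 0 ] || return 1
    return 0
}

# check_chroot_path DIR
# Returns 0 only if every component from DIR up to / passes, 1 if any fails,
# 2 if a component cannot be stat'ed. Uses GNU stat -c (CentOS coreutils).
check_chroot_path() {
    cur=$1
    case $cur in /*) ;; *) cur=$PWD/$cur ;; esac   # make the path absolute
    rc=0
    while :; do
        info=$(stat -c '%u %a' "$cur" 2>/dev/null) || return 2
        uid=${info%% *}
        mode=${info##* }
        if ! chroot_component_ok "$uid" "$mode"; then
            echo "sshd would reject: $cur (uid=$uid mode=$mode)" >&2
            rc=1
        fi
        [ "$cur" = / ] && break
        cur=$(dirname "$cur")
    done
    return $rc
}

# Assumed layout: /home/chroot/alice is root-owned 755 and the user writes
# only inside a subdirectory such as /home/chroot/alice/upload.
# check_chroot_path /home/chroot/alice && echo "chroot path looks acceptable"
```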
