[CentOS] rssh / scponly

Gregory P. Ennis PoMec at PoMec.Net
Wed Mar 30 02:15:18 UTC 2011


On 28.3.2011 05:53, Tom Diehl wrote:

> According to
> https://bugzilla.redhat.com/show_bug.cgi?id=440240 and
> http://rhn.redhat.com/errata/RHSA-2009-1287.html the ability to chroot was
> backported into rhel/centos 5 back in 2009-09-02.
> 
> In addition sshd_config(5) says the following:
> 
> Subsystem
>      Configures an external subsystem (e.g., file transfer daemon).
>      Arguments should be a subsystem name and a command (with optional
>      arguments) to execute upon subsystem request.
> 
>      The command sftp-server(8) implements the sftp file transfer subsystem.
>      Alternately the name internal-sftp implements an in-process sftp server.
>      This may simplify configurations using ChrootDirectory to force a different
>      filesystem root on clients.
> 
>      By default no subsystems are defined. Note that this option applies to
>      protocol version 2 only.
> 
> http://undeadly.org/cgi?action=article&sid=20080220110039 might be useful in
> setting this up.

Yes, it is possible to chroot with stock openssh in recent CentOS!

1. Unfortunately the Match directive is not backported, so the only
possibility is to chroot all users including root.
2. The chroot is not restricted to sftp. ssh is chrooted also.
3. All users are chrooted including root

I am aware of 2 possible methods to work around these limitations:

Configure 2 ssh daemons, one chrooted for sftp and one default. The
chrooted sshd has to listen on another ip or port.

Or, alternatively (only one sshd needed)
ChrootDirectory %h
and change home for root to / (sounds nasty and it is ;-)

However you do it, the directory given to ChrootDirectory has to be
read-only for normal users. If it were writable the user could
manipulate the content of the chroot. Write access has to be restricted
to a subdirectory of ChrootDirectory.

-------------------------------------------------------------------

Markus,

Thanks for taking the time to respond.  I was hoping I could chroot for
just one user without running two sshd's; being able to restrict one
user sure is needed.  Do you know if CentOS 5.6 or 6.0 will allow this?

I have not been able to get rssh or scponlyc to work yet, but have not
stopped trying.  

Greg
