[CentOS] rssh / scponly

Mon Mar 28 03:53:50 UTC 2011
Tom Diehl <tdiehl at rogueind.com>

On Sun, 27 Mar 2011, Nico Kadel-Garcia wrote:

> On Sun, Mar 27, 2011 at 10:12 PM, Gregory P. Ennis <PoMec at pomec.net> wrote:
>>> On 27.03.2011 at 22:57, John R Pierce wrote:
>>>
>>>> On 03/27/11 1:03 PM, Rainer Duffner wrote:
>>>>> If you use sftp, it can be chroot'ed by default (see man-page).
>>>>> (In reasonably recent versions of sshd)
>>>>
>>>> I gather that's an sshd somewhat newer than the one included in CentOS 5
>>>> ?
>>>
>>>
>>> I don't know.
>>> ;-)
>>> I only used it in FreeBSD - but it's included there since at least 7.2.
>>> That was released in May 2009.
>>> OpenSSH 5.1p1
>>>
>>> Looking, sshd in my latest CentOS shows v 4.6p2
>>
>> rhel / centos contains openssh with backported chroot:
>>
>> rpm -q --changelog openssh-server | grep chroot
>> - minimize chroot patch to be compatible with upstream (#522141)
>> - tiny change in chroot sftp capability into openssh-server solve ls
>> speed problem (#440240)
>> - add chroot sftp capability into openssh-server (#440240)
>> - enable the subprocess in chroot to send messages to system log
>
> Only by recompiling and backporting OpenSSH 5.x from RHEL 6, or by
> getting "Centrify" and their tools from www.centrify.com. Centrify
> also includes good tools for integration with Active Directory based
> authentication, very useful in a mixed environment where you don't
> have the political pull to get the AD administrators in the same room
> to discuss how LDAP and Kerberos actually work and why Linux can
> cooperate with it. Being able to wave that magic "commercially
> supported" wand seems to help with those meetings, and it's actually a
> pretty good toolkit.

The above appears to be wrong wrt chrooting sftp on C5.

According to
https://bugzilla.redhat.com/show_bug.cgi?id=440240 and
http://rhn.redhat.com/errata/RHSA-2009-1287.html the ability to chroot was
backported into rhel/centos 5 back in 2009-09-02.

In addition, sshd_config(5) says the following:

Subsystem
     Configures an external subsystem (e.g., file transfer daemon).
     Arguments should be a subsystem name and a command (with optional
     arguments) to execute upon subsystem request.

     The command sftp-server(8) implements the sftp file transfer subsystem.
     Alternately the name internal-sftp implements an in-process sftp server.
     This may simplify configurations using ChrootDirectory to force a different
     filesystem root on clients.

     By default no subsystems are defined. Note that this option applies to
     protocol version 2 only.

http://undeadly.org/cgi?action=article&sid=20080220110039 might be useful in
setting this up.

Of course I could be wrong since I have not tried this yet but it is on my
short list for this week.

Regards,

-- 
Tom Diehl       tdiehl at rogueind.com      Spamtrap address mtd123 at rogueind.com
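As an added example (not part of this thread or of OpenSSH), a small shell audit for the configuration the sshd_config(5) excerpt above describes: it checks a config file for the Subsystem/Match/ChrootDirectory/ForceCommand internal-sftp pattern and runs over two constructed sample configs. The group name sftponly and the chroot path are assumptions.

```shell
#!/bin/sh
# Added example: audit an sshd_config for a chrooted, sftp-only setup.
# Assumes the ChrootDirectory / internal-sftp keywords (OpenSSH 4.9+, and the
# RHEL/CentOS 5 backport discussed in the thread). Returns 0 when the pattern
# is complete, 1 otherwise, and prints what is missing.
audit_sftp_chroot() {
    awk '
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next; key = tolower($1) }
        key == "subsystem" && tolower($2) == "sftp" {
            sub_ok = (tolower($3) == "internal-sftp")
        }
        # Each Match block starts a new scope; both keywords must appear in one.
        key == "match" { in_match = 1; chroot = 0; force = 0; next }
        in_match && key == "chrootdirectory" { chroot = 1 }
        in_match && key == "forcecommand" && tolower($2) == "internal-sftp" { force = 1 }
        in_match && chroot && force { match_ok = 1 }
        END {
            if (!sub_ok)   print "missing: Subsystem sftp internal-sftp"
            if (!match_ok) print "missing: Match block with ChrootDirectory and ForceCommand internal-sftp"
            if (sub_ok && match_ok) print "ok"
            exit !(sub_ok && match_ok)
        }
    ' "$1"
}

# Constructed samples, written to temp files so the audit can be run on them.
weak_cfg=$(mktemp); good_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$good_cfg"' EXIT

cat >"$weak_cfg" <<'EOF'
# constructed sample: external sftp-server, nothing chrooted
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

cat >"$good_cfg" <<'EOF'
# constructed sample: members of the assumed group sftponly are chrooted
# into their home directory and can only run sftp. Every path component of
# the chroot must be root-owned and not writable by group or others, or
# sshd refuses the login.
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF

audit_sftp_chroot "$weak_cfg" || true
audit_sftp_chroot "$good_cfg"
```

After editing the real /etc/ssh/sshd_config, `sshd -t` validates the syntax before a restart.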