According to the release notes, RHEL 5.4 included an update to set up chrooted SFTP accounts natively. But from what I am seeing, it is all or nothing. This means that even root is chrooted if you go this route.
Has anybody used this successfully? How did you configure it so that you could still do sysadmin tasks if root is chrooted?
Thanks-
Josh
-
I just built the tarballs from openssh.org for our RHEL5 boxes. Current OpenSSH has this chroot functionality built in and it's pretty easy to set up.
I think the RPMs from openssh.org even have a template spec file, so rebuilding an RPM is easy as pie too.
Josh Brower: Can you describe how you are going to set it up?
Josh Brower: Just to be more clear, can you describe how you are going to set up sftp and chrooting for your users.
wzzrd: I'm enjoying a nice vacation atm, so I can't check, but it's along the lines of what is described here: http://www.debian-administration.org/articles/590. (I cannot do syntaxy stuff in a comment, so I Googled you a solution that works similarly to mine).
From wzzrd -
This article describes how to build an RPM for CentOS 5 of a recent version of OpenSSH.
Josh Brower: I am looking more for the configuration of the chroot + sftp setup than for how to install openssh.
joschi: OpenSSH 4.9 and higher comes with built-in chroot capability for `sftp-server` (and `internal-sftp`) which can be set up on a per-user basis. Since CentOS 5.4 comes with OpenSSH 4.3 you'd have to upgrade your OpenSSH installation if you do not want to use the patched chrooted SSH server which comes with your Linux distribution.
joschi: And BTW: you asked how to set up a recent version of OpenSSH in your comment to wzzrd's answer.
From joschi -
[root@ptiama01 ~]# service sshd status
openssh-daemon (pid 3463) is running...
[root@ptiama01 ~]#
Check whether the sshd daemon is on or not for your run level:
[root@ptiama01 ~]# chkconfig sshd --list
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@ptiama01 ~]#
Josh Brower: Um, I'm not sure what this has to do with what I asked?
Rajat: If the above service daemon is on then you'll be able to sftp, that is what I said!!!
Josh Brower: That wasn't what I was trying to ask for. I have edited my question for more clarity.
Rajat: Josh, I had similar issues at my end. I had installed the ssh rpm but the service was shut off for security. When I restarted it I was able to sftp.
From Rajat -
One possibility is to set the root user home directory (or whoever the admin users are) to "/". I don't know what the downsides to this approach are, but it seems to work.
In my case, I'm considering setting
sshd_config:
# chroot to home directory. Root gets /. Users get /var/www.
ChrootDirectory %h
Subsystem sftp internal-sftp
passwd:
root:x:0:0:root:/:/bin/bash
joe:x:500:500::/var/www:/bin/bash
Then, 'joe' will have a subfolder in /var/www that he has access to.
joschi: Your solution requires OpenSSH 4.9 or higher which isn't available on RHEL 5.4 as an official package. There are also several other answers here pointing in that direction.
elijahbuck: That's not correct. Red Hat partially backported the feature. See http://rhn.redhat.com/errata/RHSA-2009-1287.html
From elijahbuck