Packetwatch.net

OpenSSH with Chrooted SFTP in Red Hat Enterprise Linux 4



Last modified: Aug. 5, 2008

Contents
1 - Summary
2 - Dependencies
3 - OpenSSH installation
4 - Service configuration
5 - Create new group and user
6 - Service check


1 - Summary

This guide shows how to compile and install OpenSSH 5.0 portable from source
on Red Hat Enterprise Linux 4 and configure it for chrooted SFTP, using the
ChrootDirectory and internal-sftp support that arrived in OpenSSH 4.9 (the
stock RHEL4 openssh-3.9p1 packages lack it). Members of a dedicated group get
SFTP only, confined to their own directory; they are not given a shell.


2 - Dependencies

OpenSSH 5.0 wants a recent zlib. The zlib 1.2.1.2 shipped with RHEL4 is old
enough that OpenSSH's configure script refuses it by default (it accepts 1.1.4
and 1.2.3 or newer), so zlib 1.2.3 is downloaded from http://www.zlib.net/,
compiled and installed from source. Zlib will be installed to /usr/local; the
stock RPMs stay in place for the rest of the system.
# cd ~
# rpm -qa | grep zlib
zlib-1.2.1.2-1.2
zlib-devel-1.2.1.2-1.2
zlib-1.2.1.2-1.2
# wget http://www.zlib.net/zlib-1.2.3.tar.gz
# tar -zxvf zlib-1.2.3.tar.gz
# cd zlib-1.2.3
# ./configure
# make
# sudo make install


3 - OpenSSH installation

OpenSSH portable can be downloaded at http://www.openssh.com/portable.html.
This will be downloaded, compiled and installed from source. OpenSSH will be
installed to /usr/local, with its configuration in /usr/local/etc; the stock
openssh-3.9p1 RPMs stay installed, and the init script is pointed at the new
binaries in section 4. The configure script picks up the zlib 1.2.3 just
installed under /usr/local, because gcc searches /usr/local/include and
/usr/local/lib before the system paths; if it still complains about the zlib
version, look at config.log before overriding the check.
# cd ~
# rpm -qa | grep ssh
openssh-askpass-gnome-3.9p1-8.RHEL4.17.1
openssh-clients-3.9p1-8.RHEL4.17.1
openssh-server-3.9p1-8.RHEL4.17.1
openssh-3.9p1-8.RHEL4.17.1
openssh-askpass-3.9p1-8.RHEL4.17.1
# wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.0p1.tar.gz
# tar -zxvf openssh-5.0p1.tar.gz
# cd openssh-5.0p1
# ./configure
# make
# sudo make install


4 - Service configuration

Now we will configure the service. make install generated a set of host keys
in /usr/local/etc; they are removed here, a fresh 4096-bit RSA host key is
generated below, and the init script creates any key type that is still
missing when it starts. If the machine already has host keys in /etc/ssh
that clients trust, copying those to /usr/local/etc instead keeps the host
key fingerprint unchanged.
# su - root
# cd /usr/local/etc
# rm -f ssh_host*
# cp sshd_config sshd_config.original

Add the following to the configuration file to allow logins only from users
in the external group and to confine each of them to their own directory.
The Match block must be the last thing in the file: every directive after a
Match line belongs to that block until the next Match. ChrootDirectory is
honoured only if every component of the path (/, /ftp, /ftp/<user>) is a
directory owned by root and not writable by group or others; otherwise sshd
refuses the login. Note that AllowGroups external also locks out accounts
outside that group, including the administrator; AllowGroups takes a
space-separated list, so add the admin group there if shell access must
remain. ForceCommand internal-sftp denies a shell but not TCP or X11
forwarding; add AllowTcpForwarding no and X11Forwarding no inside the Match
block unless those are wanted.

  AllowGroups external
  Subsystem       sftp    internal-sftp
  Match Group external
      ForceCommand internal-sftp
      ChrootDirectory /ftp/%u

# vi sshd_config
# /usr/local/bin/ssh-keygen -b 4096 -t rsa -N '' -f /usr/local/etc/ssh_host_rsa_key
# cd /etc/init.d
# cp sshd sshd.original
# chmod -x sshd.original

Modify the sshd script to point to the newly installed ssh files. OpenSSH
5.0 still enables SSH protocol 1 by default, so unless Protocol 2 is set in
sshd_config the init script will also generate the RSA1 host key and
protocol 1 logins remain possible.

  KEYGEN=/usr/local/bin/ssh-keygen
  SSHD=/usr/local/sbin/sshd
  RSA1_KEY=/usr/local/etc/ssh_host_key
  RSA_KEY=/usr/local/etc/ssh_host_rsa_key
  DSA_KEY=/usr/local/etc/ssh_host_dsa_key
  PID_FILE=/var/run/sshd.pid

Keep a root session open while doing this: with AllowGroups external in
place, a typo in sshd_config locks everyone else out, and that session is
the only way back in (restarting sshd does not kill existing connections).
Check the new configuration with sshd -t before restarting.

# vi sshd
# service sshd restart

Add the following at the start of /etc/profile so that login shells find the
newly compiled ssh utilities in /usr/local before the stock ones in /usr.
(Non-login contexts such as cron keep their own PATH and will still run
/usr/bin/ssh.)

  export PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin

# cp /etc/profile /etc/profile.original
# vi /etc/profile
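The two rules that bite people at this step, as an added example that is not
part of the original guide: everything after a Match line belongs to that
block (so the block goes last), and process-wide directives such as Subsystem
are rejected inside Match. The script below reads an sshd_config and reports
either mistake, plus a missing ForceCommand or ChrootDirectory. The function
name, the GLOBAL_ONLY list (kept to keywords sshd never accepts inside Match)
and the file paths in the usage line are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity-check the sftp-only
# settings in an sshd_config before handing it to sshd.

# Directives that sshd treats as process-wide and rejects inside a Match
# block.  Deliberately limited to keywords this is certain about.
GLOBAL_ONLY='Port ListenAddress Protocol HostKey PidFile Subsystem UsePrivilegeSeparation'

# sftp_config_check FILE  -> returns 0 if the file looks right, 1 otherwise.
# Keyword matching is case-sensitive here (sshd itself is not), which is
# fine for a file written by hand in the usual capitalisation.
sftp_config_check() {
    f=$1
    in_match=0 bad=0 have_force=0 have_chroot=0
    while read -r key value; do
        case $key in ''|'#'*) continue ;; esac   # blank lines and comments
        if [ "$key" = Match ]; then
            in_match=1                           # from here on, everything
            continue                             # belongs to the Match block
        fi
        if [ $in_match -eq 1 ]; then
            for g in $GLOBAL_ONLY; do
                [ "$key" = "$g" ] && { echo "$f: '$key' after Match is not allowed there" >&2; bad=1; }
            done
            [ "$key" = ForceCommand ] && [ "$value" = internal-sftp ] && have_force=1
            [ "$key" = ChrootDirectory ] && have_chroot=1
        fi
    done < "$f"
    [ $have_force -eq 1 ]  || { echo "$f: no 'ForceCommand internal-sftp' in the Match block" >&2; bad=1; }
    [ $have_chroot -eq 1 ] || { echo "$f: no ChrootDirectory in the Match block" >&2; bad=1; }
    return $bad
}

# usage: sh sftp_config_check.sh /usr/local/etc/sshd_config
if [ "$#" -gt 0 ]; then
    sftp_config_check "$1" && echo "$1: looks right"
fi
```

Run it against /usr/local/etc/sshd_config after editing, then let sshd do the
authoritative check with /usr/local/sbin/sshd -t, which reads the same file
and prints the first error it finds.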


5 - Create new group and user

We will create the new group and user along with the directory permissions.
These commands are run as root. Password expiration is disabled, since the
users cannot reach a shell to change an expired password. The account gets
/sbin/nologin as its shell; that is fine because internal-sftp runs inside
sshd and never spawns a shell, which is also why no binaries or libraries
need to be copied into the chroot. The home directory is set to /, which
after the chroot is the user's own /ftp/<user>, so the user logs in and sees
/. The chroot directory itself stays owned by root and mode 755, as sshd
requires for every component of the ChrootDirectory path; the user can only
read it and gets write access only in the Uploads subdirectory below it.
Uploads is owned by the user, so 700 (or 750 if a local process needs to
read what was uploaded) would be enough; the 777 used here lets every local
account on the server write into it.
# groupadd external
# cd /
# mkdir /ftp
# chown -R root:root /ftp
# chmod -R 755 /ftp
# useradd -c 'Test User' -G external -M -s /sbin/nologin user
# chage -m 0 -M 99999 -I -1 -E -1 -W 7 user
# passwd user
# usermod -d / user
# mkdir -p /ftp/user/Uploads
# chown -R root:user /ftp/user
# chmod -R 755 /ftp/user
# chown -R user:user /ftp/user/Uploads
# chmod -R 777 /ftp/user/Uploads
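ChrootDirectory is the step most likely to fail for the user rather than for
the administrator: sshd will only chroot into a path whose every component,
from / down, is a directory owned by root and writable by nobody else, and
otherwise logs "bad ownership or modes for chroot directory ..." and closes
the connection. The script below, an added example rather than part of the
guide, walks the path the way sshd does so the layout from this section can
be checked before the service is restarted. The function name and the
CHROOT_OWNER_UID and trusted-prefix parameters are this example's additions,
there so the checker can be exercised on a scratch tree owned by an
unprivileged user; on the real host call it with only the chroot path.

```shell
#!/bin/sh
# Added example, not from the original guide: reproduce sshd's ownership and
# mode rule for ChrootDirectory.
#
# chroot_check CHROOT [TRUSTED_PREFIX]
#   Walks from CHROOT up to TRUSTED_PREFIX (default "/") and reports every
#   component that is not a directory, is not owned by CHROOT_OWNER_UID
#   (default 0, i.e. root), or is writable by group or others.  The prefix
#   and the uid override exist only so the checker can be run on a scratch
#   tree; leave both at their defaults for a real deployment.
chroot_check() {
    dir=$1
    stop=${2:-/}
    want_uid=${CHROOT_OWNER_UID:-0}
    bad=0
    p=$dir
    while :; do
        if [ ! -d "$p" ]; then
            echo "$p: not a directory" >&2
            bad=1
        else
            uid=$(stat -c '%u' "$p")    # GNU stat (RHEL4 coreutils has it)
            mode=$(stat -c '%a' "$p")   # octal permission bits, e.g. 755
            [ "$uid" = "$want_uid" ] || { echo "$p: owned by uid $uid, want $want_uid" >&2; bad=1; }
            # Group digit (second from the right) or other digit (rightmost)
            # carrying the write bit: 2, 3, 6 or 7.  "1777" (sticky /tmp)
            # is caught too, which matches sshd's behaviour.
            case $mode in
                *[2367]?|*[2367]) echo "$p: mode $mode is group/world writable" >&2; bad=1 ;;
            esac
        fi
        [ "$p" = "$stop" ] && break
        [ "$p" = / ] && break          # never walk past the filesystem root
        p=$(dirname "$p")
    done
    return $bad
}

# Only the chroot and its parents are subject to the rule; the user-owned
# Uploads directory lives inside the chroot and is not examined.
# usage: sh chroot_check.sh /ftp/user
if [ "$#" -gt 0 ]; then
    chroot_check "$1" && echo "$1: acceptable as ChrootDirectory"
fi
```

If this reports nothing for /ftp/user, a login failure is not the chroot
layout; look at the sshd log for the Match block or the account instead.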


6 - Service check

We will now test SFTP with the account we just created (the transcript below
was captured with an account named test; substitute the user you created).
Two things confirm the chroot: the listing shows only the user's own
directory, and cd .. from there still leaves pwd at /.
# sftp test@server.test.com
Connecting to server.test.com...
* * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *

THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE
  ONLY. UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE
 PUNISHABLE UNDER APPLICABLE LAWS. IF NOT AUTHORIZED TO ACCESS
 THIS SYSTEM, DISCONNECT NOW. BY CONTINUING, YOU CONSENT TO YOUR
  KEYSTROKES AND DATA CONTENT BEING MONITORED. ALL PERSONS ARE
 HEREBY NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES CONSENT
                  TO MONITORING AND AUDITING.

* * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
test@server.test.com's password:
sftp> ls -la
drwxr-xr-x    3 0        509          4096 May  6 00:27 .
drwxr-xr-x    3 0        509          4096 May  6 00:27 ..
drwxrwxrwx    2 506      509          4096 May  6 01:28 Uploads
sftp> cd ..
sftp> pwd
Remote working directory: /
sftp> cd Uploads
sftp> ls -la
drwxrwxrwx    2 506      509          4096 May  6 01:28 .
drwxr-xr-x    3 0        509          4096 May  6 00:27 ..
sftp> bye


Packetwatch Research 2002-2017.