Last modified: Aug. 5, 2008
Contents
1 - Summary
2 - Dependencies
3 - OpenSSH installation
4 - Service configuration
5 - Create new group and user
6 - Service check
1 - Summary
This guide shows how to compile and install OpenSSH 5.0 portable from source
with chrooted SFTP. The resulting setup allows only sftp logins, not ssh access
to a shell. The steps assume Red Hat Enterprise Linux 4.
2 - Dependencies
OpenSSH 5.0 recommends having zlib 1.2.3 installed. Zlib can be downloaded
at http://www.zlib.net/. This will be downloaded, compiled and installed from
source. Zlib will be installed to /usr/local.
# cd ~
# rpm -qa | grep zlib
zlib-1.2.1.2-1.2
zlib-devel-1.2.1.2-1.2
zlib-1.2.1.2-1.2
# wget http://www.zlib.net/zlib-1.2.3.tar.gz
# tar -zxvf zlib-1.2.3.tar.gz
# cd zlib-1.2.3
# ./configure
# make
# sudo make install
3 - OpenSSH installation
OpenSSH portable can be downloaded at http://www.openssh.com/portable.html.
This will be downloaded, compiled and installed from source. OpenSSH will
be installed to /usr/local.
# cd ~
# rpm -qa | grep ssh
openssh-askpass-gnome-3.9p1-8.RHEL4.17.1
openssh-clients-3.9p1-8.RHEL4.17.1
openssh-server-3.9p1-8.RHEL4.17.1
openssh-3.9p1-8.RHEL4.17.1
openssh-askpass-3.9p1-8.RHEL4.17.1
# wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.0p1.tar.gz
# tar -zxvf openssh-5.0p1.tar.gz
# cd openssh-5.0p1
# ./configure
# make
# sudo make install
4 - Service configuration
Now, we will configure the service.
# su - root
# cd /usr/local/etc
# rm -f ssh_host*
# cp sshd_config sshd_config.original
Add the following to the configuration file to allow logins only from users in
the external group. They will only have access to their own directory.
AllowGroups external
Subsystem sftp internal-sftp
Match Group external
    ForceCommand internal-sftp
    ChrootDirectory /ftp/%u
# vi sshd_config
# /usr/local/bin/ssh-keygen -b 4096 -t rsa -N '' -f /usr/local/etc/ssh_host_rsa_key
# cd /etc/init.d
# cp sshd sshd.original
# chmod -x sshd.original
Modify the sshd script to point to the newly installed ssh files.
KEYGEN=/usr/local/bin/ssh-keygen
SSHD=/usr/local/sbin/sshd
RSA1_KEY=/usr/local/etc/ssh_host_key
RSA_KEY=/usr/local/etc/ssh_host_rsa_key
DSA_KEY=/usr/local/etc/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid
# vi sshd
# service sshd restart
Add the following at the start of /etc/profile so that the newly compiled ssh
utilities in /usr/local are used instead of the ones in /usr.
export PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
# cp /etc/profile /etc/profile.original
# vi /etc/profile
5 - Create new group and user
We will create the new group and user and set the directory permissions.
These commands are run as the root user. Password expiration is disabled
since the users have no ssh access to a shell. When the user logs in, their
home directory will appear as /. With this setup the user has read access to
their home directory and full access to the Uploads directory.
# groupadd external
# cd /
# mkdir /ftp
# chown -R root:root /ftp
# chmod -R 755 /ftp
# useradd -c 'Test User' -G external -M -s /sbin/nologin user
# chage -m 0 -M 99999 -I -1 -E -1 -W 7 user
# passwd user
# usermod -d / user
# mkdir -p /ftp/user/Uploads
# chown -R root:user /ftp/user
# chmod -R 755 /ftp/user
# chown -R user:user /ftp/user/Uploads
# chmod -R 777 /ftp/user/Uploads
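The ownership and mode steps above are not cosmetic: sshd refuses to chroot into a directory unless every component of the ChrootDirectory path is owned by root and is not writable by group or others, and it logs "bad ownership or modes for chroot directory" when that is violated. The following is an added example, not part of the original guide, giving two POSIX sh checks a practitioner can run before restarting the service: one walks the chroot path and applies sshd's ownership and mode rule, the other confirms that sshd_config carries the Subsystem, AllowGroups and Match Group directives from section 4. It assumes GNU stat (-c) and awk, as shipped on RHEL 4; the function names are this example's own. The self-test at the bottom builds a scratch copy of the /ftp/user layout so it can be run as an ordinary user.

```shell
#!/bin/sh
# Added example, not part of the original guide.  Two sanity checks for the
# chrooted-SFTP setup: chroot path ownership/modes and sshd_config directives.
# Assumes GNU stat (-c) and awk, as on RHEL 4.  Function names are our own.

# check_chroot_path DIR [BASE] [OWNER_UID]
# sshd refuses a ChrootDirectory unless every component of its path is owned
# by root and is not writable by group or others.  This walks from DIR up to
# BASE (default /) and applies the same test.  OWNER_UID defaults to 0 and
# exists only so the self-test below can run unprivileged.
check_chroot_path() {
    dir=$1; base=${2:-/}; want_uid=${3:-0}
    case $dir in
        "$base"|"${base%/}"/*) ;;
        *) echo "check_chroot_path: $dir is not under $base" >&2; return 1 ;;
    esac
    p=$dir
    while :; do
        if [ ! -d "$p" ]; then
            echo "check_chroot_path: $p is not a directory" >&2; return 1
        fi
        uid=$(stat -c '%u' "$p")
        perm=$(stat -c '%A' "$p")        # symbolic mode, e.g. drwxr-xr-x
        if [ "$uid" != "$want_uid" ]; then
            echo "check_chroot_path: $p is owned by uid $uid, expected $want_uid" >&2
            return 1
        fi
        # In the symbolic mode, character 6 is the group write bit and
        # character 9 the "others" write bit; either one disqualifies the path.
        case $perm in
            ?????w*|????????w*)
                echo "check_chroot_path: $p is group or world writable ($perm)" >&2
                return 1 ;;
        esac
        if [ "$p" = "$base" ] || [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return 0
}

# check_sftp_match CONFIG GROUP
# Confirms the directives the guide adds: a global "Subsystem sftp
# internal-sftp", an AllowGroups line naming GROUP, and a "Match Group GROUP"
# block carrying "ForceCommand internal-sftp" and a ChrootDirectory.
# Keywords are compared case-insensitively, as sshd does; values are not.
check_sftp_match() {
    cfg=$1; grp=$2
    awk -v grp="$grp" '
        /^[ \t]*#/ || NF == 0 { next }                  # skip comments and blanks
        tolower($1) == "match" {                        # new Match block: is it ours?
            inm = (NF >= 3 && tolower($2) == "group" && $3 == grp); next
        }
        !inm && tolower($1) == "subsystem" && tolower($2) == "sftp" && $3 == "internal-sftp" { subsys = 1 }
        tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) if ($i == grp) allow = 1 }
        inm && tolower($1) == "forcecommand" && $2 == "internal-sftp" { force = 1 }
        inm && tolower($1) == "chrootdirectory" && $2 != "" && $2 != "none" { chroot = 1 }
        END {
            if (!subsys) print "missing: Subsystem sftp internal-sftp (outside any Match)" > "/dev/stderr"
            if (!allow)  print "missing: AllowGroups " grp > "/dev/stderr"
            if (!force)  print "missing: ForceCommand internal-sftp in Match Group " grp > "/dev/stderr"
            if (!chroot) print "missing: ChrootDirectory in Match Group " grp > "/dev/stderr"
            exit (subsys && allow && force && chroot) ? 0 : 1
        }
    ' "$cfg"
}

# Self-test on a constructed layout mirroring /ftp/user from the guide, built
# under a scratch directory (BASE) and checked against the current uid so it
# runs without root.  On the real box: check_chroot_path /ftp/user
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/ftp/user/Uploads"
chmod 755 "$demo_dir/ftp" "$demo_dir/ftp/user"   # chroot path components: 755
chmod 777 "$demo_dir/ftp/user/Uploads"            # writable area lives below the chroot
check_chroot_path "$demo_dir/ftp/user" "$demo_dir" "$(id -u)" && echo "chroot path OK"
chmod 775 "$demo_dir/ftp/user"                    # the classic mistake: group-writable chroot
check_chroot_path "$demo_dir/ftp/user" "$demo_dir" "$(id -u)" || echo "chroot path rejected, as sshd would"
# Constructed sshd_config fragment with the directives from section 4.
printf 'Subsystem sftp internal-sftp\nAllowGroups external\nMatch Group external\n\tForceCommand internal-sftp\n\tChrootDirectory /ftp/%%u\n' > "$demo_dir/sshd_config"
check_sftp_match "$demo_dir/sshd_config" external && echo "sshd_config OK"
rm -rf "$demo_dir"
```

On the real host, run check_chroot_path /ftp/user with no further arguments so that it walks all the way to / with the root-ownership requirement sshd actually enforces, and run check_sftp_match /usr/local/etc/sshd_config external before `service sshd restart`. The checks read the same files sshd reads, so a failure here is the same failure a user would otherwise meet as a rejected login.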
6 - Service check
We will now test sftp with the account we just created.
# sftp test@server.test.com
Connecting to server.test.com...
* * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE
ONLY. UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE
PUNISHABLE UNDER APPLICABLE LAWS. IF NOT AUTHORIZED TO ACCESS
THIS SYSTEM, DISCONNECT NOW. BY CONTINUING, YOU CONSENT TO YOUR
KEYSTROKES AND DATA CONTENT BEING MONITORED. ALL PERSONS ARE
HEREBY NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES CONSENT
TO MONITORING AND AUDITING.
* * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
test@server.test.com's password:
sftp> ls -la
drwxr-xr-x 3 0 509 4096 May 6 00:27 .
drwxr-xr-x 3 0 509 4096 May 6 00:27 ..
drwxrwxrwx 2 506 509 4096 May 6 01:28 Uploads
sftp> cd ..
sftp> pwd
Remote working directory: /
sftp> cd Uploads
sftp> ls -la
drwxrwxrwx 2 506 509 4096 May 6 01:28 .
drwxr-xr-x 3 0 509 4096 May 6 00:27 ..
sftp> bye