Home / server / Questions / 121049
In Process
benjisail
Asked: 2010-03-11 01:28:55 +0800 CST

What is the easiest and cleanest way to create a chrooted SFTP on Centos 5.4?

  • 772

I would like to setup a SFTP with chroot (or equivalent) login to my Centos 5.4 server in a clean way. By clean way I mean by using only the YUM command if possible and with something easy to maintain and easy to extend (for example an easy way to add an extra SFTP user).

The problem with CentOS 5.4 is that OpenSSH is at version 4.3 in the repository so it is not possible to use the built in chroot capabilities of OpenSSH 4.8+.

Installing RSSH required to create manually a chrooted directory which don't seems easy to maintain to me.

MySecureShell is an other solution but it require an higher version of openSSL than the one which is in the repository.

I know that I could install manually an higher version of OpenSSH but I would lose all the advantage of the Yum command and it could become tricky to maintain if I want to do some updates in the futur...

Do you have an easy and clean way to setup a chrooted SFTP login on a centOS 5.4 server?

Thanks!

centos ssh sftp chroot

1 Answers

  1. I've found the following solution:

    # yum install gcc
# yum install openssl-devel
# yum install pam-devel
# yum install rpm-build
# wget http://ftp.bit.nl/mirror/openssh/openssh-5.2p1.tar.gz
# wget http://ftp.bit.nl/mirror/openssh/openssh-5.2p1.tar.gz.asc
# wget  -O- http://ftp.bit.nl/mirror/openssh/DJM-GPG-KEY.asc | gpg –-import
# gpg openssh-5.2p1.tar.gz.asc
gpg: Signature made Mon 23 Feb 2009 01:18:28 AM CET using DSA key ID 86FF9C48
gpg: Good signature from “Damien Miller (Personal Key) ”
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3981 992A 1523 ABA0 79DB FC66 CE8E CB03 86FF 9C48
# tar zxvf openssh-5.2p1.tar.gz
# cp openssh-5.2p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
# cp openssh-5.2p1.tar.gz /usr/src/redhat/SOURCES/
# cd /usr/src/redhat/SPECS
# perl -i.bak -pe ’s/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/’ > openssh.spec
# (I found this didn't work and I had to manually disable the two lines for gnome and x11 askpass by changing the 0 to 1)
# rpmbuild -bb openssh.spec
# cd /usr/src/redhat/RPMS/`uname -i`
# ls -l
-rw-r–r– 1 root root 275808 Feb 27 08:08 openssh-5.2p1-1.x86_64.rpm
-rw-r–r– 1 root root 439875 Feb 27 08:08
openssh-clients-5.2p1-1.x86_64.rpm
-rw-r–r– 1 root root 277714 Feb 27 08:08
openssh-server-5.2p1-1.x86_64.rpm
# rpm -Uvh openssh*rpm
Preparing… ########################################### [100%]
1:openssh ########################################### [ 33%]
2:openssh-clients ########################################### [ 67%]
3:openssh-server ########################################### [100%]
# service sshd restart
    • -1