Running an sftp-only daemon on RHEL5
Posted 01-08-2011 at 03:05 PM by anomie
The problem:
- You're a RHEL5 sysadmin.
- You want to run your regular ol' ssh daemon.
- You also want to chroot a few sftp users.
- You need the ChrootDirectory directive inside a Match block, so that only those few users are confined while everyone else keeps a normal login. That combination exists as of OpenSSH version 5.1. [1]
- Alas, your RHEL5 server still runs OpenSSH version 4.3p2. [2]
----------------------------------------------------------------------
Some thoughts and a solution:
You can wait for RHEL6. It's not too far off.
or..
You can live with the idea of not chrooting certain users in their sftp sessions.
or..
You can run a second OpenSSH daemon, on a different port, and chroot everyone who connects to it. Here's one way to do that.
Create the sftp init script
Let's call it /etc/init.d/sftpod. Just because. Make sure it is root owned, with octal mode 0755. Its contents follow.
Code:
#!/bin/bash
#
# chkconfig: 35 60 25
# description: OpenSSH chrooted sftp only daemon
#
# /usr/sbin/sftpod is simply a symlink to /usr/sbin/sshd. You MUST create
# that symlink before using this script: sshd re-executes itself through
# argv[0] for every new connection, and argv[0] is set to /usr/sbin/sftpod
# below so the daemon shows up under its own name in ps(1).
#
pidfile='/var/run/sftpod.pid'
config='/etc/ssh/sftpod_config'

case "${1}" in
  start  )
    # Syntax-check first; sshd -t rejects any directive this build lacks.
    /usr/sbin/sshd -t -f "${config}" || exit 1
    exec -a /usr/sbin/sftpod /usr/sbin/sshd -f "${config}"
    ;;
  stop   )
    # SIGTERM lets sshd exit cleanly and remove its pidfile; -9 leaves a stale one.
    [ -f "${pidfile}" ] && kill "$(cat "${pidfile}")"
    ;;
  restart)
    ${0} stop
    sleep 3
    ${0} start
    ;;
  *      )
    echo "Usage: ${0} (start|stop|restart)"
    ;;
esac
exit 0
Create the sftp config file
Let's use the naming referred to in the init script, /etc/ssh/sftpod_config. Contents:
Code:
# Second sshd instance: chrooted, sftp only, listening beside the regular daemon.
Port 9022
Protocol 2
AddressFamily inet
SyslogFacility AUTHPRIV
LogLevel INFO
PermitRootLogin no
# Password authentication only; every key-based and Kerberos/GSSAPI method is off.
RSAAuthentication no
PubkeyAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
# No PAM: the policy in /etc/pam.d/sshd is not applied to this daemon.
UsePAM no
# Own pidfile, so the init script stops this instance and not the main sshd.
PidFile /var/run/sftpod.pid
# Applies to every connection; the path must be root-owned and not writable by others.
ChrootDirectory /home/chrooted
# In-process sftp server: no sftp-server binary or shell is needed inside the chroot.
Subsystem sftp internal-sftp
Putting it together
Basics to knock out -
- Create the /home/chrooted directory. It has to be owned by root and must not be writable by group or others, and the same goes for every component of the path; sshd(8) refuses to chroot otherwise. Read sshd_config(5) for the details.
- Create the subdirectories for each user, with proper ownership and permissions. Keep in mind that sshd(8) changes to the account's home directory after the chroot(2), so the home recorded in /etc/passwd is interpreted relative to /home/chrooted. The rest you can figure out. (Beyond the scope of this blog entry.)
- Create the symlink noted in the init script. It is not cosmetic: sshd re-executes itself through argv[0] for each incoming connection, and the init script sets argv[0] to /usr/sbin/sftpod.
- Register the init script with chkconfig(8) (chkconfig --add sftpod). Read its manpages if you don't know how.
- Check the config with sshd -t -f /etc/ssh/sftpod_config. A directive the RHEL5 package does not understand is reported here, not at the first connection.
- Open TCP port 9022 in iptables and, if SELinux is enforcing, label it as an ssh port (semanage port -a -t ssh_port_t -p tcp 9022); otherwise the daemon is unreachable or cannot bind.
- Start your daemon.
Important security considerations -
- I highly recommend giving your sftp-only users an /sbin/nologin shell. internal-sftp does not go through the login shell, so the chrooted daemon keeps working, while on any daemon that hands the session to a shell or to the external sftp-server the login simply fails.
- I highly recommend adding an AllowUsers or AllowGroups directive to your main ssh daemon configuration, so that your sftp users aren't able to connect to that daemon. A DenyGroups line naming the sftp-only group does the same job. The mirror image applies too: an AllowGroups line in /etc/ssh/sftpod_config keeps your regular accounts off the chrooted daemon.
- Keep in mind that UsePAM no means no PAM module is consulted for these logins: access restrictions, limits and logging you enforce through /etc/pam.d/sshd do not apply to sftpod. Passwords are still checked against /etc/shadow, but confirm that is the policy you want.
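The two lists above (the setup basics and the security considerations) boil down to a handful of checks that are easy to get wrong by hand. The script below is an added example, not code from the original post: it creates the group, one sftp-only account, the directory tree and the symlink, and then verifies the chroot path permissions, the account's shell and home, and that the main sshd_config keeps the group out. The group name "sftponly", the per-user layout /home/chrooted/<user> and the account name "alice" are assumptions of this example, not something the post specifies.

```shell
#!/bin/bash
# Added example, not code from the original post: set up and sanity-check the
# accounts and directories that /etc/ssh/sftpod_config relies on.
# Assumed (not in the post): the sftp-only accounts share a group named
# "sftponly", each user's tree lives at /home/chrooted/<user>, and the main
# daemon keeps that group out with a DenyGroups or AllowGroups line.
set -u

CHROOT=/home/chrooted
SFTP_GROUP=sftponly
MAIN_CONFIG=/etc/ssh/sshd_config
SFTPOD_CONFIG=/etc/ssh/sftpod_config

# sshd(8) refuses a ChrootDirectory unless it and every parent directory are
# root-owned and writable by nobody else. Takes one "<uid> <mode>" string as
# printed by `stat -c '%u %A'`, so the rule can be checked without root.
perm_line_ok() {
  local uid=${1%% *} mode=${1#* }
  [ "$uid" = 0 ] || return 1
  case "$mode" in
    ?????w*|????????w*) return 1 ;;   # group- or world-writable
  esac
  return 0
}

# Apply perm_line_ok to the chroot root and each of its parents up to /.
chroot_path_ok() {
  local d=$1
  while :; do
    perm_line_ok "$(stat -c '%u %A' "$d")" || { echo "bad owner/mode on $d" >&2; return 1; }
    [ "$d" = / ] && return 0
    d=$(dirname "$d")
  done
}

# An sftp-only account needs /sbin/nologin (internal-sftp never runs the login
# shell, so this blocks shell logins and the external sftp-server elsewhere
# without breaking sftpod) and a home that is the path INSIDE the chroot,
# because sshd chdir()s to the home directory after the chroot(2).
passwd_entry_ok() {
  local entry=$1 home shell
  home=$(printf '%s\n' "$entry" | cut -d: -f6)
  shell=$(printf '%s\n' "$entry" | cut -d: -f7)
  [ "$shell" = /sbin/nologin ] || return 1
  case "$home" in
    /)  return 1 ;;   # would land every user in the shared chroot root
    /*) return 0 ;;
    *)  return 1 ;;
  esac
}

# True when an sshd_config keeps members of group $2 out: a DenyGroups line
# naming it, or an AllowGroups list that omits it (first occurrence wins).
config_blocks_group() {
  local file=$1 group=$2 line
  line=$(grep -i '^[[:space:]]*DenyGroups[[:space:]]' "$file" | head -n 1)
  if [ -n "$line" ]; then
    set -- $line; shift
    case " $* " in *" $group "*) return 0 ;; esac
  fi
  line=$(grep -i '^[[:space:]]*AllowGroups[[:space:]]' "$file" | head -n 1)
  if [ -n "$line" ]; then
    set -- $line; shift
    case " $* " in *" $group "*) return 1 ;; *) return 0 ;; esac
  fi
  return 1
}

# Root-only: group, one account, its tree, the sftpod symlink, chkconfig
# registration, and a syntax check of the config before anything starts.
apply_setup() {
  local user=$1
  getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
  mkdir -p "$CHROOT" && chown root:root "$CHROOT" && chmod 0755 "$CHROOT"
  # -M: no home created here; the recorded home is relative to the chroot.
  useradd -M -g "$SFTP_GROUP" -d "/$user" -s /sbin/nologin "$user"
  mkdir -p "$CHROOT/$user" && chown "$user:$SFTP_GROUP" "$CHROOT/$user" && chmod 0700 "$CHROOT/$user"
  ln -sf /usr/sbin/sshd /usr/sbin/sftpod   # sshd re-execs itself via argv[0]
  chkconfig --add sftpod
  /usr/sbin/sshd -t -f "$SFTPOD_CONFIG"    # rejects unsupported directives
}

check_all() {
  local user=$1 rc=0 entry
  chroot_path_ok "$CHROOT" || rc=1
  entry=$(getent passwd "$user")
  passwd_entry_ok "$entry" || { echo "$user: needs /sbin/nologin and an in-chroot home" >&2; rc=1; }
  [ -d "$CHROOT$(printf '%s\n' "$entry" | cut -d: -f6)" ] || { echo "$user: home missing under $CHROOT" >&2; rc=1; }
  config_blocks_group "$MAIN_CONFIG" "$SFTP_GROUP" || { echo "$MAIN_CONFIG does not keep $SFTP_GROUP out" >&2; rc=1; }
  return $rc
}

case "${1:-}" in
  apply) [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; exit 1; }
         apply_setup "${2:-alice}" ;;
  check) check_all "${2:-alice}" ;;
  *)     echo "usage: $0 apply|check [user]" >&2 ;;
esac
```

Run it as root with `apply alice`, then `check alice` after you have started sftpod; a non-zero exit with a message on stderr names the thing still wrong. The final test is from a client: `sftp -oPort=9022 alice@host`, then `pwd` should report /alice and `ls /` should show nothing but the per-user directories under the chroot, while `ssh alice@host` on port 22 must be refused.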
----------------------------------------------------------------------
References:
[1] ftp://ftp.ca.openbsd.org/pub/OpenBSD...able/ChangeLog
[2] Per my own server -
Code:
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.5 (Tikanga)
...
$ /usr/sbin/sshd -?bogus-tell-me-version
sshd: illegal option -- ?
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008