Review your favorite Linux distribution.
Go Back > Blogs > anomie
User Name


Rate this Entry

Running an sftp-only daemon on RHEL5

Posted 01-08-2011 at 03:05 PM by anomie

The problem:
  • You're a RHEL5 sysadmin.
  • You want to run your regular ol' ssh daemon.
  • You also want to chroot a few sftp users.
  • You need the OpenSSH Match directive with support for the ChrootDirectory directive! This functionality exists as of OpenSSH version 5.1. [1]
  • Alas, your RHEL5 server still runs OpenSSH version 4.3p2. [2]


Some thoughts and a solution:

You can wait for RHEL6. It's not too far off.


You can live with the idea of not chrooting certain users in their sftp sessions.


You can run a second OpenSSH daemon, on a different port, and chroot everyone who connects to it. Here's one way to do that.

Create the sftp init script

Let's call it /etc/init.d/sftpod. Just because. Make sure it is root owned, with octal mode 0755. Its contents follow.

# chkconfig: 35 60 25
# description: OpenSSH chrooted sftp only daemon
# Note that /usr/sbin/sftpod is simply a symlink to /usr/sbin/sshd;
# You are going to need to CREATE that symlink before using this script.


case "${1}" in

start  ) exec -a /usr/sbin/sftpod /usr/sbin/sshd -f /etc/ssh/sftpod_config
stop   ) kill -9 $(cat ${pidfile})
restart) ${0} stop
         sleep 3
         ${0} start
*      ) echo "Usage: ${0} (start|stop|restart)"


exit 0
Create the sftp config file

Let's use the naming referred to in the init script, /etc/ssh/sftpod_config. Contents:

Port 9022
Protocol 2
AddressFamily inet

SyslogFacility AUTHPRIV
LogLevel INFO

PermitRootLogin no

RSAAuthentication no
PubkeyAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no

UsePAM no

PidFile /var/run/

ChrootDirectory /home/chrooted
Subsystem sftp internal-sftp
Putting it together

Basics to knock out -
  1. Create the /home/chrooted directory. It's got to be root-owned. Read the manpages for sshd_config(5) for more info.
  2. Create the subdirectories for each user, with proper ownership and permissions. You can figure it out. (Beyond the scope of this blog entry.)
  3. Create the symlink noted in the init script.
  4. Add your init script to the consciousness of chkconfig(8). Read its manpages if you don't know how.
  5. Start your daemon.

Important security considerations -
  • I highly recommend giving your sftp-only users an /sbin/nologin shell.
  • I highly recommend adding an AllowUsers or AllowGroups directive to your main ssh daemon configuration, so that your sftp users aren't able to connect to that daemon.




[2] Per my own server -
$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 5.5 (Tikanga)
$ /usr/sbin/sshd -?bogus-tell-me-version
sshd: illegal option -- ?
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Posted in Uncategorized
Views 12207 Comments 0
« Prev     Main     Next »
Total Comments 0




All times are GMT -5. The time now is 06:10 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration