Chroot SSH on CentOS 5

Kenichi Kato · 05-20-2010, 05:02 AM

Hello,

I'm trying to jail a group of users (under sftp) to their home when they SSH/SFTP over to the server. I read somewhere I should add the following into the /etc/ssh/sshd_config but even after adding the first line, SSH couldn't start & error said bad configuration:

Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Can anyone help me? Appreciate it!!

anomie · 05-21-2010, 11:52 AM

IIRC, CentOS 5 - which is of course based on RHEL5 - provides OpenSSH 4.3 in its standard repositories.

The features you are trying to use are not available until a later minor version of the OpenSSH 4.x branch (4.8, I think).

alli_yas · 05-21-2010, 04:32 PM

Hi

anomie is correct - openssh as in RHEL 5 / CentOS 5 will not support it.

Depending on your application; in terms of what your users will be ftp'ing (and whether over the internet or not) you may want to consider "normal" FTP (vsftpd/proFTPd) - I have set up chroot jails in RHEL 5 with vsftpd; for users on my internal network (which is secured from threats via firewalls etc).

Kenichi Kato · 05-22-2010, 07:25 AM

Thank you anomie & alli yas. Didn't know that about RHEL5

Great, that gives me another idea. I'll split into 2 hosts. Host 1 allows read/write by internal users (behind firewall) & another purely for downloading data (encrypted) over the internet. I'll cron those data in specified folder meant for access by members outside office.

alli_yas · 05-22-2010, 04:41 PM

Hi Kenichi

Quote:

Host 1 allows read/write by internal users (behind firewall) & another purely for downloading data (encrypted) over the internet. I'll cron those data in specified folder meant for access by members outside office.

Hope that you mean separate machines though - if you're talking 2 VM's on the same machine I don't think that is a good idea security wise