
Restrict Users to Home Directory : Chroot Jail for SFTP Users

We often need to restrict users to their home directories. Here we discuss an easy way to set up jailed SFTP users on CentOS 5.x. We haven't yet tried this on CentOS 6.0, but it should work there too. The one thing to ensure is that the OpenSSH version is 5.x and not 4.x.

So, the most important step is the first one: upgrading OpenSSH to version 5.x. The OpenSSH 4.x shipped with CentOS 5 lacks the ChrootDirectory support needed to "chroot" users (i.e. set their root directory when they log in) so that they can only see files under their virtual root directory. Once upgraded, it's just a few lines of config changes and some basic user setup and you're good to go. Feel free to ask in the comments for help if you get stuck.

1. Upgrade to OpenSSH 5.x

## fetch the packages - 64-bit system
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/x86_64/openssh-5.1p1-3.el5.hrb.x86_64.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/x86_64/openssh-clients-5.1p1-3.el5.hrb.x86_64.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/x86_64/openssh-server-5.1p1-3.el5.hrb.x86_64.rpm

- or -

## fetch the packages - 32-bit system
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/i386/openssh-5.1p1-3.el5.hrb.i386.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/i386/openssh-clients-5.1p1-3.el5.hrb.i386.rpm
wget http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/i386/openssh-server-5.1p1-3.el5.hrb.i386.rpm

then…

## upgrade OpenSSH
rpm -Uvh openssh-*

2. Comment out the following line in ‘/etc/ssh/sshd_config’

Subsystem     sftp     /usr/libexec/openssh/sftp-server

3. Append these lines to the end of ‘/etc/ssh/sshd_config’

Subsystem     sftp     internal-sftp

Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no

4. Add the ‘sftponly’ user group

groupadd sftponly

5. Modify the user’s group and shell

usermod -g sftponly jsmith
usermod -s /bin/false jsmith

6. Set the proper filesystem permissions

(John Smith's home directory is /home/jsmith and his website is in /home/jsmith/public_html)

## the chroot target must be owned by root and writable only by root; sshd refuses to chroot otherwise
chmod 755 /home/jsmith
chown root:root /home/jsmith
## the user gets write access only inside the jail, in public_html
chown jsmith:sftponly /home/jsmith/public_html

7. Restart the SSHD daemon

/etc/init.d/sshd restart

Done!
