Centos 5 - Setting up chroot and sftp

The easy way is to use ProFTPD, since the OpenSSH version shipped with RHEL/CentOS 5 is old and doesn't do chroot nicely.

Easy way : Chroot sftp using ProFTPd

Reference: http://blog.dastrup.com/?p=156

Get latest proftpd from http://www.proftpd.org/ and compile it.

NOTE: Make sure you do the md5 checksum since the proftpd site has been compromised before.

cd /usr/local/src

# install dependencies
yum install openssl-devel

wget ftp://ftp.servus.at/ProFTPD/distrib/source/proftpd-1.3.4rc1.tar.bz2
wget ftp://ftp.servus.at/ProFTPD/distrib/source/proftpd-1.3.4rc1.tar.bz2.md5

# md5sum check
more proftpd-1.3.4rc1.tar.bz2.md5
md5sum proftpd-1.3.4rc1.tar.bz2

# unpack
bunzip2 proftpd-1.3.4rc1.tar.bz2
tar xf proftpd-1.3.4rc1.tar

cd proftpd-1.3.4rc1

./configure --prefix=/usr --sysconfdir=/etc --with-modules=mod_sftp
make
make install
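The md5 step above shows the recorded digest with `more` and the computed one with `md5sum` and leaves the comparison to the eye. The function below is an added example (not from the original page or the ProFTPD project) that does the comparison mechanically and accepts both digest-file layouts in common use, `<hash>  <file>` and `MD5 (<file>) = <hash>`; the file names in the usage comment are the page's, the function name and exit codes are assumed.

```shell
#!/bin/sh
# verify_md5 <archive> <md5-file>
# Exit status 0 when the digest recorded in <md5-file> matches <archive>,
# 1 on mismatch, 2 when no 32-hex-digit digest can be found in the file.
# Handles both common layouts: "<hash>  <file>" and "MD5 (<file>) = <hash>".
verify_md5() {
    archive=$1
    md5file=$2
    # first 32-hex-digit token in the digest file, case-folded to lower case
    expected=$(tr 'A-Z' 'a-z' < "$md5file" | sed -n 's/.*\([0-9a-f]\{32\}\).*/\1/p' | head -n 1)
    if [ -z "$expected" ]; then
        echo "no digest found in $md5file" >&2
        return 2
    fi
    actual=$(md5sum "$archive" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $archive ($actual)"
        return 0
    fi
    echo "MISMATCH: $archive" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# stand-alone use, e.g.:
#   sh verify_md5.sh proftpd-1.3.4rc1.tar.bz2 proftpd-1.3.4rc1.tar.bz2.md5
if [ $# -eq 2 ]; then
    verify_md5 "$1" "$2"
    exit $?
fi
```

A digest fetched from the same server as the tarball only proves that the two files agree with each other; to catch a replaced archive, compare against a digest or signature obtained from a second source (another mirror, a mailing-list announcement, a key fetched out of band).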

Create config file

echo '#/etc/proftpd.conf
ServerName                      "My SFTP Server"
ServerType                      standalone
DefaultServer                   on
IdentLookups                    off
Port                            22
# sshd normally owns port 22; stop it, move it, or give proftpd another port before starting
UseIPv6                         off
Umask                           022
MaxInstances                    30
User                            nobody
Group                           nobody
DefaultRoot ~
AllowOverwrite          on
<Limit SITE_CHMOD>
  # AllowAll or DenyAll
  AllowAll
</Limit>


#SFTP Support
SFTPEngine      On
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPClientMatch ".*WinSCP.*" sftpProtocolVersion 4
SFTPOptions IgnoreSFTPUploadPerms

' > /etc/proftpd.conf

Create init script (a quoted heredoc keeps the single quotes inside the script intact, which echo '...' would strip)

cat > /etc/init.d/proftpd <<'EOF'
#!/bin/sh
# $Id: proftpd.init,v 1.1 2004/02/26 17:54:30 thias Exp $
#
# proftpd        This shell script takes care of starting and stopping
#                proftpd.
#
# chkconfig: - 80 30
# description: ProFTPD is an enhanced FTP server with a focus towards \
#              simplicity, security, and ease of configuration. \
#              It features a very Apache-like configuration syntax, \
#              and a highly customizable server infrastructure, \
#              including support for multiple 'virtual' FTP servers, \
#              anonymous FTP, and permission-based directory visibility.
# processname: proftpd
# config: /etc/proftpd.conf
# pidfile: /var/run/proftpd.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -x /usr/sbin/proftpd ] || exit 0

RETVAL=0

prog="proftpd"

start() {
        echo -n $"Starting $prog: "
        daemon proftpd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/proftpd
}

stop() {
        echo -n $"Shutting down $prog: "
        killproc proftpd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/proftpd
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        status proftpd
        RETVAL=$?
        ;;
  restart)
        stop
        start
        ;;
  condrestart)
        if [ -f /var/lock/subsys/proftpd ]; then
          stop
          start
        fi
        ;;
  reload)
        echo -n $"Re-reading $prog configuration: "
        killproc proftpd -HUP
        RETVAL=$?
        echo
        ;;
  *)
        echo "Usage: $prog {start|stop|restart|reload|condrestart|status}"
        exit 1
esac

exit $RETVAL
EOF

chmod +x /etc/init.d/proftpd

Complicated way : Chroot sftp using rssh and ssh

rssh and ssh are required for a chroot sftp account

1. install rssh

yum install -y rssh

2. Custom Scripts - to create chroot directory and chroot users

chroot.sh

#!/bin/bash
#
# chroot.sh - build a minimal chroot tree holding rssh, scp/sftp and their libraries
#
# Usage: ./chroot.sh <chroot directory>
#
CHROOT=$1

if [ -z "$CHROOT" ]; then
  echo " chroot directory required for script to work! "
  echo " Usage : "
  echo "   ./chroot.sh <chroot directory>"
  echo ""
  exit 1
fi

echo "chroot directory: $CHROOT"

if [ -e "$CHROOT" ]; then
  echo " Error: $CHROOT already exists!"
  exit 1
fi

mkdir -p "$CHROOT"/{dev,etc,home,lib,lib64,usr}
mkdir -p "$CHROOT"/{usr/bin,usr/lib64,usr/sbin,usr/libexec/openssh}

# copy each binary, plus every shared library ldd resolves for it, to the same path under the chroot
for BIN in /usr/bin/rssh /usr/bin/scp /usr/bin/sftp /usr/libexec/rssh_chroot_helper /usr/libexec/openssh/sftp-server
do
  cp "$BIN" "$CHROOT$BIN"
  for LIB in $(ldd "$BIN" | awk '{print $3}')
  do
    if [ -f "$LIB" ]; then
      cp "$LIB" "$CHROOT$LIB"
    fi
  done
done

cp /etc/ld.so.cache $CHROOT/etc/
cp /etc/ld.so.conf  $CHROOT/etc/

# the awk above only sees "name => path" lines, so the dynamic loader (listed without "=>")
# and the NSS module glibc loads at runtime are copied by hand
cp /lib/ld-linux.so.2 $CHROOT/lib/
cp /lib/libcrypt.so.1 $CHROOT/lib/
cp /lib/libnss_compat.so.2 $CHROOT/lib/

cp /lib64/ld-linux-x86-64.so.2 $CHROOT/lib64/
cp /lib64/libnss_compat.so.2   $CHROOT/lib64/

mknod -m 0666 $CHROOT/dev/null c 1 3
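chroot.sh copies whatever ldd prints in its third column, which misses the dynamic loader line (it has no `=>`) and anything glibc opens at runtime such as libnss_compat, so the script copies those by hand. The check below is an added example (not part of the original page, rssh or OpenSSH) that parses all three ldd line shapes and reports which of a host binary's libraries are absent from a chroot tree; the chroot path and binaries in the usage comment are the page's, the function names are assumed.

```shell
#!/bin/sh
# libs_from_ldd: read `ldd <binary>` output on stdin and print one absolute
# library path per line. ldd emits three line shapes:
#   libc.so.6 => /lib64/libc.so.6 (0x...)      -> /lib64/libc.so.6
#   /lib64/ld-linux-x86-64.so.2 (0x...)        -> /lib64/ld-linux-x86-64.so.2 (the loader)
#   linux-vdso.so.1 =>  (0x...)                -> skipped, it is not a file
# A "libfoo.so => not found" line is skipped too, since $3 is not a path.
libs_from_ldd() {
    awk '$2 == "=>" { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\//  { print $1 }'
}

# missing_in_chroot <chroot>: read library paths on stdin, print every one that
# does not exist at the same path under <chroot>; return 1 if any was missing.
missing_in_chroot() {
    chroot=$1
    rc=0
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        if [ ! -f "$chroot$lib" ]; then
            echo "$lib"
            rc=1
        fi
    done
    return $rc
}

# check_chroot_binary <chroot> <host binary>: combine the two for one binary.
check_chroot_binary() {
    ldd "$2" | libs_from_ldd | missing_in_chroot "$1"
}

# stand-alone use, e.g. after running chroot.sh:
#   sh check_chroot.sh /data/chroot /usr/bin/sftp /usr/libexec/openssh/sftp-server
if [ $# -ge 2 ]; then
    chroot_dir=$1; shift
    status=0
    for bin in "$@"; do
        echo "== $bin"
        check_chroot_binary "$chroot_dir" "$bin" || status=1
    done
    exit $status
fi
```

This only covers libraries linked at load time; modules opened with dlopen (the NSS libraries in particular) never appear in ldd output, which is why chroot.sh still lists libnss_compat explicitly.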

script to add chroot users

add_chroot_user.sh

#!/bin/bash
#
# add_chroot_user.sh - create a user whose shell is rssh and register the
# chroot for that user in /etc/rssh.conf
#
# Usage: ./add_chroot_user.sh <chroot directory> <username>
#
CHROOT=$1
USERNAME=$2

if [ -z "$CHROOT" ] || [ -z "$USERNAME" ]; then
  echo " Usage : "
  echo "   ./add_chroot_user.sh <chroot directory> <username>"
  echo ""
  exit 1
fi

echo "chroot directory: $CHROOT"

# the home directory lives inside the chroot; rssh as login shell only permits scp/sftp
/usr/sbin/useradd -d "$CHROOT/home/$USERNAME" -s /usr/bin/rssh "$USERNAME"

# rssh.conf entry: user=<name>:<umask>:<access bits>:<chroot path>
# access bits 00010 allow sftp only
printf '\nuser="%s:011:00010:%s" # Allow SFTP with chroot\n' "$USERNAME" "$CHROOT" >> /etc/rssh.conf

echo "Please set $USERNAME's password:"
passwd "$USERNAME"

cp /etc/passwd "$CHROOT/etc"
echo ""
echo "  PLEASE edit $CHROOT/etc/passwd"
echo "   1) remove all users that are not required"
echo "   2) remove $CHROOT from ANY chroot user home directory paths"
echo "        i.e. $USERNAME's home directory should be /home/$USERNAME"
echo ""

3. Run the chroot.sh script to create the chroot directory

./chroot.sh /data/chroot

4. Run the add_chroot_user.sh to create a chroot user

./add_chroot_user.sh /data/chroot [username]

5. Edit the chroot password file: 1) remove users that are not required and 2) strip the chroot path from the home directory of every chroot user
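Step 5 is done by hand on the page. As an added example (not part of the original page), the function below derives the chroot copy of /etc/passwd from the host file: it keeps only the users named on its command line and strips the chroot prefix from their home directories, the two edits add_chroot_user.sh asks for. The passwd lines in the demo are constructed; /data/chroot is the page's path and the function name is assumed.

```shell
#!/bin/sh
# make_chroot_passwd <chroot> <user>...
# Reads the host /etc/passwd on stdin and writes the chroot's copy on stdout:
# only the named users survive, and a leading "<chroot>" is removed from the
# home-directory field so the path resolves once the process is jailed.
make_chroot_passwd() {
    chroot=$1
    shift
    keep=" $* "     # space-delimited so " name " matches whole user names only
    awk -F: -v OFS=: -v chroot="$chroot" -v keep="$keep" '
        index(keep, " " $1 " ") {
            home = $6
            if (substr(home, 1, length(chroot)) == chroot)
                home = substr(home, length(chroot) + 1)
            $6 = home        # reassigning a field rebuilds $0 with OFS ":"
            print
        }'
}

if [ $# -gt 1 ]; then
    # real use, e.g.:
    #   sh make_chroot_passwd.sh /data/chroot alice < /etc/passwd > /data/chroot/etc/passwd
    make_chroot_passwd "$@"
else
    # demo on constructed passwd lines (not a real host file)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'bin:x:1:1:bin:/bin:/sbin/nologin' \
        'alice:x:500:500::/data/chroot/home/alice:/usr/bin/rssh' \
        'bob:x:501:501::/data/chroot/home/bob:/usr/bin/rssh' \
    | make_chroot_passwd /data/chroot alice
fi
```

Generating the file from the host copy each time a user is added keeps the chroot's passwd from drifting, and never lets an unrelated account leak into the jail.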

6. Update syslog to create a log socket inside the chroot (without it the jailed sftp-server has no /dev/log to write to). On CentOS 5 the init script sources /etc/sysconfig/syslog, so the SYSLOGD_OPTIONS line is normally set there.

vi /etc/init.d/syslog
-- SYSLOGD_OPTIONS="-m 0"
++ SYSLOGD_OPTIONS="-m 0 -a /data/chroot/dev/log"
service syslog restart

7. The config files that need to be checked are the following:

/etc/ssh/sshd_config - make sure the following line is uncommented

Subsystem       sftp    /usr/libexec/openssh/sftp-server

/etc/rssh.conf - configs per user should have been added by the add_chroot_user.sh script

guides/unix_admin/setting_up_chroot_and_sftp.txt · Last modified: 2011/04/18 13:48 by michaelc