Tuesday, August 10, 2010
Initial install of OpenSSH 5.x on CentOS 5.4 with jailed sftp root enabled
Install CentOS with only Base group (keep it minimal)
Install some RPM packages required to get and build OpenSSH
    yum install -y gcc wget zlib-devel perl make xauth

Get newest source from openssl.org. Example:

    pushd /tmp
    wget http://openssl.org/source/openssl-0.9.8o.tar.gz

Build it (the trailing slash on the cd pattern matches only the unpacked directory, not the tarball, so the glob cannot expand to two names):

    tar zxvf openssl-*.tar.gz
    cd openssl-*/
    ./config --prefix=/opt/depot/$(basename "$PWD") --openssldir=/opt/depot/$(basename "$PWD")
    make
    make install
    pushd /opt/depot
    ln -s openssl-* openssl
    popd
Download newest 5.x OpenSSH from ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/. Example
    cd /tmp
    wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.5p1.tar.gz

Build it:

    tar zxvf openssh-*.tar.gz
    cd openssh-*/
    ./configure --prefix=/opt/depot/$(basename "$PWD") --with-ssl-dir=/opt/depot/openssl
    make
    make install
    pushd /opt/depot
    ln -s openssh-* openssh
    popd
    mkdir -p /opt/depot/openssh/var/run

Create the openssh symlink before the var/run directory: if mkdir -p runs first, /opt/depot/openssh already exists as a real directory and ln -s drops the link inside it instead of replacing it.

Update /etc/init.d/sshd to point to the correct paths:

    KEYGEN=/opt/depot/openssh/bin/ssh-keygen
    SSHD=/opt/depot/openssh/sbin/sshd
    RSA1_KEY=/opt/depot/openssh/etc/ssh_host_key
    RSA_KEY=/opt/depot/openssh/etc/ssh_host_rsa_key
    DSA_KEY=/opt/depot/openssh/etc/ssh_host_dsa_key
    PID_FILE=/opt/depot/openssh/var/run/sshd.pid

Note that sshd writes its pid file to the directory compiled in at configure time (/var/run unless --with-pid-dir is given), so set PidFile in the new sshd_config to the PID_FILE path above, otherwise "service sshd stop" and "status" will not find the daemon.
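The /opt/depot/openssh symlink is what the init script and the --with-ssl-dir flag resolve through, so a later 5.x build only needs that one link re-pointed. The helper below is an added example and not part of the original post; it assumes the /opt/depot/NAME-VERSION layout used above and GNU ln (for -n), and it refuses to create the link when a real directory already occupies the link's name, because ln -s would then create the link inside that directory instead of replacing it.

```shell
#!/bin/sh
# Added example (not from the original post): manage the /opt/depot/NAME
# symlink that points at the currently active NAME-VERSION build.
# Assumes the layout /opt/depot/NAME-VERSION/ per build and GNU ln.

# depot_dirname TARBALL -> directory name the tarball unpacks into,
# e.g. /tmp/openssh-5.5p1.tar.gz -> openssh-5.5p1
depot_dirname() {
    f=$(basename "$1")
    case $f in
        *.tar.gz) printf '%s\n' "${f%.tar.gz}" ;;
        *.tgz)    printf '%s\n' "${f%.tgz}" ;;
        *)        printf '%s\n' "$f" ;;
    esac
}

# link_depot DEPOT NAME VERSIONED_DIR -> make DEPOT/NAME a symlink to
# VERSIONED_DIR (relative, so the depot can be moved as a whole).
# Returns 1 if the build directory is missing or DEPOT/NAME is a real
# directory: "ln -s x NAME" would then put the link *inside* NAME.
link_depot() {
    depot=$1; name=$2; target=$3
    if [ ! -d "$depot/$target" ]; then
        echo "no such build: $depot/$target" >&2
        return 1
    fi
    if [ -d "$depot/$name" ] && [ ! -L "$depot/$name" ]; then
        echo "$depot/$name is a real directory, not a symlink; refusing" >&2
        return 1
    fi
    # -n: treat an existing symlink-to-directory as the link itself; -f: replace it
    ln -sfn "$target" "$depot/$name"
}

# current_depot DEPOT NAME -> the versioned directory the link points at
current_depot() {
    readlink "$1/$2"
}

# usage: link_depot /opt/depot openssh "$(depot_dirname openssh-5.5p1.tar.gz)"
```

Running link_depot a second time with a newer build name switches the link in one step; a real directory in the way is reported instead of silently producing a nested link.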
Replace subsystem lines with
    Subsystem sftp internal-sftp

Add the following group config lines at the end of the file (a Match block applies to everything that follows it, so it must come after the global options):

    Match Group sftponly
        ChrootDirectory /srv/%u
        ForceCommand internal-sftp
        AllowTcpForwarding no

sshd will only chroot into a directory that is owned by root and not group- or world-writable, and the same rule applies to every parent directory; that is what the chown/chmod on /srv below is for.

Restart ssh and make sure you see 5.x for the version. Run /opt/depot/openssh/sbin/sshd -t first to check the configuration, and query the new binary rather than the system /usr/bin/ssh:

    service sshd restart
    /opt/depot/openssh/bin/ssh -V

Create system group info:

    groupadd sftponly

Create some sftp only users. The chroot directory itself (/srv/user1) must also be root-owned, so the user gets a writable subdirectory inside it:

    chown root:root /srv
    chmod 755 /srv
    useradd -m -g sftponly -d /srv/user1 -s /bin/false user1
    chown root:root /srv/user1
    chmod 755 /srv/user1
    mkdir /srv/user1/upload
    chown user1:sftponly /srv/user1/upload
This guide was based on the one at http://adamsworld.name/chrootjailv5.php
Most modifications were to fit my auto-install for Xen virtual hosts and other little bits like that. Plus I'd rather use built-in packages like zlib-devel where possible. Hopefully in the next CentOS release the OpenSSL lib build will not be needed either (maybe even OpenSSH).