ciphermethod.com

How-To: Replace SSH & Enable Chrooted SFTP

by on Feb.03, 2009, under Linux

1. Download the latest OpenSSH source
2. Unpack the tar file
3. cd to the openssh source directory
4. Edit version.h and strip the version number from SSH_VERSION (if desired), for example:
   #define SSH_VERSION "OpenSSH"
5. Run ./configure --with-tcp-wrappers
6. Resolve any missing dependencies
7. Log in via a telnet session (so that stopping the old sshd in the next step does not cut off your own session)
8. Disable ssh and remove the existing SSH packages
9. Run "make install" from the openssh source directory
10. cp opensshd.init to /etc/init.d/sshd
11. Add the following chkconfig information to the top of /etc/init.d/sshd:
   # chkconfig: 2345 55 25
   # description: OpenSSH server daemon
12. Run chkconfig --add sshd

13. Create the sftponly group
   groupadd sftponly

14. Edit /usr/local/etc/sshd_config and change the sftp subsystem to internal-sftp:
   # override default of no subsystems
   #Subsystem sftp /usr/local/libexec/sftp-server
   Subsystem sftp internal-sftp

Then add this section at the bottom of the file (it must stay at the end, because every directive after a Match line belongs to that Match block):
   Match Group sftponly
       ChrootDirectory %h
       X11Forwarding no
       AllowTcpForwarding no
       ForceCommand internal-sftp

15. Create the sftp "jail" directory
mkdir /sftpusers
chown root:root /sftpusers
chmod 755 /sftpusers

16. create sftponly user accounts
useradd -g sftponly -d /sftpusers/user user
mkdir -p /sftpusers/user/data
chown root:root /sftpusers/user
chmod 755 /sftpusers/user
chown user:sftponly /sftpusers/user/data
chmod 700 /sftpusers/user/data
passwd user

The user now has full control over /sftpusers/user/data, read-only access to /sftpusers/user itself, and cannot cd above /sftpusers/user, which is the root of the chroot. Root ownership and mode 755 on /sftpusers and /sftpusers/user are not optional: sshd refuses to chroot into a directory unless it and every directory above it are owned by root and writable by nobody else, which is why the user gets a writable data subdirectory instead of a writable home directory.
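As an added example (not code from the original post), here is a POSIX shell check for the rule behind steps 15 and 16: with ChrootDirectory %h, sshd only accepts the login if the home directory and every directory above it are root-owned and neither group- nor world-writable. It assumes GNU coreutils `stat -c` (Linux).

```shell
#!/bin/sh
# Added example: verify that a path satisfies sshd's ChrootDirectory
# requirements before handing it to a sftponly user.
# Assumes GNU coreutils `stat -c` (Linux).

# check_component UID MODE [NAME]
# Returns 0 if a directory with numeric owner UID and octal mode MODE (as
# printed by `stat -c %a`, e.g. 755 or 1777) is an acceptable chroot path
# component, 1 otherwise (with the reason on stderr).
check_component() {
    uid=$1; mode=$2; name=${3:-component}
    if [ "$uid" -ne 0 ]; then
        echo "$name: not owned by root (uid $uid)" >&2
        return 1
    fi
    other=${mode#"${mode%?}"}          # last octal digit  -> "other" bits
    rest=${mode%?}
    group=${rest#"${rest%?}"}          # previous octal digit -> "group" bits
    # An octal digit has the write bit (2) set when it is 2, 3, 6 or 7.
    case "$group$other" in
        *[2367]*)
            echo "$name: group- or world-writable (mode $mode)" >&2
            return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR
# Walks from DIR up to / (the same components sshd inspects) and returns 0
# only if every one of them passes check_component.
check_chroot_path() {
    dir=$1
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 1
        set -- $info
        check_component "$1" "$2" "$dir" || return 1
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Usage: sh check_chroot.sh /sftpusers/user
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "$1 is acceptable as a ChrootDirectory"
fi
```

Run it against each new home directory after step 16; a failure names the first offending component, which is the directory to chown root:root and chmod 755.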
