Problem:
I needed users to SFTP into my existing FTP server, chrooted to their own home directory and with no shell access at all.

Resources:
The site that helped me the most was http://freshmeat.net/articles/view/1576/ . I searched over and over and googled myself to death over this one. I found a lot of info that all went in different directions; this is the approach I found worked the best.
RSSH
http://freshmeat.net/projects/rssh/
OPENSSH
http://freshmeat.net/projects/openssh/

Issues:
1. SFTP was the way to go: the whole session is encrypted, so usernames and passwords never cross the wire in clear text the way they do with standard FTP.
2. I didn't want the users to have access to an ssh shell.
3. With the setup the way I have it, you have to edit rssh.conf each time you add a user, to add their chroot entry.

Solution:
1. Install OpenSSH
2. Edit /etc/ssh/sshd_config
Note that sshd_config only accepts comments on their own line; a trailing "# ..." after a directive is read as extra arguments and sshd refuses to start with "garbage at end of line", so keep the notes above the directives as shown here.
# Authentication:
# only need 1 minute to allow login time
LoginGraceTime 1m
# do not allow root login
PermitRootLogin no
# StrictModes defaults to yes and should stay that way
#StrictModes yes
# set max tries to 3 (default is 6)
MaxAuthTries 3
3. Start ssh by running 'rcsshd start' (the SUSE init-script shortcut; on other distributions use the sshd init script directly).
4. Run 'chkconfig --add sshd' to ensure ssh starts on boot.
5. Test the sftp connection by logging in as a user of the system. If you do not have a user created on the system other than root, create one now.
$ sftp joeblow@localhost
RSA key fingerprint is ***********************.
Are you sure you want to continue connecting (yes/no)?
After you have said “yes” to the above, your sftp connection will be established, and you will have the following prompt waiting:
sftp>
6. Install RSSH
7. After installation, add rssh to the list of allowed shells (as root; without this entry chsh/usermod and some login daemons refuse the shell):
$ echo /usr/bin/rssh >> /etc/shells
8. Edit the /etc/rssh.conf file to allow chrooting and sftp. chrootpath is the jail used for any user who has no per-user line (step 9); with a plain chrootpath of /home every user lands in the same jail and can see the other users' directories, which is not the per-user isolation the Problem section asks for.
logfacility = LOG_USER
allowsftp
umask = 022
chrootpath="/home"
9. You may, as I needed to, set the chroot per user:
user=ftpcba:111:00010:/home/ftpusers/ftpcba
Format is user=username:umask:access bits:chroot dir. The access bits are five binary digits that enable rsync, rdist, cvs, sftp and scp in that order, so 00010 allows sftp and nothing else; the per-user umask and chroot override the global values from step 8.
10. Build the chroot tree for that directory: copy the sftp server binary and every library it depends on into the jail, each at the same path it has on the real system. rssh performs the chroot through its setuid-root rssh_chroot_helper, which stays outside the jail, and then executes sftp-server inside it, so sftp-server must be present inside. Mine contains:
./lib/i686
./lib/i686/libpthread.so.0
./lib/i686/libc.so.6
./lib/libresolv.so.2
./lib/libz.so.1
./lib/libnsl.so.1
./lib/libutil.so.1
./lib/libcom_err.so.2
./lib/libcrypt.so.1
./lib/ld-linux.so.2
./lib/libdl.so.2
./usr/bin/sftp
./usr/lib/ssh/sftp-server
./usr/lib/libasn1.so.6
./usr/lib/libdb-4.1.so
./usr/lib/libcrypto.so.0.9.7
./usr/lib/libkrb5.so.17
./usr/lib/libroken.so.16
./usr/lib/libgssapi.so.1
11. You can find the libraries a binary depends on by running the ldd command on it (here, on sftp-server); the paths it prints are the ones to recreate inside the jail.
12. Edit the user's account and set their login shell to /usr/bin/rssh. rssh only ever runs the services enabled for that user (here sftp-server) and refuses an interactive login, which takes care of issue 2 above.
13. DONE!
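Steps 7 through 12 as one script, added here as an example and not part of the original post: it copies sftp-server and the libraries ldd reports into a per-user jail at their original paths, appends the sftp-only rssh user line, registers the shell and switches the account to it. The paths for sftp-server, rssh, rssh.conf and the jail base are assumptions taken from the file list above (override them in the environment), and the writable upload directory inside the jail is my own layout choice, not something the post describes.

```shell
#!/bin/sh
# Added example, not from the original post: build a per-user rssh/sftp-only jail.
# Assumed paths (override in the environment); they match the file list above.
SFTP_SERVER=${SFTP_SERVER:-/usr/lib/ssh/sftp-server}
RSSH_SHELL=${RSSH_SHELL:-/usr/bin/rssh}
RSSH_CONF=${RSSH_CONF:-/etc/rssh.conf}
CHROOT_BASE=${CHROOT_BASE:-/home/ftpusers}

# Reduce ldd output to the absolute paths it resolved, one per line.
# "libc.so.6 => /lib/libc.so.6 (0x...)" yields field 3, the bare
# "/lib/ld-linux.so.2 (0x...)" yields field 1, and the vDSO line
# "linux-gate.so.1 => (0x...)" names no file and is dropped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Copy one file into the jail at the same absolute path it has outside
# (step 10 done by hand), keeping mode and ownership with cp -p.
copy_into_chroot() {
    jail=$1; file=$2
    mkdir -p "$jail$(dirname "$file")"
    cp -p "$file" "$jail$file"
}

# Per-user rssh.conf line (step 9): user=name:umask:access bits:jail.
# The five access bits are rsync, rdist, cvs, sftp, scp in that order,
# so 00010 is sftp only.
rssh_user_line() {
    printf 'user=%s:%s:00010:%s\n' "$1" "$2" "$3"
}

build_chroot() {
    user=$1
    jail=$CHROOT_BASE/$user
    [ "$(id -u)" -eq 0 ] || { echo "build_chroot: run as root" >&2; return 1; }
    id "$user" >/dev/null 2>&1 || { echo "build_chroot: no such user $user" >&2; return 1; }
    # rssh_chroot_helper chroots first and only then execs sftp-server, so the
    # binary and its libraries must sit at the same paths inside the jail.
    copy_into_chroot "$jail" "$SFTP_SERVER"
    ldd "$SFTP_SERVER" | ldd_paths | while IFS= read -r lib; do
        copy_into_chroot "$jail" "$lib"
    done
    # Jail root owned by root and not writable by the user, so nothing can be
    # planted next to the copied binaries; uploads go to a user-owned subdir
    # (assumed layout, not from the post).
    chown root:root "$jail" && chmod 755 "$jail"
    mkdir -p "$jail/upload" && chown "$user" "$jail/upload"
    grep -qx "$RSSH_SHELL" /etc/shells || echo "$RSSH_SHELL" >> /etc/shells   # step 7
    grep -q "^user=$user:" "$RSSH_CONF" || rssh_user_line "$user" 022 "$jail" >> "$RSSH_CONF"
    usermod -s "$RSSH_SHELL" "$user"                                           # step 12
}

# usage (as root): build_chroot.sh username
if [ $# -eq 1 ]; then
    build_chroot "$1"
fi
```

Because copy_into_chroot reproduces whatever path ldd printed, libraries that live under /lib/i686 on the host end up under ./lib/i686 in the jail exactly as in the list above. After running it, log in with sftp as that user and try "ls -l": if names show as numeric ids, sftp-server cannot resolve them inside the jail and a minimal /etc/passwd and /etc/group (the jailed users only) need to be added there as well.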
