chrooted SFTP with OpenSSH 5

Almost a year without an update. How shameful... Anyhow, here's an article describing the configuration for a new feature in OpenSSH >4.9: the long-awaited, much-praised chrooted SFTP!! Read on for the tutorial.

Problem: In our example we are using external authentication via AD/pam_winbind, but this procedure should work just as well for local authentication or for other name services (NIS/pam_ldap). This tutorial will help you automatically create the user's home directory on first login if it doesn't already exist, and then copy various files from /etc/skel. The home directory auto-creation is done by the pam_mkhomedir module. After the home directory has been created, we use another PAM module, pam_script, to change the ownership of the top level of the user's home directory so that the SFTP chroot will work correctly.

Note: chrooted sftp/scp is a new feature in OpenSSH >4.9. Newer Linux distributions already include it, but RHEL5/CentOS does not.

This is important!! OpenSSH checks that the chroot base directory (the user's home) is owned by root and is not writable by any other user or group. The same must hold for every parent directory on the path from the user's home up to / on your system. We are going to use pam_script to run a script that chowns the user's home to root. The upload/download directories, however, need to be readable and writable by the user account, so we place upload/download directories in /etc/skel; they are copied into the new home with the user as owner, giving the user an area with the correct permissions.

This tutorial assumes that you already have a group named sftponly, and that the accounts you want to have chrooted SFTP are already members of that group.

Since the formatting on my CMS went crazy when I tried to import the tutorial, I've decided to post a PDF instead. Here you go: chroot_sftp.pdf
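A check for the ownership rule described above, added here as an example and not part of the original post or its PDF: the first function walks every directory on the path to the user's home and reports the first one that would make sshd refuse the chroot (not owned by root, or group/world writable); the second does the fix-up the pam_script session hook is meant to perform once pam_mkhomedir has populated the home from /etc/skel. The function names, the optional TOP and OWNER_UID arguments (there only so the walk can be exercised on a scratch tree; in production the defaults match what sshd checks), and the assumption that pam_script hands the user name to its hook in the PAM_USER environment variable are mine, not the post's.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies the conditions sshd
# applies to a ChrootDirectory path and shows the ownership fix-up that the
# pam_script hook performs after pam_mkhomedir. Assumes a POSIX shell with
# ls -n and chown(1); run as root for fix_home_ownership.

# check_dir_secure DIR OWNER_UID
# One directory: must exist, be owned by OWNER_UID and not be group- or
# world-writable. Prints the reason to stderr and returns 1 on failure.
check_dir_secure() {
    d=$1
    want_uid=$2
    [ -d "$d" ] || { echo "chroot check failed: $d is not a directory" >&2; return 1; }
    # ls -ldn prints e.g. "drwxr-xr-x 2 0 0 4096 Jan 1 12:00 /home"; field 1 is
    # the mode string and field 3 the numeric owner uid (-n skips name lookups).
    set -- $(ls -ldn "$d")
    mode=$1
    uid=$3
    if [ "$uid" != "$want_uid" ]; then
        echo "chroot check failed: $d is owned by uid $uid, not $want_uid" >&2
        return 1
    fi
    # Character 6 of the mode string is the group write bit, character 9 the
    # world write bit (drwxrwxr-x has group write set, drwxr-xrwx world write).
    case $mode in
        ?????w*)    echo "chroot check failed: $d is group-writable" >&2; return 1 ;;
    esac
    case $mode in
        ????????w*) echo "chroot check failed: $d is world-writable" >&2; return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR [TOP] [OWNER_UID]
# Walk from TOP (default /, which is where sshd starts) down to DIR and apply
# check_dir_secure to every component, so a writable /home or a user-owned
# home directory is caught before the first login fails.
check_chroot_path() {
    dir=${1%/}
    top=${2:-/}
    top=${top%/}            # "/" becomes "", so "$top/$comp" stays absolute
    want_uid=${3:-0}

    case $dir in
        "$top"/*) ;;
        *) echo "chroot check failed: $dir is not below ${top:-/}" >&2; return 1 ;;
    esac

    check_dir_secure "${top:-/}" "$want_uid" || return 1

    rel=${dir#"$top"/}      # components below TOP, e.g. "home/alice"
    path=$top
    oldifs=$IFS
    IFS=/
    for comp in $rel; do
        IFS=$oldifs
        path="$path/$comp"
        check_dir_secure "$path" "$want_uid" || return 1
    done
    IFS=$oldifs
    return 0
}

# fix_home_ownership HOME_DIR USER
# What the pam_script session-open hook does once pam_mkhomedir has built the
# home from /etc/skel: hand the top level to root (sshd requires it) while the
# upload/download directories copied from the skeleton stay the user's.
# Assumption about pam_script's interface: the hook reads the user from the
# PAM_USER environment variable, so it would call
#   fix_home_ownership "/home/$PAM_USER" "$PAM_USER"
fix_home_ownership() {
    home=$1
    user=$2
    [ -d "$home" ] || return 1
    chown root:root "$home" && chmod 755 "$home" || return 1
    for sub in upload download; do
        if [ -d "$home/$sub" ]; then
            chown "$user" "$home/$sub" || return 1
        fi
    done
    # Report what sshd will see; a non-zero status means the chroot still fails.
    check_chroot_path "$home"
}

# Typical use on the server, for a member of the sftponly group:
#   check_chroot_path /home/alice && echo "chroot path OK"
```

The check mirrors what sshd does for a `Match Group sftponly` block using `ChrootDirectory %h` with `ForceCommand internal-sftp` (the directive names are OpenSSH's; the exact block is in the post's PDF, not reproduced here). Run it against a few homes after deploying the pam_mkhomedir/pam_script stack: if /home itself is group-writable on your system, every chrooted login fails with a "bad ownership or modes" error in the sshd log, and this walk points at the offending directory directly.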

