Centos 5.1 Chrooting SFTP using SCPonly
Installation
GCC is installed.
OpenSSH is installed.
Download scponly from: https://sourceforge.net/project/showfiles.php?group_id=155849 and extract it to /tmp
Configure Your Installation
Navigate into the directory in /tmp where you extracted scponly. Configure with the bellow command:./configure --enable-chrooted-binary
Build & Install The Binaries
make
make install
This will install your manpage and scponly binary/binaries.
Edit /etc/shells
using vi to look like this:
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh
/usr/local/sbin/scponlyc
If you want to not use scponly in a chrooted fashion then use the following instead of scponlyc:
/usr/local/bin/scponly
Set up the jail with the following command which invokes a helper script:
make jail
The output will look similar to below:
/usr/bin/install -c -d /usr/local/bin
/usr/bin/install -c -d /usr/local/man/man8
/usr/bin/install -c -d /usr/local/etc/scponly
/usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly
/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8
/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel
if test "xscponlyc" != "x"; then \
/usr/bin/install -c -d /usr/local/sbin; \
rm -f /usr/local/sbin/scponlyc; \
cp scponly scponlyc; \
/usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc; \
fi
chmod u+x ./setup_chroot.sh
./setup_chroot.sh
Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writeable
by the scponly user. this is important so that the scponly user
cannot subvert the .ssh configuration parameters.
for this reason, a writeable subdirectory will be created that
the scponly user can write into.
Username to install [scponly]scponly
home directory you wish to set for this user [/home/scponly]
name of the writeable subdirectory [incoming]files
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
creating /home/scponly/files directory for uploading files
Your platform (Linux) does not have a platform specific setup script.
This install script will attempt a best guess.
If you perform customizations, please consider sending me your changes.
Look to the templates in build_extras/arch.
- joe at sublimation dot org
please set the password for scponly:
Changing password for user scponly.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
if you experience a warning with winscp regarding groups, please install
the provided hacked out fake groups program into your chroot, like so:
cp groups /home/scponly/bin/groups
Note: I ran the command mentioned at the end.
cp groups /home/scponly/bin/groups
Note that this is not the end all for setting up chrooted scponly!
During "make jail", for example I used /home/scponly/ as mychroot main path. The following are the final steps I took to get scponly working.
Edit /home/scponly/etc/ld.so.conf and replace its content with :
/lib
/usr/lib
Type ldconfig -r /home/scponly/
Copy /lib/ld-linux.so.* in /home/scponly/lib/
cp /lib/ld-linux.so.* /home/scponly/lib/
Copy /etc/group in /home/scponly/etc/
cp /etc/group /home/scponly/etc/
Create the folder /home/scponly/etc/selinux
mkdir /home/scponly/etc/selinux
Create a file named config there and insert the following content in this file :
vi /home/scponly/etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted
SETLOCALDEFS=0
Create the folder:
mkdir /home/scponly/dev
Create the null device in chroot:
mknod /home/scponly/dev/null c 1 3
Change permissions on the null device:
chmod 666 /home/scponly/dev/null