Friday, 29 May 2009

Centos 5.1 Chrooting SFTP using SCPonly

Centos 5.1 Chrooting SFTP using SCPonly


GCC is installed.

OpenSSH is installed.

Download scponly from: and extract it to /tmp

Configure Your Installation

Navigate into the directory in /tmp where you extracted scponly. Configure with the bellow command:

./configure --enable-chrooted-binary

Build & Install The Binaries


make install

This will install your manpage and scponly binary/binaries.

Edit /etc/shells using vi to look like this:








If you want to not use scponly in a chrooted fashion then use the following instead of scponlyc:


Set up the jail with the following command which invokes a helper script:

make jail

The output will look similar to below:

/usr/bin/install -c -d /usr/local/bin

/usr/bin/install -c -d /usr/local/man/man8

/usr/bin/install -c -d /usr/local/etc/scponly

/usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly

/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8

/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel

if test "xscponlyc" != "x"; then \

/usr/bin/install -c -d /usr/local/sbin; \

rm -f /usr/local/sbin/scponlyc; \

cp scponly scponlyc; \

/usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc; \


chmod u+x ./


Next we need to set the home directory for this scponly user.

please note that the user's home directory MUST NOT be writeable

by the scponly user. this is important so that the scponly user

cannot subvert the .ssh configuration parameters.

for this reason, a writeable subdirectory will be created that

the scponly user can write into.

Username to install [scponly]scponly

home directory you wish to set for this user [/home/scponly]

name of the writeable subdirectory [incoming]files

useradd: warning: the home directory already exists.

Not copying any file from skel directory into it.

creating /home/scponly/files directory for uploading files

Your platform (Linux) does not have a platform specific setup script.

This install script will attempt a best guess.

If you perform customizations, please consider sending me your changes.

Look to the templates in build_extras/arch.

- joe at sublimation dot org

please set the password for scponly:

Changing password for user scponly.

New UNIX password:

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

if you experience a warning with winscp regarding groups, please install

the provided hacked out fake groups program into your chroot, like so:

cp groups /home/scponly/bin/groups

Note: I ran the command mentioned at the end.

cp groups /home/scponly/bin/groups

Note that this is not the end all for setting up chrooted scponly!

During "make jail", for example I used /home/scponly/ as mychroot main path. The following are the final steps I took to get scponly working.

Edit /home/scponly/etc/ and replace its content with :



Type ldconfig -r /home/scponly/

Copy /lib/* in /home/scponly/lib/

cp /lib/* /home/scponly/lib/

Copy /etc/group in /home/scponly/etc/

cp /etc/group /home/scponly/etc/

Create the folder /home/scponly/etc/selinux

mkdir /home/scponly/etc/selinux

Create a file named config there and insert the following content in this file :

vi /home/scponly/etc/selinux/config




Create the folder:

mkdir /home/scponly/dev

Create the null device in chroot:

mknod /home/scponly/dev/null c 1 3

Change permissions on the null device:

chmod 666 /home/scponly/dev/null

No comments:

Post a Comment