Support chroot for SCP connections on CentOS 5.5

Many thanks to anomie for posting this great writeup. I've pasted it below to help spread the wealth.


Here's a quick recipe for your chrooted sftp daemon:

1. Create the sftp init script - /etc/init.d/sftpfoo
#!/bin/bash
#
# chkconfig: 35 60 25
# description: OpenSSH chrooted sftp only daemon
#
# Note that /usr/sbin/sftpfoo is simply a symlink to /usr/sbin/sshd
#

# Must match the PidFile directive in /etc/ssh/sftpfoo_config (file name assumed here)
pidfile=/var/run/sftpfoo.pid

# exec -a sets argv[0], so the daemon shows up in ps as sftpfoo rather than sshd
case "${1}" in
  start  ) exec -a /usr/sbin/sftpfoo /usr/sbin/sshd -f /etc/ssh/sftpfoo_config ;;
  stop   ) kill -9 $(cat ${pidfile}) ;;
  restart) ${0} stop
           sleep 3
           ${0} start ;;
  *      ) echo "Usage: ${0} (start|stop|restart)" ;;
esac

exit 0

2. Add it to chkconfig(8) consciousness and set up a symlink you'll need later.

# chkconfig --add sftpfoo
# ln -s /usr/sbin/sshd /usr/sbin/sftpfoo

3. Create your sftp config file - /etc/ssh/sftpfoo_config

Port 8822
Protocol 2
AddressFamily inet

SyslogFacility AUTHPRIV
LogLevel INFO

PermitRootLogin no

RSAAuthentication no
PubkeyAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no

UsePAM no

PidFile /var/run/

ChrootDirectory /home/chrooted
Subsystem sftp internal-sftp

4. Create your first sftp-only user

# useradd -d /nowhere -M -s /sbin/nologin baruser

5. Create the chroot directory

# mkdir -p /home/chrooted && chmod 755 /home/chrooted

6. Start the sftp service

# service sftpfoo start

Now, log in remotely as baruser, specifying port 8822. (Remember to poke a hole in your firewall for this port.)