
Wednesday, July 21, 2010 

Upgrading Openssh on CentOS And Chrooting a User When Connecting via SFTP

Consider a scenario where a user needs to connect to the server via SFTP and must be confined to a single directory. The OpenSSH 4.3p2 shipped with CentOS 5 cannot do this: the ChrootDirectory option (and the in-process internal-sftp subsystem it is normally paired with) arrived in OpenSSH 4.8, so we need to build a 5.x release from source. Before building, make sure the PAM, OpenSSL and Kerberos libraries and their -devel headers are installed, since the configure flags used below need them (--with-tcp-wrappers additionally needs the tcp_wrappers headers, and you need gcc and make). Check what is present, then install whatever is missing:


$ rpm -qa | grep -e openssl -e krb -e openssh
openssh-clients-4.3p2-36.el5_4.4
openssh-server-4.3p2-36.el5_4.4
krb5-devel-1.6.1-36.el5_4.1
openssl-0.9.8e-7.el5
openssl-devel-0.9.8e-7.el5
openssh-4.3p2-36.el5_4.4
krb5-libs-1.6.1-36.el5_4.1

$ yum install pam pam-devel krb5-devel


Yum will install all the dependency packages. Now, you are ready to upgrade OpenSSH.

Steps to Upgrade OpenSSH from 4.x to 5.x
========================================

1. Download the latest portable OpenSSH source tarball (openssh-5.4p1.tar.gz in this example) from one of the OpenSSH mirror sites. Verify the tarball against its detached signature (the .asc file published next to it) with the OpenSSH release key before building: you are about to replace the one daemon that guards every login on the box.
2. Run the following commands.
    
$ tar -zxf openssh-5.4p1.tar.gz
$ cd openssh-5.4p1
$ ./configure --prefix=/usr/local/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-kerberos5 --with-ssl-engine
$ make
$ make install

The prefix matters: do not install the new OpenSSH over the packaged one in /usr and /etc/ssh. Keeping it under its own prefix lets the two versions run side by side during the switch and leaves the distribution package intact to fall back on.
3. Open the file "/usr/local/ssh/etc/sshd_config". This is the new build's own configuration; the packaged sshd keeps reading /etc/ssh/sshd_config.
4. Change the default port to a non-standard SSH port, say 1234, so the new daemon can run next to the old one. Two more things to watch while both run: both builds default to the same PidFile, /var/run/sshd.pid, so set PidFile in the new config to a different path for now, and if a host firewall is active, allow the temporary port.
5. Save and quit.
6. Run the new sshd in test mode first (the -t switch together with the same -f file) to catch configuration errors, then start it. The host keys it needs were generated into /usr/local/ssh/etc by "make install".
  
$ /usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config

7. Make sure that both the old and the new version of sshd are running on the server.

$ ps aux | grep ssh
root     31987  0.0  0.0   7164  1032 ?        Ss   22:48   0:00 /usr/sbin/sshd
root     32280  0.0  0.0   5432   996 ?        Ss   22:48   0:00 /usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config


8. The OpenSSH upgrade is complete.

Testing Phase
============

You should make sure that the upgraded version works before moving it to the default port. From your workstation, log in to the server on the temporary port, and keep your existing session on the old daemon open until the new one is verified.

$ ssh test@my.testserver.com -p 1234

You should log in without any problem if the installation went fine. Now follow the steps given below to make the upgraded OpenSSH listen on the default port.

1. Open /usr/local/ssh/etc/sshd_config
2. Change the port back to the default, i.e. 22, and remove the temporary PidFile override if you set one.
3. Save and quit, then run the new sshd in test mode (the -t switch) against this file so a configuration error is caught before anything is stopped.
4. From a session that is already open, stop only the listening sshd parents (the sshd processes whose parent PID is 1, the two shown by ps above). Do not kill every sshd process: each connected session is a child sshd, so that would drop all sessions, including yours.
5. Start the sshd server using the command "/usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config", then open a fresh connection on port 22 and confirm it works before closing the old session.
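Step 4 is where an upgrade over SSH usually goes wrong, so here is an added example (mine, not part of the original post) of the filter I use to pick out only the listening sshd parents. It assumes the "pid ppid args" column order of `ps -eo pid,ppid,args --no-headers` and runs over a constructed process list that mirrors the ps output shown above with one user logged in on each daemon.

```shell
#!/bin/bash
# Added example (not from the original post): select only the sshd master
# listeners, i.e. the sshd processes with parent PID 1, so that established
# sessions (child sshd processes, including the one you are typing in)
# survive the switch from the packaged 4.3p2 daemon to the new 5.x build.
# Assumed input format: one process per line, "PID PPID ARGS...", as printed
# by `ps -eo pid,ppid,args --no-headers`.

# Print the PIDs of sshd listeners found in ps-style text on stdin.
# A listener has PPID 1 and its program name ends in "sshd"; session
# processes rewrite their argv to "sshd: user@pts/N", which does not match.
sshd_listener_pids() {
    awk '$2 == 1 && $3 ~ /sshd$/ { print $1 }'
}

# Constructed sample: both daemons running, one session on each.
SAMPLE_PS='31987 1 /usr/sbin/sshd
32280 1 /usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config
32301 31987 sshd: root@pts/0
32415 32280 sshd: test [priv]
32417 32415 sshd: test@pts/1'

# Live usage would be:
#   ps -eo pid,ppid,args --no-headers | sshd_listener_pids | xargs -r kill
# Here the filter runs over the constructed sample instead of real ps output.
listeners=$(printf '%s\n' "$SAMPLE_PS" | sshd_listener_pids | tr '\n' ' ')
echo "listeners to stop: $listeners"
```

Only the two PIDs with PPID 1 come out; the three session processes are left alone, which is exactly the set step 4 tells you to terminate.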

Chrooting a User When Connecting via SFTP
===================================

To restrict a user to a single directory tree when he connects to the server via SFTP, follow the steps given below. The directory named in ChrootDirectory becomes the root (/) of everything the user can see; the example uses /var/www/html/test.

1. Open the configuration file "/usr/local/ssh/etc/sshd_config".
2. Append the following lines to the configuration file.

Subsystem sftp internal-sftp
Match User testuser
        ChrootDirectory /var/www/html/test
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp


3. Comment out the existing line "Subsystem      sftp    /usr/local/ssh/libexec/sftp-server". Subsystem may appear only once and is not allowed inside a Match block, which is why the new Subsystem line is placed before Match and the Match block goes at the very end of the file: every directive after a Match line belongs to that block until the next Match.
4. Make the chroot acceptable to sshd: /var/www/html/test and every directory above it must be owned by root and must not be writable by group or others (mode 755 or stricter), otherwise the login fails and the log shows "bad ownership or modes for chroot directory". Because the user therefore cannot write at the top level, give him a subdirectory inside the chroot that he owns for uploads.
5. Save and quit, and run the new sshd in test mode (the -t switch) against the file to catch syntax errors.
6. Terminate the SSH server and start it again using the command:

/usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config

7. Done

Test it with any SFTP-capable client such as WinSCP, FileZilla or CuteFTP (or the sftp command from the upgraded build) and make sure the user is confined to that directory: "cd .." and a listing of / must show nothing outside it, and a plain ssh login as that user must not get a shell because of ForceCommand.
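The ownership rule in step 4 is what breaks most first chroot setups, so here is an added example (my own script, not from the original post) that checks a candidate ChrootDirectory the way sshd does: the directory and every ancestor up to / must be owned by root (uid 0) and must not be writable by group or others. The optional second and third arguments (expected owner uid, and the ancestor at which to stop) are conveniences of this script and not sshd options; they exist only so the check can be dry-run on a scratch tree as an unprivileged user. sshd itself always requires root ownership all the way up to /, so in production run it as root against the real path with just the one argument.

```shell
#!/bin/bash
# Added example: pre-flight check for an OpenSSH ChrootDirectory.
# sshd rejects the login with "bad ownership or modes for chroot directory"
# unless the chroot and every directory above it are owned by root and are
# not group- or other-writable. Uses GNU stat (-c), as found on CentOS.
#
# Usage: check_chroot_path /var/www/html/test
# Dry-run form (this script's own convention, not sshd's):
#   check_chroot_path DIR [OWNER_UID=0] [TOP=/]

check_chroot_path() {
    local dir=$1 want_uid=${2:-0} top=${3:-/} p uid perm g o rc=0
    case $dir in
        /*) ;;
        *)  echo "ERROR: $dir is not an absolute path" >&2; return 2 ;;
    esac
    p=$dir
    while :; do
        if [ ! -d "$p" ]; then
            echo "FAIL: $p is not a directory" >&2; rc=1
        else
            uid=$(stat -c '%u' "$p")    # owner uid
            perm=$(stat -c '%a' "$p")   # octal mode, e.g. 755 or 1777
            g=${perm: -2:1}             # group permission digit
            o=${perm: -1}               # other permission digit
            if [ "$uid" != "$want_uid" ]; then
                echo "FAIL: $p is owned by uid $uid, expected $want_uid" >&2; rc=1
            fi
            # bit value 2 in each digit is the write bit
            if (( (g & 2) || (o & 2) )); then
                echo "FAIL: $p is group/other writable (mode $perm)" >&2; rc=1
            fi
        fi
        # walk upwards until the requested top (or / regardless)
        [ "$p" = "$top" ] && break
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    if [ $rc -eq 0 ]; then
        echo "OK: $dir is acceptable as a ChrootDirectory (checked up to $top)"
    fi
    return $rc
}

# Constructed scratch tree (not the real /var/www/html) so the check can be
# exercised as an ordinary user. Returns 0 when the clean tree passes and the
# tree with a group-writable ancestor is rejected.
demo_chroot_check() {
    local t good=0 bad=0
    t=$(mktemp -d)
    mkdir -p "$t/www/html/test"
    chmod 755 "$t/www" "$t/www/html" "$t/www/html/test"
    check_chroot_path "$t/www/html/test" "$(id -u)" "$t" >/dev/null 2>&1 || good=$?
    chmod 775 "$t/www/html"   # group-writable ancestor: sshd would refuse this
    check_chroot_path "$t/www/html/test" "$(id -u)" "$t" >/dev/null 2>&1 || bad=$?
    rm -rf "$t"
    echo "clean tree: rc=$good, group-writable ancestor: rc=$bad"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}
demo_chroot_check
```

Note that a writable upload area still has to live inside the chroot as a subdirectory owned by the user; the check above deliberately fails if you make the chroot directory itself writable, because sshd would too.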

Note:- "/usr/local/ssh" is the prefix I used for new openssh installation. You should replace it with your prefix.

With the new OpenSSH running on the server you should not start or restart sshd with the stock init script, because it still points at the packaged binaries in /usr/sbin and the host keys in /etc/ssh. If you want to manage the new build via the init script, edit the script accordingly.

Open the file "/etc/init.d/sshd". Find the line 'prog="sshd"'. Below this line add SSH=/usr/local/ssh and replace the lines:

KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key


with the following lines:

KEYGEN=$SSH/bin/ssh-keygen
SSHD=$SSH/sbin/sshd
RSA1_KEY=$SSH/etc/ssh_host_key
RSA_KEY=$SSH/etc/ssh_host_rsa_key
DSA_KEY=$SSH/etc/ssh_host_dsa_key


Save and quit. Restart the openssh server using the command:

/etc/init.d/sshd restart

Confirm that the SSH server is started from the newly installed openssh i.e openssh 5.x.

$ ps aux | grep ssh
root     11791  0.0  0.0   5432   996 ?        Ss   Mar18   0:00 /usr/local/ssh/sbin/sshd


It is better to move the old SSH binaries aside and symlink the new ones in their place, so that users and scripts calling /usr/bin/ssh or /usr/sbin/sshd get the 5.x build. Keep in mind that the packaged openssh RPMs are still installed: a later "yum update" of those packages would overwrite these symlinks with the 4.3p2 binaries again, so add exclude=openssh* to /etc/yum.conf, and expect "rpm -V openssh-server" to report the moved files.

$ mv /usr/bin/ssh /usr/bin/ssh-bak
$ mv /usr/sbin/sshd /usr/sbin/sshd-bak
$ mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen-bak
$ mv /usr/bin/ssh-agent /usr/bin/ssh-agent-bak
$ mv /usr/bin/ssh-keyscan /usr/bin/ssh-keyscan-bak
$ mv /usr/bin/ssh-add /usr/bin/ssh-add-bak
$ ln -s /usr/local/ssh/bin/ssh /usr/bin/ssh
$ ln -s /usr/local/ssh/sbin/sshd /usr/sbin/sshd
$ ln -s /usr/local/ssh/bin/ssh-keygen /usr/bin/ssh-keygen
$ ln -s /usr/local/ssh/bin/ssh-add /usr/bin/ssh-add
$ ln -s /usr/local/ssh/bin/ssh-keyscan /usr/bin/ssh-keyscan
$ ln -s /usr/local/ssh/bin/ssh-agent /usr/bin/ssh-agent


The upgrade and setup of OpenSSH is now complete.


http://kb.bobcares.com/

The Author

  • Nick Perrydoo
  • Spawn at Philippines
© Copyright 2006 Ba-zoo-ra - All Rights Reserved.