Upgrading Openssh on CentOS And Chrooting a User When Connecting via SFTP
Consider a scenario, where a user needs to connect to the server via sftp and should restrict the access only to its home directory. The OpenSSH-4.x does not support chrooting facility. We need to upgrade it to OpenSSH-5.x. Before upgrading openssh, we need to make sure that pam, openssl and kerberos packages are installed. If not, run the following command to install it.
Yum will install all the dependency packages. Now, you are ready to upgrade OpenSSH.
Steps to Upgrade OpenSSH from 4.x - 5.x
=================================
1. Download latest OpenSSH package. You can select any mirror site from this link
or You can use the link OpenSSH
2. Run the following commands.
Prefix is important. We should not install the latest openssh to the default location.
3. Open the file "/usr/local/ssh/etc/sshd_config".
4. Change the default port to a non-standard ssh port, say 1234.
5. Save and quit.
7. Run the following command.
8. Make sure that both old and new version of SSH are running on the server.
9. OpenSSH upgrade is complete.
Testing Phase
============
You should make sure that the upgraded version does not have any problem. Login to the server from your local konsole.
You should login without any problem if the installation part went fine. Now, follow the steps given below to make the upgraded openssh to listen on default port.
Chrooting a User When Connecting via SFTP
===================================
To restrict a user to his home directory when he connects to the server via sftp, follow the steps given below.
1. Open the configuration file "/usr/local/ssh/etc/sshd_config".
2. Append the following lines to the configuration file.
3. You should comment the line: "Subsystem sftp /usr/local/ssh/libexec/sftp-server"
4. Save and quit.
5. Terminate the SSH server and start it again using the command:
6. Done
Test it using any FTP clients like WinSCP, FileZilla, CuteFTP and make sure that the user is restricted to his own home directory and he cannot access anything outside his home directory.
Note:- "/usr/local/ssh" is the prefix I used for new openssh installation. You should replace it with your prefix.
With the new openssh running on the server you should not start or restart the ssh using the init script. If you want to manage it via init script, edit the init script accordingly.
Open the file "/etc/init.d/sshd". Find the line 'prog="sshd"'. Below this line add "SSH="/usr/local/ssh". And replace the lines:
with the following lines:
Save and quit. Restart the openssh server using the command:
Confirm that the SSH server is started from the newly installed openssh i.e openssh 5.x.
It will be better if you move the old ssh binaries and create a symlink to the new SSH binaries.
The upgrade and setup of OpenSSH is now complete.
http://kb.bobcares.com/
$ rpm -qa | grep -e openssl -e krb -e openssh
openssh-clients-4.3p2-36.el5_4.4
openssh-server-4.3p2-36.el5_4.4
krb5-devel-1.6.1-36.el5_4.1
openssl-0.9.8e-7.el5
openssl-devel-0.9.8e-7.el5
openssh-4.3p2-36.el5_4.4
krb5-libs-1.6.1-36.el5_4.1
$ yum install pam pam-devel krb5-devel
openssh-clients-4.3p2-36.el5_4.4
openssh-server-4.3p2-36.el5_4.4
krb5-devel-1.6.1-36.el5_4.1
openssl-0.9.8e-7.el5
openssl-devel-0.9.8e-7.el5
openssh-4.3p2-36.el5_4.4
krb5-libs-1.6.1-36.el5_4.1
$ yum install pam pam-devel krb5-devel
Yum will install all the dependency packages. Now, you are ready to upgrade OpenSSH.
Steps to Upgrade OpenSSH from 4.x - 5.x
=================================
1. Download latest OpenSSH package. You can select any mirror site from this link
or You can use the link OpenSSH
2. Run the following commands.
$ tar -zxf openssh-5.4p1.tar.gz
$ cd openssh-5.4p1
$ ./configure --prefix=/usr/local/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-kerberos5 --with-ssl-engine
$ make
$ make install
$ cd openssh-5.4p1
$ ./configure --prefix=/usr/local/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-kerberos5 --with-ssl-engine
$ make
$ make install
Prefix is important. We should not install the latest openssh to the default location.
3. Open the file "/usr/local/ssh/etc/sshd_config".
4. Change the default port to a non-standard ssh port, say 1234.
5. Save and quit.
7. Run the following command.
$ /usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config
8. Make sure that both old and new version of SSH are running on the server.
$ ps aux | grep ssh
root 31987 0.0 0.0 7164 1032 ? Ss 22:48 0:00 /usr/sbin/sshd
root 32280 0.0 0.0 5432 996 ? Ss 22:48 0:00 /usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config
root 31987 0.0 0.0 7164 1032 ? Ss 22:48 0:00 /usr/sbin/sshd
root 32280 0.0 0.0 5432 996 ? Ss 22:48 0:00 /usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config
9. OpenSSH upgrade is complete.
Testing Phase
============
You should make sure that the upgraded version does not have any problem. Login to the server from your local konsole.
$ ssh test@my.testserver.com -p 1234
You should login without any problem if the installation part went fine. Now, follow the steps given below to make the upgraded openssh to listen on default port.
1. Open /usr/local/ssh/etc/sshd_config
2. Change port to default port, i.e 22.
3. Save and quit
4. Kill or terminate all the instances of sshd running on the server.
5. Start the sshd server using the command "/usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config"
2. Change port to default port, i.e 22.
3. Save and quit
4. Kill or terminate all the instances of sshd running on the server.
5. Start the sshd server using the command "/usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config"
Chrooting a User When Connecting via SFTP
===================================
To restrict a user to his home directory when he connects to the server via sftp, follow the steps given below.
1. Open the configuration file "/usr/local/ssh/etc/sshd_config".
2. Append the following lines to the configuration file.
Subsystem sftp internal-sftp
Match User testuser
ChrootDirectory /var/www/html/test
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Match User testuser
ChrootDirectory /var/www/html/test
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
3. You should comment the line: "Subsystem sftp /usr/local/ssh/libexec/sftp-server"
4. Save and quit.
5. Terminate the SSH server and start it again using the command:
/usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config
6. Done
Test it using any FTP clients like WinSCP, FileZilla, CuteFTP and make sure that the user is restricted to his own home directory and he cannot access anything outside his home directory.
Note:- "/usr/local/ssh" is the prefix I used for new openssh installation. You should replace it with your prefix.
With the new openssh running on the server you should not start or restart the ssh using the init script. If you want to manage it via init script, edit the init script accordingly.
Open the file "/etc/init.d/sshd". Find the line 'prog="sshd"'. Below this line add "SSH="/usr/local/ssh". And replace the lines:
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
with the following lines:
KEYGEN=$SSH/bin/ssh-keygen
SSHD=$SSH/sbin/sshd
RSA1_KEY=$SSH/etc/ssh_host_key
RSA_KEY=$SSH/etc/ssh_host_rsa_key
DSA_KEY=$SSH/etc/ssh_host_dsa_key
SSHD=$SSH/sbin/sshd
RSA1_KEY=$SSH/etc/ssh_host_key
RSA_KEY=$SSH/etc/ssh_host_rsa_key
DSA_KEY=$SSH/etc/ssh_host_dsa_key
Save and quit. Restart the openssh server using the command:
/etc/init.d/sshd restart
Confirm that the SSH server is started from the newly installed openssh i.e openssh 5.x.
$ ps aux | grep ssh
root 11791 0.0 0.0 5432 996 ? Ss Mar18 0:00 /usr/local/ssh/sbin/sshd
root 11791 0.0 0.0 5432 996 ? Ss Mar18 0:00 /usr/local/ssh/sbin/sshd
It will be better if you move the old ssh binaries and create a symlink to the new SSH binaries.
$ mv /usr/bin/ssh /usr/bin/ssh-bak
$ mv /usr/sbin/sshd /usr/sbin/sshd-bak
$ mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen-bak
$ mv /usr/bin/ssh-agent /usr/bin/ssh-agent-bak
$ mv /usr/bin/ssh-keyscan /usr/bin/ssh-scan-bak
$ mv /usr/bin/ssh-add /usr/bin/ssh-add-bak
$ ln -s /usr/local/ssh/bin/ssh /usr/bin/ssh
$ ln -s /usr/local/ssh/sbin/sshd /usr/sbin/sshd
$ ln -s /usr/local/ssh/bin/ssh-keygen /usr/bin/ssh-keygen
$ ln -s /usr/local/ssh/bin/ssh-add /usr/bin/ssh-add
$ ln -s /usr/local/ssh/bin/ssh-keyscan /usr/bin/ssh-keyscan
$ ln -s /usr/local/ssh/bin/ssh-agent /usr/bin/ssh-agent
$ mv /usr/sbin/sshd /usr/sbin/sshd-bak
$ mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen-bak
$ mv /usr/bin/ssh-agent /usr/bin/ssh-agent-bak
$ mv /usr/bin/ssh-keyscan /usr/bin/ssh-scan-bak
$ mv /usr/bin/ssh-add /usr/bin/ssh-add-bak
$ ln -s /usr/local/ssh/bin/ssh /usr/bin/ssh
$ ln -s /usr/local/ssh/sbin/sshd /usr/sbin/sshd
$ ln -s /usr/local/ssh/bin/ssh-keygen /usr/bin/ssh-keygen
$ ln -s /usr/local/ssh/bin/ssh-add /usr/bin/ssh-add
$ ln -s /usr/local/ssh/bin/ssh-keyscan /usr/bin/ssh-keyscan
$ ln -s /usr/local/ssh/bin/ssh-agent /usr/bin/ssh-agent
The upgrade and setup of OpenSSH is now complete.
http://kb.bobcares.com/
