Consider a scenario where a user needs to connect to the server via SFTP and must be restricted to their home directory. OpenSSH 4.x does not provide a chroot facility, so we need to upgrade it to OpenSSH 5.x. Before upgrading OpenSSH, make sure that the pam, openssl and kerberos packages are installed. Check with rpm and, if anything is missing, install it with yum:
$ rpm -qa | grep -e openssl -e krb -e openssh
$ yum install pam pam-devel krb5-devel
Yum will install all the dependency packages. Now, you are ready to upgrade OpenSSH.
Steps to Upgrade OpenSSH from 4.x to 5.x
1. Download the latest OpenSSH source tarball from any OpenSSH mirror site.
2. Run the following commands.
$ tar -zxf openssh-5.4p1.tar.gz
$ cd openssh-5.4p1
$ ./configure --prefix=/usr/local/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-kerberos5 --with-ssl-engine
$ make install
The prefix is important. Do not install the new OpenSSH over the default location: keeping it under its own prefix leaves the existing sshd untouched until the new one has been verified.
3. Open the file "/usr/local/ssh/etc/sshd_config".
4. Change the default port to a non-standard SSH port, say 1234.
5. Save and quit.
6. Run the following command.
$ /usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config
7. Make sure that both the old and the new version of sshd are running on the server.
$ ps aux | grep ssh
root 31987 0.0 0.0 7164 1032 ? Ss 22:48 0:00 /usr/sbin/sshd
root 32280 0.0 0.0 5432 996 ? Ss 22:48 0:00 /usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config
8. The OpenSSH upgrade is complete.
Make sure that the upgraded version works before relying on it. Log in to the server from your local console on the new port:
$ ssh user@example.com -p 1234
If the installation went fine, you should log in without any problem. Now follow the steps given below to make the upgraded OpenSSH listen on the default port.
1. Open /usr/local/ssh/etc/sshd_config.
2. Change the port back to the default port, i.e. 22.
3. Save and quit.
4. Kill or terminate all instances of sshd running on the server.
5. Start the sshd server using the command "/usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config".
Chrooting a User When Connecting via SFTP
To restrict a user to his home directory when he connects to the server via sftp, follow the steps given below.
1. Open the configuration file "/usr/local/ssh/etc/sshd_config".
2. Append the following lines to the configuration file.
Subsystem sftp internal-sftp
Match User testuser
3. Comment out the existing line "Subsystem sftp /usr/local/ssh/libexec/sftp-server", since only one sftp subsystem may be defined.
4. Save and quit.
5. Terminate the SSH server and start it again using the command:
/usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config
Test it using any SFTP client such as WinSCP, FileZilla or CuteFTP and make sure that the user is confined to their own home directory and cannot access anything outside it.
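The sshd_config excerpt above only shows the Subsystem and Match lines; a chroot is enforced only when the Match block also sets ChrootDirectory, and sshd refuses the session ("bad ownership or modes for chroot directory" in the log) unless that directory and every parent of it are owned by root and not writable by group or others. The script below is an added example, not code from the original article: it checks exactly those conditions for a candidate ChrootDirectory. The Match block in its header comment (ChrootDirectory %h, ForceCommand internal-sftp, AllowTcpForwarding no) is an assumed completion of the article's fragment, not lines quoted from it.

```shell
#!/bin/sh
# Added example (not from the original article): verify that a directory
# satisfies sshd's ChrootDirectory ownership and permission rules.
#
# Assumed sshd_config Match block (ChrootDirectory/ForceCommand lines are
# assumptions completing the article's fragment, not quoted from it):
#
#   Subsystem sftp internal-sftp
#   Match User testuser
#       ChrootDirectory %h
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#
# chroot_dir_problems UID MODE
#   UID is the numeric owner, MODE the octal mode as printed by `stat -c %a`.
#   Prints one problem per line; returns 1 if any were found, 0 otherwise.
chroot_dir_problems() {
    uid=$1
    perm=$(( 0$2 & 0777 ))     # leading 0 makes the shell parse MODE as octal
    bad=0
    if [ "$uid" -ne 0 ]; then
        echo "owned by uid $uid, must be owned by root (uid 0)"
        bad=1
    fi
    if [ $(( perm & 020 )) -ne 0 ]; then
        echo "group-writable; remove the write bit (chmod g-w)"
        bad=1
    fi
    if [ $(( perm & 002 )) -ne 0 ]; then
        echo "world-writable; remove the write bit (chmod o-w)"
        bad=1
    fi
    return $bad
}

# check_chroot_path DIR
#   Walks from / down to DIR and applies chroot_dir_problems to every
#   component, as sshd does before entering the chroot. Prints each problem
#   prefixed with the offending path; returns 1 if any problem was found.
check_chroot_path() {
    target=$1
    probe=/
    rest=${target#/}
    failed=0
    while :; do
        stats=$(stat -c '%u %a' "$probe" 2>/dev/null) || {
            echo "$probe: cannot stat"
            return 1
        }
        set -- $stats                       # $1 = uid, $2 = octal mode
        out=$(chroot_dir_problems "$1" "$2") || failed=1
        [ -n "$out" ] && printf '%s\n' "$out" | sed "s|^|$probe: |"
        [ -z "$rest" ] && break
        comp=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        probe=${probe%/}/$comp
    done
    return $failed
}

# Usage: sh check_chroot.sh /home/testuser
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "$1: suitable as ChrootDirectory"
fi
```

Run it against the home directory of the user named in the Match block before restarting sshd. Because ChrootDirectory must be root-owned, a chrooted user cannot write to the top level of the chroot; give them a root-owned home with a user-owned subdirectory for uploads. The configuration file itself can be syntax-checked without starting the daemon with `/usr/local/ssh/sbin/sshd -t -f /usr/local/ssh/etc/sshd_config`.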
"/usr/local/ssh" is the prefix I used for the new OpenSSH installation. You should replace it with your prefix.
With the new OpenSSH running on the server, do not start or restart ssh using the distribution's init script, since that script still points at the old binaries. If you want to manage it via the init script, edit the init script accordingly.
Open the file "/etc/init.d/sshd". Find the line prog="sshd" and below it add the line SSH="/usr/local/ssh". Then replace the lines:
with the following lines:
Save and quit. Restart the openssh server using the command:
Confirm that the running SSH server is the newly installed one, i.e. OpenSSH 5.x.
$ ps aux | grep ssh
root 11791 0.0 0.0 5432 996 ? Ss Mar18 0:00 /usr/local/ssh/sbin/sshd
It is better to move the old SSH binaries aside and create symlinks to the new SSH binaries in their place, so that scripts and users calling the standard paths get the upgraded version.
$ mv /usr/bin/ssh /usr/bin/ssh-bak
$ mv /usr/sbin/sshd /usr/sbin/sshd-bak
$ mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen-bak
$ mv /usr/bin/ssh-agent /usr/bin/ssh-agent-bak
$ mv /usr/bin/ssh-keyscan /usr/bin/ssh-scan-bak
$ mv /usr/bin/ssh-add /usr/bin/ssh-add-bak
$ ln -s /usr/local/ssh/bin/ssh /usr/bin/ssh
$ ln -s /usr/local/ssh/sbin/sshd /usr/sbin/sshd
$ ln -s /usr/local/ssh/bin/ssh-keygen /usr/bin/ssh-keygen
$ ln -s /usr/local/ssh/bin/ssh-add /usr/bin/ssh-add
$ ln -s /usr/local/ssh/bin/ssh-keyscan /usr/bin/ssh-keyscan
$ ln -s /usr/local/ssh/bin/ssh-agent /usr/bin/ssh-agent
The upgrade and setup of OpenSSH is now complete.