Centos 5.1 Chrooting SFTP using SCPonly Installation

Verify/Install the following

  • GCC is installed.
  • OpenSSH is installed.
  • Download scponly from: https://sourceforge.net/project/showfiles.php?group_id=155849 and extract it to /tmp

Configure Your Installation

Navigate into the directory in /tmp where you extracted scponly.

Configure with the command below:

./configure --enable-chrooted-binary

Build & Install the Binaries

make

make install

This will install your manpage and scponly binary/binaries.

Edit /etc/shells using vi to look like this:

/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh
/usr/local/sbin/scponlyc

If you do not want to use scponly in a chrooted fashion, use the following instead of scponlyc:

/usr/local/bin/scponly

Set up the jail with the following command which invokes a helper script:

make jail

The output will look similar to below:

/usr/bin/install -c -d /usr/local/bin
/usr/bin/install -c -d /usr/local/man/man8
/usr/bin/install -c -d /usr/local/etc/scponly
/usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly
/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8
/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel
if test "xscponlyc" != "x"; then \
/usr/bin/install -c -d /usr/local/sbin; \
rm -f /usr/local/sbin/scponlyc; \
cp scponly scponlyc; \
/usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc; \
fi
chmod u+x ./setup_chroot.sh
./setup_chroot.sh

Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writeable by the scponly user.
this is important so that the scponly user cannot subvert the .ssh configuration parameters.
for this reason, a writeable subdirectory will be created that the scponly user can write into.
Username to install [scponly]scponly
home directory you wish to set for this user [/home/scponly]
name of the writeable subdirectory [incoming]files
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
creating /home/scponly/files directory for uploading files

Your platform (Linux) does not have a platform specific setup script. This install script will attempt a best guess.

Look to the templates in build_extras/arch. - joe at sublimation dot org

please set the password for scponly:
Changing password for user scponly.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

If you experience a warning with winscp regarding groups, please install the provided hacked out fake groups program into your chroot, like so:
cp groups /home/scponly/bin/groups

Note: I ran the command mentioned at the end:

cp groups /home/scponly/bin/groups

Note that this is not the end-all for setting up chrooted scponly! During "make jail", for example, I used /home/scponly/ as my chroot main path. The following are the final steps I took to get scponly working.

Edit /home/scponly/etc/ld.so.conf and replace its content with:

/lib
/usr/lib

Type:

ldconfig -r /home/scponly/

Copy /lib/ld-linux.so.* into /home/scponly/lib/:

cp /lib/ld-linux.so.* /home/scponly/lib/

Copy /etc/group into /home/scponly/etc/:

cp /etc/group /home/scponly/etc/

Create the folder /home/scponly/etc/selinux

mkdir /home/scponly/etc/selinux

Create a file named config there and insert the following content in this file:

vi /home/scponly/etc/selinux/config

SELINUX=disabled
SELINUXTYPE=targeted
SETLOCALDEFS=0

Create the folder:

mkdir /home/scponly/dev

Create the null device in chroot:

mknod /home/scponly/dev/null c 1 3

Change permissions on the null device:

chmod 666 /home/scponly/dev/null
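The finishing steps from "Edit /home/scponly/etc/ld.so.conf" down to the null device, collected into one script. This is an added example, not the post's own text or anything shipped with scponly. It assumes the values chosen above during make jail (jail root and home /home/scponly, user scponly), GNU stat(1) as found on CentOS, and root privileges for the mknod, chmod and ldconfig steps. It goes slightly beyond the post by adding two checks its own warnings imply: that /usr/local/sbin/scponlyc is listed in /etc/shells, and that the jail user's home is not writable by that user (the setup script's note about .ssh), while the "files" upload subdirectory stays the only writable place.

```shell
#!/bin/sh
# Added example, not part of the original post or of scponly itself:
# the post-"make jail" steps as idempotent shell functions, plus two checks.
# Assumptions (mine, not the post's): jail root /home/scponly, jail user
# "scponly", GNU stat(1) as on CentOS, root privileges for mknod/chmod/ldconfig.

JAIL="${JAIL:-/home/scponly}"
JAIL_USER="${JAIL_USER:-scponly}"
SCPONLYC="/usr/local/sbin/scponlyc"

# ld.so.conf inside the jail: only /lib and /usr/lib, as in the post.
write_ld_conf() {
    root="$1"
    mkdir -p "$root/etc" "$root/lib" "$root/usr/lib"
    printf '/lib\n/usr/lib\n' > "$root/etc/ld.so.conf"
}

# SELinux config the post places inside the jail.
write_selinux_config() {
    root="$1"
    mkdir -p "$root/etc/selinux"
    printf 'SELINUX=disabled\nSELINUXTYPE=targeted\nSETLOCALDEFS=0\n' \
        > "$root/etc/selinux/config"
}

# Copy the dynamic loader and the group database into the jail.
copy_loader_and_group() {
    root="$1"
    mkdir -p "$root/lib" "$root/etc"
    cp /lib/ld-linux.so.* "$root/lib/"
    cp /etc/group "$root/etc/"
}

# /dev/null inside the jail: character device 1,3 with mode 666 (needs root).
make_dev_null() {
    root="$1"
    mkdir -p "$root/dev"
    [ -c "$root/dev/null" ] || mknod "$root/dev/null" c 1 3
    chmod 666 "$root/dev/null"
}

# Check 1: is the restricted shell listed in the shells file (exact line match)?
# Without it, login-style tools treat the account as having no valid shell.
shell_is_listed() {
    shells_file="$1"; shell_path="$2"
    grep -qx -- "$shell_path" "$shells_file"
}

# Check 2: the jail user's home must not be writable by that user, otherwise
# the user could drop a .ssh directory of their own. Pass only when the
# directory is owned by someone else and carries no group or other write bit.
home_is_locked_down() {
    dir="$1"; user="$2"
    owner=$(stat -c '%U' "$dir") || return 1
    perms=$(stat -c '%A' "$dir") || return 1      # e.g. drwxr-xr-x
    [ "$owner" != "$user" ] || return 1
    case "$perms" in
        ?????w*|????????w*) return 1 ;;           # group- or world-writable
    esac
    return 0
}

# Apply everything to a real jail. Only runs when invoked as: sh finish_jail.sh run
finish_jail() {
    root="$1"; user="$2"
    write_ld_conf "$root"
    ldconfig -r "$root"
    copy_loader_and_group "$root"
    write_selinux_config "$root"
    make_dev_null "$root"
    shell_is_listed /etc/shells "$SCPONLYC" \
        || echo "warning: $SCPONLYC is missing from /etc/shells" >&2
    home_is_locked_down "$root" "$user" \
        || echo "warning: $root is writable by $user; fix ownership/mode" >&2
}

if [ "${1:-}" = "run" ]; then
    finish_jail "$JAIL" "$JAIL_USER"
fi
```

The two check functions take their paths as parameters so they can be pointed at a copy of /etc/shells or at a scratch directory and exercised without root; finish_jail wires them to the live jail and only warns, leaving the fix to the administrator.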
