Re: OpenSSH-5.3p1 selinux problem on CentOS-5.4.




Just for the reference if you want to keep SELINUX enabled and create
a new instance of sshd (with the stock CentOS 5.4 sshd) with sftp only
you can do the following:

- create a copy of /etc/ssh/sshd_config, e.g.
cp /etc/ssh/sshd_config /etc/ssh/sftpd_config

- change / add the following lines in sftpd_config
Port 1234
ChrootDirectory %h
Subsystem	sftp	internal-sftp
AllowUsers externaluser


- let SELINUX know that port 1234 (or whatever you put in your
sftpd_config) is of type ssh_port_t

semanage port -a -t ssh_port_t -p tcp 1234

- make sure that the sftp user's home directory respects the
requirements of the ChrootDirectory sshd_config directive: This path,
and all its components, must be root-owned directories that are not
writable by any other user or group. For file transfer sessions using
"sftp", no additional configuration of the environment is necessary if
the in-process sftp server is used.
chown root /home/externaluser
chmod go-w /home/externaluser

- create a directory in which externaluser will be able to write
mkdir /home/externaluser/upload
chown externaluser /home/externaluser/upload

- create a copy of the /etc/init.d/sshd init script
cp /etc/init.d/sshd /etc/init.d/sftpd
- modify it to reflect the sftpd_config config file and a new pid file
- make it start automatically
chkconfig --add sftpd
chkconfig sftpd on

Radu
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
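A check for the ChrootDirectory ownership and permission requirements quoted above, as an added example that is not part of the original post. It assumes GNU stat as shipped with CentOS; the owner-uid and top-directory parameters are assumptions added so the check can be run against a staged tree without root, while sshd itself checks every component up to /.

```shell
# check_chroot_path DIR [OWNER_UID] [TOP]
# Walks DIR and each parent directory up to TOP (default /) and reports every
# component that is not owned by OWNER_UID (default 0, root) or that is
# writable by group or others, which is what sshd demands of a ChrootDirectory.
# Returns 0 when all components pass, 1 when any fail, 2 when a path is missing.
# Real use: check_chroot_path /home/externaluser
# OWNER_UID and TOP are assumptions added for testing on a staged tree.
check_chroot_path() {
    dir=$1
    owner=${2:-0}
    top=${3:-/}
    status=0
    # Normalise a relative path to an absolute one so the walk ends at /.
    case $dir in /*) ;; *) dir=$(pwd)/$dir ;; esac
    while :; do
        # GNU stat: numeric owner uid followed by the symbolic mode, e.g. "0 drwxr-xr-x"
        out=$(stat -c '%u %A' "$dir" 2>/dev/null) || { echo "MISSING $dir"; return 2; }
        uid=${out%% *}
        mode=${out##* }
        if [ "$uid" != "$owner" ]; then
            echo "BAD  $dir: owned by uid $uid, expected $owner (fix: chown $owner $dir)"
            status=1
        fi
        # Characters 6 and 9 of the symbolic mode are the group and other write bits.
        if [ "$(printf '%s' "$mode" | cut -c6,9)" != "--" ]; then
            echo "BAD  $dir: mode $mode is group/other writable (fix: chmod go-w $dir)"
            status=1
        fi
        [ "$dir" = "$top" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $status
}
```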

