System: CentOS 5/6
Prerequisites: openssh >5.2
The chroot sftp user's home directory is /usr/sftp/i-sftp. Make sure the entire chroot path is owned by root:
ls -ld /usr
ls -ld /usr/sftp
ls -ld /usr/sftp/i-sftp
Add to /etc/ssh/sshd_config (set PasswordAuthentication to yes instead if password authentication is used, and PubkeyAuthentication to no if keys are not allowed):
Match User i-sftp
    ChrootDirectory %h
    ForceCommand internal-sftp -l INFO
    GSSAPIAuthentication no
    PasswordAuthentication no
    PubkeyAuthentication yes
    AllowTcpForwarding no
    Banner none
For key-based authentication add a .ssh directory and create the authorized_keys file. These must also be owned by root:root:
sudo mkdir -m 0555 /usr/sftp/i-sftp/.ssh
sudo touch /usr/sftp/i-sftp/.ssh/authorized_keys
sudo chmod 0444 /usr/sftp/i-sftp/.ssh/authorized_keys
Add the necessary public keys to the authorized_keys file.
Create a directory for the log socket (the chrooted internal-sftp process cannot reach the system's /dev/log, so rsyslog has to listen on a socket inside the chroot):
sudo mkdir -m 0755 /usr/sftp/i-sftp/dev
Add to /etc/rsyslog.conf. $AddUnixListenSocket is an imuxsock directive, so it must come after the $ModLoad imuxsock line that the stock CentOS rsyslog.conf already contains; the `~` lines discard each message once written so that later rules do not log it again:
$AddUnixListenSocket /usr/sftp/i-sftp/dev/log
if $programname == 'sshd' then /var/log/sshd.log
if $programname == 'sshd' then ~
if $programname == 'internal-sftp' then /var/log/sshd.log
if $programname == 'internal-sftp' then ~
Restart rsyslog:
sudo service rsyslog restart
Now all sshd and internal-sftp messages will go to /var/log/sshd.log
Don't forget to add sshd.log to logrotate.