System: CentOS 5/6
Prerequisites: openssh >5.2
The chroot SFTP user's home directory is /usr/sftp/i-sftp.
- Make sure every component of the chroot path is owned by root and not writable by group or others; sshd refuses to chroot the session otherwise:
ls -ld /usr
ls -ld /usr/sftp
ls -ld /usr/sftp/i-sftp
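An added check, not part of the original note: this POSIX shell function walks the chroot path from the leaf up to / and reports any component that is not owned by root or is group/world-writable, which is the condition sshd enforces before it will chroot a session. It assumes GNU stat as shipped on CentOS; the function names are my own.

```shell
#!/bin/sh
# Return 0 when an octal mode string (e.g. 755, 1777) grants write to group or others.
group_or_world_writable() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# check_chroot_path ABSOLUTE_PATH: print OK/BAD/MISSING for each directory from
# the leaf up to /, returning 1 if any component would make sshd reject the
# ChrootDirectory, 2 for a relative path. Hypothetical helper, not from the note.
check_chroot_path() {
    path=$1
    case $path in
        /*) ;;
        *) echo "ERROR: $path is not an absolute path" >&2; return 2 ;;
    esac
    status=0
    p=$path
    while :; do
        # GNU stat: numeric owner uid and octal mode of this component.
        out=$(stat -c '%u %a' -- "$p" 2>/dev/null) || { echo "MISSING $p"; return 1; }
        set -- $out
        uid=$1 mode=$2
        if [ "$uid" -ne 0 ]; then
            echo "BAD     $p (uid $uid, must be owned by root)"
            status=1
        elif group_or_world_writable "$mode"; then
            echo "BAD     $p (mode $mode is group/world writable)"
            status=1
        else
            echo "OK      $p (uid $uid, mode $mode)"
        fi
        [ "$p" = / ] && break
        p=$(dirname -- "$p")
    done
    return $status
}

# Constructed usage: the chroot directory from this note.
check_chroot_path /usr/sftp/i-sftp || echo "chroot path is NOT acceptable to sshd"
```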
Add to /etc/ssh/sshd_config:
Match User i-sftp
ChrootDirectory %h
ForceCommand internal-sftp -l INFO
GSSAPIAuthentication no
PasswordAuthentication no (yes if using password auth)
PubkeyAuthentication yes (no if keys not allowed)
AllowTcpForwarding no
Banner none
For key-based authentication add a .ssh directory and create the authorized_keys file. Both must also be owned by root:root:
sudo mkdir -m 0555 /usr/sftp/i-sftp/.ssh
sudo touch /usr/sftp/i-sftp/.ssh/authorized_keys
sudo chmod 0444 /usr/sftp/i-sftp/.ssh/authorized_keys
Add the necessary public keys to the authorized_keys file.
Create a directory for the log socket. The chrooted internal-sftp process cannot reach the system /dev/log, so rsyslog must listen on a socket inside the chroot or its messages are silently lost:
sudo mkdir -m 0755 /usr/sftp/i-sftp/dev
Add to /etc/rsyslog.conf:
$AddUnixListenSocket /usr/sftp/i-sftp/dev/log
if $programname == 'sshd' then /var/log/sshd.log
if $programname == 'sshd' then ~
if $programname == 'internal-sftp' then /var/log/sshd.log
if $programname == 'internal-sftp' then ~
Restart rsyslog:
sudo service rsyslog restart
All sshd and internal-sftp messages now go to /var/log/sshd.log.
Don't forget to add sshd.log to logrotate.