Linode Forum
Linode Community Forums
PostPosted: Sat Apr 21, 2012 8:14 am 
Offline
Senior Member
User avatar

Joined: Tue Apr 26, 2011 7:43 am
Posts: 59
Dear all,

I am using the WinSCP FTP tool to download files from the Linode.
It is the recommended FTP tool by Linode: http://library.linode.com/networking/fi ... les-winscp

I am using a normal (non-root) unix user to log into the server to back up files on a regular basis. Once logged in, the WinSCP tool displays the whole file system.

How do I provide access only to a user's home directory and restrict access to other files and directories?

Thanks,
Avinash


Top
   
 Post subject:
PostPosted: Sat Apr 21, 2012 10:29 am 
Offline
Junior Member

Joined: Wed Apr 06, 2011 8:20 am
Posts: 29
Create SFTP Jails?

http://library.linode.com/security/sftp-jails


Top
   
 Post subject:
PostPosted: Sun Apr 22, 2012 7:45 am 
Offline
Senior Member
User avatar

Joined: Tue Apr 26, 2011 7:43 am
Posts: 59
Thanks for sharing the link.

1) I am using CentOS 5.6-SP2. Will these changes work?

2) I actually tried and made the changes listed in the website. I am receiving an error when sshd is restarted.

Stopping sshd: [FAILED]
Starting sshd: /etc/ssh/sshd_config: line 120: Bad configuration option: Match
/etc/ssh/sshd_config: terminating, 1 bad configuration options
[FAILED]




Top
   
 Post subject:
PostPosted: Sun Apr 22, 2012 8:34 am 
Offline
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
Post the contents of your sshd_config file. Also run
Code:
sshd -V
It'll throw an error, but it'll print the sshd version you have. It could be that CentOS 5 has an old version that doesn't support the Match directive.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


Top
   
 Post subject:
PostPosted: Sun Apr 22, 2012 10:07 pm 
Offline
Senior Member
User avatar

Joined: Tue Apr 26, 2011 7:43 am
Posts: 59
sshd -v:

sshd -v
sshd: illegal option -- v
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

/etc/sshd_config file:


# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
Match group filetransfer
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp





Top
   
 Post subject:
PostPosted: Sun Apr 22, 2012 11:27 pm 
Offline
Junior Member

Joined: Mon Sep 19, 2011 2:48 am
Posts: 28
Avinash.Rao wrote:
Subsystem sftp /usr/libexec/openssh/sftp-server
Match group filetransfer
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

As defined in the tutorial you said you followed...
Quote:
Edit your /etc/ssh/sshd_config file, making sure the following line is present. If your system's file has a line that begins with "Subsystem sftp" modify it to resemble the following:

File excerpt:/etc/ssh/sshd_config

Quote:
Subsystem sftp internal-sftp

You didn't edit the Subsystem line. I would start by fixing that first and then making sure you followed the rest of the tutorial properly.

Good luck!


Top
   
 Post subject:
PostPosted: Sun Apr 22, 2012 11:33 pm 
Offline
Senior Member
User avatar

Joined: Tue Apr 26, 2011 7:43 am
Posts: 59
I have pasted the config file after reverting back to the original configuration.

I did change that to Subsystem sftp internal-sftp.

Regards..



Top
   
 Post subject:
PostPosted: Sun Apr 22, 2012 11:36 pm 
Offline
Senior Member
User avatar

Joined: Tue Apr 26, 2011 7:43 am
Posts: 59
I also noticed conflicting entries, the 'X11Forwarding' value is set to yes in the beginning but at the end we are setting this to 'no'.

Aren't these conflicting?


Top
   
 Post subject:
PostPosted: Sun Apr 22, 2012 11:44 pm 
Offline
Junior Member

Joined: Mon Sep 19, 2011 2:48 am
Posts: 28
Avinash.Rao wrote:
I also noticed conflicting entries, the 'X11Forwarding' value is set to yes in the beginning but at the end we are setting this to 'no'.

Aren't these conflicting?

No, the second one overrides X11Forwarding only for the group 'filetransfer'.

Edited: To make it easier to understand.


Top
   
 Post subject:
PostPosted: Mon Apr 23, 2012 12:00 am 
Offline
Junior Member

Joined: Mon Sep 19, 2011 2:48 am
Posts: 28
Ok, it looks like your sshd is outdated.

I'm sorry for not looking earlier at your answer when someone asked, but when checking your reply about what version you're running, it's obvious yours is quite old.
Yours:
Quote:
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

I am pretty sure that Match support like you're trying to use wasn't added until version 5+, so yours is too outdated to support this option.

I would try updating.


Top
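An added example, not part of any post in this thread: a pre-flight check that compares the sshd version banner with the releases that introduced the jail directives, so an unsupported config is caught before a restart leaves sshd down. The minimum versions (Match in OpenSSH 4.4, ChrootDirectory and internal-sftp in 4.9) are taken from the upstream release notes rather than from the thread; the function names and the sample config are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check an sshd_config for directives the
# installed OpenSSH release cannot parse, before restarting the daemon.

# min_version DIRECTIVE -> "major minor" of the first release that accepts it
# (per upstream release notes: Match in 4.4, chroot/internal-sftp in 4.9).
min_version() {
    case "$1" in
        Match) echo "4 4" ;;
        ChrootDirectory|internal-sftp) echo "4 9" ;;
        *) return 1 ;;
    esac
}

# banner_supports BANNER DIRECTIVE -> 0 if the version in BANNER is new enough.
banner_supports() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' | head -n 1)
    [ -n "$ver" ] || return 2            # no version found: treat as unsupported
    req=$(min_version "$2") || return 2
    set -- $ver $req                     # $1.$2 = installed, $3.$4 = required
    [ "$1" -gt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]; }
}

# unsupported_directives BANNER CONFIG -> prints each jail directive that is
# active (not commented out) in CONFIG but too new for this sshd.
unsupported_directives() {
    banner=$1; config=$2
    for d in Match ChrootDirectory internal-sftp; do
        if grep -v '^[[:space:]]*#' "$config" | grep -qi -- "$d"; then
            banner_supports "$banner" "$d" || echo "$d"
        fi
    done
    return 0
}

# Constructed sample: the jail block from the thread, checked against the
# banner the poster reported.
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
#ChrootDirectory none
Subsystem sftp internal-sftp
Match group filetransfer
ChrootDirectory %h
ForceCommand internal-sftp
EOF
unsupported_directives "OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008" "$demo_config"

# On a live host: banner=$(sshd -V 2>&1 | grep OpenSSH_), then run
# "sshd -t -f /etc/ssh/sshd_config" and restart only if it exits 0.
```

Keep an existing SSH session open while testing, since a config that fails to parse stops sshd from starting again.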
   
 Post subject:
PostPosted: Mon Apr 23, 2012 1:54 am 
Offline
Senior Member
User avatar

Joined: Tue Apr 26, 2011 7:43 am
Posts: 59
Should I upgrade openssh?

yum update openssh
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.sov.uk.goscomb.net
* extras: mirror.sov.uk.goscomb.net
* updates: mirrors.coreix.net
Setting up Update Process
Resolving Dependencies
--> Running transaction check
--> Processing Dependency: openssh = 4.3p2-72.el5_6.3 for package: openssh-clients
--> Processing Dependency: openssh = 4.3p2-72.el5_6.3 for package: openssh-server
---> Package openssh.x86_64 0:4.3p2-82.el5 set to be updated
--> Running transaction check
---> Package openssh-clients.x86_64 0:4.3p2-82.el5 set to be updated
---> Package openssh-server.x86_64 0:4.3p2-82.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Updating:
openssh x86_64 4.3p2-82.el5 base 291 k
Updating for dependencies:
openssh-clients x86_64 4.3p2-82.el5 base 456 k
openssh-server x86_64 4.3p2-82.el5 base 280 k

Transaction Summary
================================================================================
Install 0 Package(s)
Upgrade 3 Package(s)

Total download size: 1.0 M
Is this ok [y/N]:





Top
   
 Post subject:
PostPosted: Mon Apr 23, 2012 2:07 am 
Offline
Junior Member

Joined: Mon Sep 19, 2011 2:48 am
Posts: 28
Avinash.Rao wrote:
Should I upgrade openssh?

Yes, but I'm not sure how repositories work with CentOS, so you may not be updating to a new enough version; be sure to check what version it updates to when done.

Crossing my fingers for ya. :)


Top
   
 Post subject:
PostPosted: Mon Apr 23, 2012 2:10 am 
Offline
Senior Member
User avatar

Joined: Tue Apr 26, 2011 7:43 am
Posts: 59
You are right, I finished the update and the version is the same!

sshd -v
sshd: illegal option -- v
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]




Top
   
 Post subject:
PostPosted: Mon Apr 23, 2012 2:28 am 
Offline
Junior Member

Joined: Mon Sep 19, 2011 2:48 am
Posts: 28
Avinash.Rao wrote:
You are right, I finished the update and the version is the same!

Ok, the following is from a random website but I updated the instructions for the latest version of openssh available (6.0).

Quote:
How to install openssh 5 on Centos 5

Execute this in shell
Code:
rpm -qa | grep ssh && yum -y install gcc automake autoconf libtool make openssl-devel pam-devel rpm-build && wget http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-6.0p1.tar.gz && wget http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-6.0p1.tar.gz.asc && wget -O- http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/DJM-GPG-KEY.asc | gpg --import && gpg openssh-6.0p1.tar.gz.asc  && tar zxvf openssh-6.0p1.tar.gz && cp openssh-6.0p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/ && cp openssh-6.0p1.tar.gz /usr/src/redhat/SOURCES/ && cd /usr/src/redhat/SPECS/ && perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec  && rpmbuild -bb openssh.spec && cd /usr/src/redhat/RPMS/`uname -i` && uname -i && ls -l && rpm -Uvh openssh*rpm 

Confirm the installation
Code:
rpm -qa | grep ssh

I take no responsibility for how well the above works, I did not make it but found it from this site and did minor editing (5.6 to 6.0) for you.

Let me know how it goes.

p.s. There are other sites with info on building openssh for CentOS, so if this fails, don't give up.


Top
   
 Post subject:
PostPosted: Mon Apr 23, 2012 2:54 am 
Offline
Senior Member
User avatar

Joined: Tue Apr 26, 2011 7:43 am
Posts: 59
Here's what is happening when I execute the code:

rpm -qa | grep ssh && yum -y install gcc automake autoconf libtool make openssl-devel pam-devel rpm-build && wget http://ftp.halifax.rwth-aachen.de/openb ... 0p1.tar.gz && wget http://ftp.halifax.rwth-aachen.de/openb ... tar.gz.asc && wget -O- http://ftp.halifax.rwth-aachen.de/openb ... PG-KEY.asc | gpg --import && gpg openssh-6.0p1.tar.gz.asc && tar zxvf openssh-6.0p1.tar.gz && cp openssh-6.0p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/ && cp openssh-6.0p1.tar.gz /usr/src/redhat/SOURCES/ && cd /usr/src/redhat/SPECS/ && perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec && rpmbuild -bb openssh.spec && cd /usr/src/redhat/RPMS/`uname -i` && uname -i && ls -l && rpm -Uvh openssh*rpm
openssh-4.3p2-82.el5
openssh-clients-4.3p2-82.el5
openssh-server-4.3p2-82.el5
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.sov.uk.goscomb.net
* extras: mirror.sov.uk.goscomb.net
* updates: mirrors.coreix.net
Setting up Install Process
Package gcc-4.1.2-52.el5.x86_64 already installed and latest version
Package automake-1.9.6-2.3.el5.noarch already installed and latest version
Package autoconf-2.59-12.noarch already installed and latest version
Package libtool-1.5.22-7.el5_4.x86_64 already installed and latest version
Package 1:make-3.81-3.el5.x86_64 already installed and latest version
Package openssl-devel-0.9.8e-22.el5_8.1.x86_64 already installed and latest version
Package openssl-devel-0.9.8e-22.el5_8.1.i386 already installed and latest version
Package pam-devel-0.99.6.2-6.el5_5.2.x86_64 already installed and latest version
Package pam-devel-0.99.6.2-6.el5_5.2.i386 already installed and latest version
Package rpm-build-4.4.2.3-28.el5_8.x86_64 already installed and latest version
Nothing to do
--2012-04-23 12:22:03-- http://ftp.halifax.rwth-aachen.de/openb ... 0p1.tar.gz
Resolving ftp.halifax.rwth-aachen.de... 137.226.34.42
Connecting to ftp.halifax.rwth-aachen.de|137.226.34.42|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1126034 (1.1M) [application/octet-stream]
Saving to: `openssh-6.0p1.tar.gz'

100%[==============================================================================================================================>] 1,126,034 4.58M/s in 0.2s

2012-04-23 12:22:03 (4.58 MB/s) - `openssh-6.0p1.tar.gz' saved [1126034/1126034]

--2012-04-23 12:22:04-- http://ftp.halifax.rwth-aachen.de/openb ... tar.gz.asc
Resolving ftp.halifax.rwth-aachen.de... 137.226.34.42
Connecting to ftp.halifax.rwth-aachen.de|137.226.34.42|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 188 [application/octet-stream]
Saving to: `openssh-6.0p1.tar.gz.asc'

100%[==============================================================================================================================>] 188 --.-K/s in 0s

2012-04-23 12:22:04 (8.08 MB/s) - `openssh-6.0p1.tar.gz.asc' saved [188/188]

-bash: gpg: command not found
--2012-04-23 12:22:04-- http://ftp.halifax.rwth-aachen.de/openb ... PG-KEY.asc
Resolving ftp.halifax.rwth-aachen.de... 137.226.34.42
Connecting to ftp.halifax.rwth-aachen.de|137.226.34.42|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1725 (1.7K) [application/octet-stream]
Saving to: `STDOUT'

0% [ ] 0 --.-K/s in 0s


Cannot write to `-' (Broken pipe).
[root@hostname ~]#


2) I also tried adding the mirror listed in http://mirror.neu.edu.cn/CentALT/readme.txt

rpm -ihv http://download.fedora.redhat.com/pub/e ... noarch.rpm
Retrieving http://download.fedora.redhat.com/pub/e ... noarch.rpm
error: skipping http://download.fedora.redhat.com/pub/e ... noarch.rpm - transfer failed - Unknown or unexpected error


3) yum update

Finished Dependency Resolution
openssh-clients-5.8p2-16.el5.1.x86_64 from CentALT has depsolving problems
--> Missing Dependency: libedit.so.0()(64bit) is needed by package openssh-clients-5.8p2-16.el5.1.x86_64 (CentALT)
Error: Missing Dependency: libedit.so.0()(64bit) is needed by package openssh-clients-5.8p2-16.el5.1.x86_64 (CentALT)
You could try using --skip-broken to work around the problem
You could try running: package-cleanup --problems
package-cleanup --dupes
rpm -Va --nofiles --nodigest
The program package-cleanup is found in the yum-utils package.



Top
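An added example, not part of any post in this thread: the build one-liner imports the signing key from the same HTTP mirror that serves the tarball, and the log above shows gpg was not installed when it ran. The sketch below checks the detached signature against a pinned fingerprint and refuses to continue on any failure; PINNED_FPR is a placeholder, and the function names and sample status lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): verify a source tarball against a
# pinned release-key fingerprint and stop the build on any failure.

# Placeholder: the fingerprint must come from a channel other than the mirror
# that serves the tarball, otherwise the check only proves the mirror agrees
# with itself.
PINNED_FPR="REPLACE_WITH_RELEASE_KEY_FINGERPRINT"

# status_ok FPR: reads "gpg --status-fd" lines on stdin. Succeeds only when
# there is a GOODSIG, a VALIDSIG naming FPR (signing key or primary key),
# and no bad, expired or revoked signature status.
status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" && (toupper($3) == toupper(want) ||
                             toupper($NF) == toupper(want)) { pinned = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (good && pinned && !bad) exit 0; exit 1 }
    '
}

# verify_tarball TARBALL SIG: every precondition is checked explicitly, so a
# missing gpg binary or an empty download stops the build.
verify_tarball() {
    command -v gpg >/dev/null 2>&1 ||
        { echo "gpg not installed; refusing to build" >&2; return 127; }
    [ -s "$1" ] && [ -s "$2" ] ||
        { echo "tarball or signature missing" >&2; return 2; }
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        status_ok "$PINNED_FPR"
}

# Constructed status output (sample values, not a real key or signature).
sample_fpr="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
sample_status="[GNUPG:] SIG_ID constructed 2012-04-22 1335052800
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $sample_fpr 2012-04-22 1335052800 0 4 0 1 2 00 $sample_fpr"
printf '%s\n' "$sample_status" | status_ok "$sample_fpr" &&
    echo "constructed sample accepted"

# On a real host, gate the build on the result:
#   verify_tarball openssh-6.0p1.tar.gz openssh-6.0p1.tar.gz.asc || exit 1
```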
   