Creating an FTP server is one thing, but setting up secure FTP, aka SFTP, in a way that prevents users from traversing the rest of the server's filesystem is a whole other issue.
After weeks of trying to figure this out, I thought it would be interesting to post it to the public. Here is my first how-to for the Internets, and it's all thanks to Google and Adam...
I started with a clean CentOS 5 install, with nothing but the development tools and libraries...
Then I did the following:
$ yum update
$ yum install wget
Next was to install zlib under /opt. The zip unpacks into a zlib-1.2.3 directory, and zlib's top-level Makefile does nothing until you run its configure script, which is also where the install prefix is set...
$ cd /usr/local/src
$ mkdir zlib
$ cd zlib
$ wget http://www.zlib.net/zlib123.zip
$ unzip zlib123.zip
$ cd zlib-1.2.3
$ ./configure --prefix=/opt/zlib
$ make
$ make install
Then install openssl…
$ cd /usr/local/src
$ wget http://www.openssl.org/source/openssl-0.9.8k.tar.gz
$ tar zxvf openssl-0.9.8k.tar.gz
$ cd openssl-0.9.8k
$ ./config --prefix=/opt/openssl --openssldir=/opt/openssl
$ make
$ make install
Finally, install OpenSSH 5.2 with all the proper libraries…
$ cd /usr/local/src
$ wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.2p1.tar.gz
$ tar xvzf openssh-5.2p1.tar.gz
$ cd openssh-5.2p1
CHECK XAUTH:
$ which xauth
Mine returned /usr/bin/xauth, so I passed --with-xauth=/usr/bin/xauth to configure along with the zlib and OpenSSL locations built above:
$ ./configure --prefix=/opt/openssh --with-ssl-dir=/opt/openssl --with-xauth=/usr/bin/xauth --with-zlib=/opt/zlib
$ make
$ make install
Now you can point the sshd init script at the new build and configure its sshd_config. Because OpenSSH was built with --prefix=/opt/openssh, the new binary reads its configuration from /opt/openssh/etc/sshd_config rather than /etc/ssh...
$ vi /etc/init.d/sshd
Replace this:
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
...with this:
KEYGEN=/opt/openssh/bin/ssh-keygen
SSHD=/opt/openssh/sbin/sshd
RSA1_KEY=/opt/openssh/etc/ssh_host_key
RSA_KEY=/opt/openssh/etc/ssh_host_rsa_key
DSA_KEY=/opt/openssh/etc/ssh_host_dsa_key
To test your configuration:
$ /etc/init.d/sshd restart
$ yum install telnet
$ telnet localhost 22
You should get this...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.2
The banner should say OpenSSH_5.2; that confirms the init script is launching the /opt build rather than the stock CentOS sshd. Now edit the new build's config:
$ vi /opt/openssh/etc/sshd_config
At the bottom, replace everything from the line beginning with:
Subsystem sftp...
...down to the end of the file with this (a Match block has to go at the end, because every directive after a Match line applies only to connections that match it):
Subsystem sftp internal-sftp
Match Group sftpusers
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
If you want to make sure everything is happy before you start, restart the sshd service one more time…
$ /etc/init.d/sshd restart
or
$ service sshd restart
Now let's add the SFTP user group. You can name it anything you want, just make sure it matches the group in the Match line you added to sshd_config. In this case I'll use sftpusers. /home is the parent of every user's chroot, so it must be owned by root:
$ groupadd sftpusers
$ chown root:root /home
After all of this is done you can go ahead and set up a user in that group (replace USERNAME with the real login):
$ useradd -g sftpusers -s /bin/false -d /home/USERNAME USERNAME
$ passwd USERNAME
OK, now that the user is set up you have to set the correct permissions or the whole connection won't work right. sshd refuses to chroot unless every component of the ChrootDirectory path is owned by root and is not writable by group or others, so the home directory itself stays root-owned and the user gets a writable subdirectory inside it:
$ chown root:root /home/USERNAME
$ chmod 755 /home/USERNAME
$ mkdir /home/USERNAME/files
$ chown USERNAME:sftpusers /home/USERNAME/files
…and you’re done! Simple right?
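Since a chroot that breaks the ownership rule fails silently from the user's point of view (the login just drops), here is a pre-flight check for the setup above. It is an added example, not part of the original post: one function confirms that sshd_config carries the three directives in the Match block, the other walks the chroot path the way sshd does and reports any component that is not root-owned or is group/world-writable. It assumes GNU stat (-c), and the CHROOT_OWNER_UID variable is my own addition so the path check can be dry-run against a scratch tree you own instead of /home.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a chrooted
# SFTP user. sshd will refuse a ChrootDirectory unless every path component,
# from / down to the directory itself, is owned by root and is not writable by
# group or others. Requires GNU stat.

# Expected owner of each chroot path component is root (uid 0). The override
# exists only for dry runs against a scratch tree (assumption: our own variable).
: "${CHROOT_OWNER_UID:=0}"

# check_chroot_path DIR [TOP]
# Walks DIR upward to TOP (default /), printing one line per component that
# breaks a rule. Returns 0 when the whole path is acceptable, 1 otherwise.
check_chroot_path() {
    case $1 in /) p=/ ;; *) p=${1%/} ;; esac
    top=${2:-/}
    rc=0
    while :; do
        if [ ! -d "$p" ]; then
            echo "missing: $p"
            rc=1
        else
            uid=$(stat -c '%u' "$p")
            mode=$(stat -c '%a' "$p")
            # The last two octal digits are the group and other permission
            # bits; the write bit in each triple is 2. Leading 0 makes the
            # shell parse the mode as octal.
            group=$(( (0$mode / 8) % 8 ))
            other=$(( 0$mode % 8 ))
            [ "$uid" -eq "$CHROOT_OWNER_UID" ] || { echo "wrong owner (uid $uid): $p"; rc=1; }
            [ $(( group & 2 )) -eq 0 ] || { echo "group-writable ($mode): $p"; rc=1; }
            [ $(( other & 2 )) -eq 0 ] || { echo "world-writable ($mode): $p"; rc=1; }
        fi
        [ "$p" = "$top" ] && break
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# check_sftp_match CONFIG GROUP
# Confirms that CONFIG has a "Match Group GROUP" block containing the three
# directives the setup depends on: ChrootDirectory, ForceCommand internal-sftp
# and AllowTcpForwarding no. Prints each missing one; returns 0 if all present.
check_sftp_match() {
    cfg=$1
    group=$2
    # Keep only the directive lines between "Match Group GROUP" and the next
    # Match line (or end of file), lower-casing the keyword for comparison.
    block=$(awk -v g="$group" '
        tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == g); next }
        inblk && NF { print tolower($1), $2 }
    ' "$cfg")
    rc=0
    for want in "chrootdirectory" "forcecommand internal-sftp" "allowtcpforwarding no"; do
        case "$block" in
            *"$want"*) ;;
            *) echo "missing in Match Group $group: $want"; rc=1 ;;
        esac
    done
    return $rc
}

# Typical use on the box itself, after the steps above (run as root):
#   check_sftp_match /opt/openssh/etc/sshd_config sftpusers
#   check_chroot_path /home/USERNAME
```

Run both checks before the first client connects; if check_chroot_path lists anything, fix that component (chown root:root, strip the group/other write bit) and re-run until it is quiet. Remember that ChrootDirectory /home/%u expands per user, so check the real expanded path for each account you create.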
Next tutorial is how to set up a LAMP box... with optional ODBC connections to a Windows Sybase database (even though no one really connects to a Sybase database on a Windows server from Linux... *sigh*).
I just dugg your site! Front page baby!