[SoCoSA/discuss] sftp chroot

Kevan Benson kbenson at a-1networks.com
Fri Feb 22 09:37:23 PST 2008


Sean wrote:
> I need to chroot ssh, which I've been able to do, but as a consequence
> when I try to sftp into my server my ftp clients state that sftp isn't
> installed/enabled on the server (Unable to initialize SFTP:  (sftp not
> enabled?) ). As far as I can tell I've copied over all the right
> binaries, libs, etc, but can't confirm it as, oddly, I can't find good
> documentation on the subject.
> 
> Does anyone know what I need to make ftp available to the user's
> chrooted environment? I need the proftp chroot to be the user's home
> directory. To complicate things, there's a 3rd party app in the middle
> of this.
> 
> I may need some hands-on help with this. Is anyone willing to swap
> computer parts/favors/work/etc to help me out with this? I'm in Santa
> Rosa for those that don't know.

The way I do it is to run ldd on the existing binaries in the chroot 
(sftp-server, etc.), and copy over the equivalent libraries they rely on. 
Also, don't forget to copy in cp, ls, mv, etc. (and run ldd on them 
as well), as ftp sources these to do listings, renames, etc.  Then, 
chroot to the chroot you set up, and run ldconfig.  Make sure to copy in 
/dev/null and /dev/zero...

Here's a file listing of one of my ssh chroots on a CentOS 4 box.  It 
might be a little bloated:
./sbin/ldconfig
./lib/libacl.so.1.1.0
./lib/libtermcap.so.2.0.8
./lib/ld-2.3.4.so
./lib/libdl-2.3.4.so
./lib/tls/libpthread-2.3.4.so
./lib/tls/libm-2.3.4.so
./lib/tls/librt-2.3.4.so
./lib/tls/libc-2.3.4.so
./lib/libselinux.so.1
./lib/libattr.so.1.1.0
./usr/lib/libncurses++.a
./usr/lib/libkrb5.a
./usr/lib/libkrb5.so.3.2
./usr/lib/libk5crypto.so.3.0
./usr/lib/libbeecrypt.a
./usr/lib/libz.a
./usr/lib/libbeecrypt.so.6.2.0
./usr/lib/libbz2.a
./usr/lib/libncursesw.so.5.4
./usr/lib/libbeecrypt.la
./usr/lib/libgssapi_krb5.a
./usr/lib/libncurses_g.a
./usr/lib/libk5crypto.a
./usr/lib/libelf-0.97.1.so
./usr/lib/libelf.a
./usr/lib/libpopt.so.0.0.0
./usr/lib/libncursesw.a
./usr/lib/libpopt.a
./usr/lib/libncursesw_g.a
./usr/lib/libdl.a
./usr/lib/libgssapi_krb5.so.2.2
./usr/lib/libncurses++w.a
./usr/lib/libncurses.a
./usr/lib/libpopt.la
./usr/lib/libcom_err.a
./usr/lib/libbz2.so.1.0.2
./usr/lib/libncurses.so.5.4
./usr/lib/libz.so.1.2.1.2
./usr/libexec/openssh/sftp-server
./usr/libexec/openssh/ssh-keysign
./etc/ld.so.cache
./etc/ld.so.conf
./bin/ls
./bin/cp
./bin/mv
./bin/bash
./bin/rmdir
./bin/mkdir
./bin/rm


-- 

-Kevan Benson
-A-1 Networks
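
The ldd-and-copy procedure described in the reply above, as an added example that is not part of the original post. The function names and the chroot path in the usage comment are assumptions; the binary paths are taken from the file listing.

```sh
#!/bin/sh
# Added example: copy binaries into a chroot together with the shared
# libraries that ldd reports for them.
# Usage (chroot path is hypothetical):
#   sh populate-chroot.sh /home/chroot /usr/libexec/openssh/sftp-server \
#       /bin/ls /bin/cp /bin/mv

# Read ldd output on stdin, print one absolute library path per line.
# Line forms handled:
#   libc.so.6 => /lib/tls/libc.so.6 (0x...)   -> path after "=>"
#   /lib/ld-linux.so.2 (0x...)                -> the loader itself
#   linux-gate.so.1 =>  (0x...)               -> kernel-provided, no file
#   libfoo.so.1 => not found                  -> reported on stderr
ldd_paths() {
    awk '
        /not found/              { print "missing: " $1 > "/dev/stderr"; next }
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    ' | LC_ALL=C sort -u
}

# Copy one file into the chroot at the same absolute path. -L follows
# symlinks so the real file lands under the name the loader looks up.
copy_into_chroot() {
    root=$1 src=$2
    mkdir -p "$root$(dirname "$src")" && cp -pL "$src" "$root$src"
}

# Copy each binary, then every library ldd resolves for it.
populate_chroot() {
    root=$1; shift
    for bin in "$@"; do
        copy_into_chroot "$root" "$bin" || return 1
        ldd "$bin" 2>/dev/null | ldd_paths | while read -r lib; do
            copy_into_chroot "$root" "$lib"
        done
    done
}

# Device nodes cannot be copied with plain cp; on Linux, as root:
#   mknod -m 666 "$root/dev/null" c 1 3
#   mknod -m 666 "$root/dev/zero" c 1 5

if [ "$#" -ge 2 ]; then
    populate_chroot "$@"
fi
```

Any "missing:" line on stderr names a library the binary needs that is not installed on the host, so it will not load inside the chroot either.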


