For When You Can't Have The Real Thing
[ start | index | login ]
start > CentOS > 5 > rssh


Created by dave. Last edited by dave, 11 years and 278 days ago. Viewed 3,496 times. #4
[diff] [history] [edit] [rdf]
attachments (7152)

Jailing sftp/scp connections


Short notes: this uses the rssh functionality from rpmforge. To set up a jail for $USER:

# chsh -s /usr/bin/rssh $USER
# cd ~$USER
# ls -ld .
(make note of $GROUP)
# /usr/local/sbin/ `pwd` $USER 2755 $GROUP
(lots of noise)
# vi /etc/rssh.conf
- add line like:
  user = $USER:011:00011:$PATH-TO-JAIL
...and you are good to go.


# chsh -s /usr/bin/rssh daveftp
Changing shell for daveftp.
Shell changed.
# cd ~daveftp
# ls -ld .
drwxr-x--- 6 daveftp daveftp 4096 Jun 12 11:33 .
# /usr/local/sbin/ `pwd` daveftp 2775 daveftp
# vi /etc/rssh.conf
  user = daveftp:011:00011:/opt/ftproot/daveftp


  • Fucking around with syslog is left as an exercise for the reader.
  • I copied from >>
  • This isn't as secure as using the built-in chroot'ing in OpenSSH 5.x and higher, but it is a hell of a lot more convenient.
  • If you are making a lot of jails on the same file system, you could probably change the script to make one reference jail, then hard-link all the sharable files (which at first glance appear to be all of them except /etc/group and /etc/passwd) to save some space. On the other hand, the total footprint of a complete, stand-alone jail on CentOS 5.8 is less than 9MB.
  • WinSCP works with these jails.
no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful: | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt