openssh sftp chroot

Posted by 我的梦境 on 2019-12-04 17:44:47

# for RHEL 7
https://wiki.moonshot.ja.net/pages/viewpage.action?pageId=6422607
https://en.wikibooks.org/wiki/OpenSSH/Logging_and_Troubleshooting


#1. initial OS configuration: fetch the sources and build dependencies.
wget --directory-prefix=/root/ins http://10.245.254.171/linux/DFS/openssh/openssh-7.7p1.tar.gz
wget --directory-prefix=/root/ins http://10.245.254.171/linux/DFS/openssh/openssl-1.0.2o.tar.gz
wget --directory-prefix=/root/ins http://10.245.254.171/linux/DFS/openssh/openssl-fips-2.0.16.tar.gz


yum install -y gcc zlib-devel pam-devel perl

#2. install openssl & openssh
tar zxpf /root/ins/openssl-fips-2.0.16.tar.gz -C /root/ins
cd /root/ins/openssl-fips-2.0.16
./config
make && make install

tar zxpf /root/ins/openssl-1.0.2o.tar.gz -C /root/ins
cd /root/ins/openssl-1.0.2o
./config fips shared --prefix=/usr no-ssl3
make && make install

tar zxpf /root/ins/openssh-7.7p1.tar.gz -C /root/ins
cd /root/ins/openssh-7.7p1
./configure \
    --prefix=/usr \
    --sysconfdir=/etc/ssh \
    --disable-strip \
    --with-ssl-engine \
    --with-ipaddr-display

make && make install

chmod 0600 /etc/ssh/*key
/usr/bin/cp sshd_config /etc/ssh
# the self-built sshd does not send systemd readiness notifications, so the unit cannot stay Type=notify
sed -i "s/notify/forking/g" /usr/lib/systemd/system/sshd.service
systemctl daemon-reload


#3. configuration for sftp.
# comment out the distribution's Subsystem line so the one appended below is the only one
sed -i '/^Subsystem/s/^/#/' /etc/ssh/sshd_config

cat <<'EOF' >>/etc/ssh/sshd_config
# sshd_config has no trailing comments, so DenyGroups stays on its own line; it must be placed before the Match block.
Subsystem sftp internal-sftp
DenyGroups sftpxxx

Match Group sftponly
  ChrootDirectory /sftproot/%u
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp -l INFO -f LOCAL5
  PasswordAuthentication no
  ClientAliveInterval 60
  AuthorizedKeysFile /sftproot/%u/.ssh/authorized_keys
EOF

systemctl restart sshd

#4. configure chroot sftp logging
#   (for rsyslog 8.24 and openssh-server 7.4p1, OS based on RHEL 7)
    
# the listener socket lives inside the chroot, so /sftproot/sftpu1/dev (created in step 6) must exist before rsyslog starts
cat <<'EOF' >/etc/rsyslog.d/sftp.conf
$AddUnixListenSocket /sftproot/sftpu1/dev/log
# drop directory-listing noise; these two filters match on message text from any program, not only internal-sftp
:msg, contains, "opendir"  stop
:msg, contains, "closedir"  stop
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" stop
EOF

systemctl restart rsyslog


#5. create user.
groupadd -g 521 sftponly
echo "/bin/false" >> /etc/shells
useradd -M -g sftponly -s /bin/false sftpu1
echo "Foxconn123" | passwd sftpu1 --stdin > /dev/null 2>&1

#6. config sftp user directory permission
Because the chroot directory must be writable only by root, once ChrootDirectory is set to /sftproot/%u, /sftproot/%u must be owned by root; a separate %u/data directory is created for the user to read and write.

# run as root with the default umask: /sftproot and /sftproot/sftpu1 come out root-owned and 755, as sshd requires; only data belongs to the user
mkdir -p /sftproot/sftpu1/{data,dev}
chown sftpu1:sftponly /sftproot/sftpu1/data
chmod 700 /sftproot/sftpu1/data

#7. AuthorizedKeysFile config
If you plan to log in with keys, the authorized_keys file must be placed in the account directory configured above, /sftproot/%u/.ssh:
 - /sftproot/%u/.ssh with mode 700
 - /sftproot/%u/.ssh/authorized_keys with mode 600

mkdir -m 700 /sftproot/sftpu1/.ssh
# copies the current (root) user's authorized_keys as the sftp user's key file
cp ~/.ssh/authorized_keys /sftproot/sftpu1/.ssh/
chmod 0600 /sftproot/sftpu1/.ssh/authorized_keys
chown sftpu1:sftponly /sftproot/sftpu1/.ssh -R
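An added check script, not part of the original post, for the two permission rules steps 6 and 7 depend on: sshd refuses a ChrootDirectory unless every path component is root-owned and not group/world-writable, and StrictModes rejects a .ssh/authorized_keys that others can write. It assumes GNU coreutils stat (as on RHEL 7); the uid and top directory are parameters so the checks can be exercised on a scratch tree.

```shell
#!/bin/sh
# Added check script (not from the original post). Verifies that every path
# component of a chroot is owned by root and not group/world-writable, and
# that CHROOT/.ssh is 700 and CHROOT/.ssh/authorized_keys is 600. Assumes GNU
# coreutils stat; uid and top directory are parameters for use on scratch trees.

# check_chroot_path DIR [WANT_UID] [TOP]
# Walk from DIR up to TOP (default /) and report every offending component.
check_chroot_path() {
    p=$1; want_uid=${2:-0}; top=${3:-/}; rc=0
    while :; do
        uid=$(stat -c '%u' "$p") || return 1
        perm=$(stat -c '%A' "$p")            # e.g. drwxr-xr-x
        gw=$(printf '%s' "$perm" | cut -c6)  # group write bit
        ow=$(printf '%s' "$perm" | cut -c9)  # other write bit
        if [ "$uid" != "$want_uid" ]; then
            echo "BAD: $p owned by uid $uid, expected $want_uid"; rc=1
        fi
        if [ "$gw" = w ] || [ "$ow" = w ]; then
            echo "BAD: $p is group/world writable ($perm)"; rc=1
        fi
        if [ "$p" = "$top" ] || [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    return $rc
}

# check_ssh_dir CHROOT [WANT_UID]
# CHROOT/.ssh must be mode 700 and CHROOT/.ssh/authorized_keys mode 600,
# both owned by WANT_UID (the sftp user, as chown'ed in step 7).
check_ssh_dir() {
    d=$1/.ssh; want_uid=${2:-0}; rc=0
    for f in "$d" "$d/authorized_keys"; do
        uid=$(stat -c '%u' "$f") || return 1
        [ "$uid" = "$want_uid" ] || { echo "BAD: $f owned by uid $uid"; rc=1; }
    done
    [ "$(stat -c '%a' "$d")" = 700 ] || { echo "BAD: $d is not mode 700"; rc=1; }
    [ "$(stat -c '%a' "$d/authorized_keys")" = 600 ] \
        || { echo "BAD: $d/authorized_keys is not mode 600"; rc=1; }
    return $rc
}

# Usage: sh check_sftp_chroot.sh /sftproot/sftpu1
# The user name is the last path component, matching ChrootDirectory /sftproot/%u.
if [ "$#" -ge 1 ]; then
    check_chroot_path "$1" 0 / && echo "chroot path OK: $1"
    check_ssh_dir "$1" "$(id -u "$(basename "$1")")" && echo ".ssh OK: $1/.ssh"
fi
```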


Notes:
1. Match introduces a conditional block. The block ends at the next Match directive or at end of file. If all the conditions on the Match line are satisfied, the directives that follow override the ones in the global configuration. See man sshd_config for details.
2. FYI a small update: rsyslogd-2307: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]
   This discusses the use of & stop instead of & ~:
   https://www.rsyslog.com/doc/v8-stable/compatibility/v7compatibility.html
   The discard action (tilde character) has been replaced by the “stop” RainerScript directive. It is considered more intuitive and offers slightly better performance.
   This changed in rsyslog 7; most articles on the web are based on rsyslog 5, so keep it in mind here.
3. A fairly complete write-up: https://www.the-art-of-web.com/system/sftp-logging-chroot/


Linker warning seen during the build:
/usr/bin/ld: warning: -z retpolineplt ignored.


https://unix.stackexchange.com/questions/137943/cross-compiling-openssh-for-android
https://www.tecmint.com/find-failed-ssh-login-attempts-in-linux/

Note 1: if OpenSSL is not installed under /usr, other software may not find the ssl libraries; in that case handle it as follows:
# add the path in a drop-in file; writing it straight to /etc/ld.so.conf would overwrite the "include ld.so.conf.d/*.conf" line
echo "/usr/local/lib64" > /etc/ld.so.conf.d/openssl.conf
ldconfig
