openssh sftp chroot

# for RHEL 7
https://wiki.moonshot.ja.net/pages/viewpage.action?pageId=6422607
https://en.wikibooks.org/wiki/OpenSSH/Logging_and_Troubleshooting


#1. initial OS configuration: fetch the sources and build dependencies.
wget --directory-prefix=/root/ins http://10.245.254.171/linux/DFS/openssh/openssh-7.7p1.tar.gz
wget --directory-prefix=/root/ins http://10.245.254.171/linux/DFS/openssh/openssl-1.0.2o.tar.gz
wget --directory-prefix=/root/ins http://10.245.254.171/linux/DFS/openssh/openssl-fips-2.0.16.tar.gz


yum install -y gcc zlib-devel pam-devel perl

#2. install openssl & openssh
tar zxpf /root/ins/openssl-fips-2.0.16.tar.gz -C /root/ins
cd /root/ins/openssl-fips-2.0.16
./config
make && make install

tar zxpf /root/ins/openssl-1.0.2o.tar.gz -C /root/ins
cd /root/ins/openssl-1.0.2o
./config fips shared --prefix=/usr no-ssl3
make && make install

tar zxpf /root/ins/openssh-7.7p1.tar.gz -C /root/ins
cd /root/ins/openssh-7.7p1
./configure \
    --prefix=/usr \
    --sysconfdir=/etc/ssh \
    --disable-strip \
    --with-ssl-engine \
    --with-ipaddr-display

make && make install

chmod 0600 /etc/ssh/*key
/usr/bin/cp sshd_config /etc/ssh
# the sshd built from upstream source has no systemd notify support, so switch the unit from Type=notify to Type=forking
sed -i "s/notify/forking/g" /usr/lib/systemd/system/sshd.service
systemctl daemon-reload


#3. configuration for sftp.
sed -i '/'Subsystem'/s/^\|^#/#/' /etc/ssh/sshd_config

cat <<EOF>>/etc/ssh/sshd_config
Subsystem sftp internal-sftp
# DenyGroups is a global option: it must come before the Match block (sshd_config does not take trailing comments on an option line)
DenyGroups sftpxxx

Match group sftponly
  ChrootDirectory /sftproot/%u
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp -l INFO -f LOCAL5
  PasswordAuthentication no
  ClientAliveInterval 60
  AuthorizedKeysFile /sftproot/%u/.ssh/authorized_keys
EOF

systemctl restart sshd

#4. configure chroot sftp logging
#    (for rsyslog 8.24 and openssh-server 7.4p1, OS based on RHEL 7)
    
cat <<EOF>/etc/rsyslog.d/sftp.conf
\$AddUnixListenSocket /sftproot/sftpu1/dev/log
:msg, contains, "opendir"  stop
:msg, contains, "closedir"  stop
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" stop
EOF

systemctl restart rsyslog
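The log that step 4 produces can be mined for per-user upload activity. The following is an added example, not part of the original notes: a POSIX sh/awk function that reads an internal-sftp log written with `-l INFO`, ties each pid to the user named in its "session opened" line, and totals files and bytes written per user. The sample log lines are constructed for the example (host, users, addresses and byte counts are made up); the message formats follow what sftp-server logs at INFO level.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise uploads per user from
# the internal-sftp log produced by "ForceCommand internal-sftp -l INFO -f LOCAL5"
# and the rsyslog rule that writes programname internal-sftp to /var/log/sftp.log.

# Write a constructed sample of /var/log/sftp.log to the file named in $1.
# The message texts follow the sftp-server INFO-level formats; hosts, users,
# addresses and byte counts are made up for this example.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 12:00:01 sftphost internal-sftp[2101]: session opened for local user sftpu1 from [10.0.0.5]
Jan 10 12:00:03 sftphost internal-sftp[2101]: open "/data/report.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Jan 10 12:00:04 sftphost internal-sftp[2101]: close "/data/report.csv" bytes read 0 written 4096
Jan 10 12:00:09 sftphost internal-sftp[2101]: open "/data/old.csv" flags READ mode 0666
Jan 10 12:00:10 sftphost internal-sftp[2101]: close "/data/old.csv" bytes read 512 written 0
Jan 10 12:01:00 sftphost internal-sftp[2150]: session opened for local user sftpu2 from [10.0.0.6]
Jan 10 12:01:05 sftphost internal-sftp[2150]: open "/data/upload.bin" flags WRITE,CREATE,TRUNCATE mode 0644
Jan 10 12:01:09 sftphost internal-sftp[2150]: close "/data/upload.bin" bytes read 0 written 1048576
Jan 10 12:01:20 sftphost internal-sftp[2101]: open "/data/notes.txt" flags WRITE,CREATE,TRUNCATE mode 0644
Jan 10 12:01:21 sftphost internal-sftp[2101]: close "/data/notes.txt" bytes read 0 written 300
EOF
}

# $1: path to the log. Prints "user files_written bytes_written" per user, sorted.
# Only close records with written > 0 count as uploads; pure reads are ignored.
sftp_upload_report() {
    awk '
        # every line carries internal-sftp[PID]; remember the pid of this line
        match($0, /internal-sftp\[[0-9]+\]/) {
            pid = substr($0, RSTART + 14, RLENGTH - 15)
        }
        # the session-open line names the local user behind that pid
        /session opened for local user/ {
            for (i = 1; i <= NF; i++) if ($i == "user") user[pid] = $(i + 1)
        }
        # close "<path>" bytes read N written M  -> M > 0 means data was uploaded
        /: close / && /written/ {
            u = (pid in user) ? user[pid] : ("unknown-pid-" pid)
            if ($NF + 0 > 0) { files[u]++; bytes[u] += $NF }
        }
        END { for (u in files) printf "%s %d %d\n", u, files[u], bytes[u] }
    ' "$1" | sort
}

# Run the report over the constructed sample (replace with /var/log/sftp.log on a real host).
tmp=$(mktemp)
write_sample_log "$tmp"
sftp_upload_report "$tmp"
rm -f "$tmp"
```

Because rsyslog drops the opendir/closedir noise before writing the file, the remaining records are exactly the session, open, close, remove and rename events, so the same awk skeleton can be extended to flag deletions or renames per user.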


#5. create user.
groupadd -g 521 sftponly
echo "/bin/false" >> /etc/shells
useradd -M -g sftponly -s /bin/false sftpu1
echo "Foxconn123" | passwd sftpu1 --stdin > /dev/null 2>&1

#6. config sftp user directory permission
Because the chroot target must be a directory writable only by root, once ChrootDirectory /sftproot/%u is set the directory /sftproot/%u itself must be root-owned; create a separate %u/data directory for the user to read and write.

mkdir -p /sftproot/sftpu1/{data,dev}
chown sftpu1:sftponly /sftproot/sftpu1/data
chmod 700 /sftproot/sftpu1/data

#7. AuthorizedKeysFile config
If you plan to log in with keys, the authorized_keys file must be placed in the account's default directory /sftproot/%u/.ssh:
 - /sftproot/%u/.ssh must have mode 700
 - /sftproot/%u/.ssh/authorized_keys must have mode 600

mkdir -m 700 /sftproot/sftpu1/.ssh
cp ~/.ssh/authorized_keys /sftproot/sftpu1/.ssh/ 
chmod 0600 /sftproot/sftpu1/.ssh/authorized_keys
chown sftpu1:sftponly /sftproot/sftpu1/.ssh -R


Notes:
1. Match introduces a conditional block. The block ends at the next Match directive or at end of file. If all the conditions on the Match line are satisfied, the directives that follow override those in the global configuration. See man sshd_config for details.
2. FYI, a small update: rsyslogd-2307: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]
   The use of & stop instead of & ~ is discussed here:
   https://www.rsyslog.com/doc/v8-stable/compatibility/v7compatibility.html
   "The discard action (tilde character) has been replaced by the "stop" RainerScript directive. It is considered more intuitive and offers slightly better performance."
   This changed with rsyslog 7; most articles on the web are based on rsyslog 5, so be careful here.
3. A fairly complete write-up: https://www.the-art-of-web.com/system/sftp-logging-chroot/


/usr/bin/ld: warning: -z retpolineplt ignored.


https://unix.stackexchange.com/questions/137943/cross-compiling-openssh-for-android
https://www.tecmint.com/find-failed-ssh-login-attempts-in-linux/

Note 1: if OpenSSL is not installed under /usr, other software may fail to find the SSL libraries; in that case handle it as follows:
# echo "/usr/local/lib64" > /etc/ld.so.conf
# ldconfig
