Ok I just tried this on my opensolaris laptop (build 130) and it works fine, give this a go:

Step 1: Setup user

    root@milwaukee:~# groupadd sftponly
    root@milwaukee:~#
    root@milwaukee:~# useradd -g sftponly -m -d /export/home/user1 -s /usr/bin/false user1
    80 blocks
    root@milwaukee:~#
    root@milwaukee:~# passwd user1
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for user1

Step 2: Add following to end of /etc/ssh/sshd_config

    # SFTP jail setup
    Match Group sftponly
        ChrootDirectory %h
        AllowTcpForwarding no

    root@milwaukee:~# svcadm restart ssh

Step 3: Change directory permissions to satisfy openssh/sftp.

    root@milwaukee:~# ls -ld /export/home/user1/
    drwxr-xr-x 2 user1 sftponly 7 2010-03-10 23:16 /export/home/user1/
    root@milwaukee:~#
    root@milwaukee:~# chown root /export/home/user1/
    root@milwaukee:~#
    root@milwaukee:~# chmod 750 /export/home/user1/

Step 4: Test it out...

    root@milwaukee:~# sftp user1@127.0.0.1
    Connecting to 127.0.0.1...
    Password:
    sftp>
    sftp> pwd
    Remote working directory: /
    sftp>
    sftp> ls
    local.cshrc local.login local.profile
    sftp>
    sftp>
    sftp> cd /
    sftp> ls
    local.cshrc local.login local.profile
    sftp>
    sftp> cd ..
    sftp> ls
    local.cshrc local.login local.profile
    sftp> cd ../..
    sftp> ls
    local.cshrc local.login local.profile
    sftp>

So it's working correctly - the user is jailed to their home directory. However you will find you can't write to the home directory:

    sftp>
    sftp> mkdir mydir
    Couldn't create directory: Permission denied
    sftp>
    sftp> ls
    local.cshrc local.login local.profile
    sftp>
    sftp> exit

So, Step 5: Create a subdirectory inside home folder that user can write to.

    root@milwaukee:~# mkdir /export/home/user1/drop_box
    root@milwaukee:~#
    root@milwaukee:~# chown user1:sftponly /export/home/user1/drop_box
    root@milwaukee:~#
    root@milwaukee:~# sftp user1@127.0.0.1
    Connecting to 127.0.0.1...
    Password:
    sftp> ls
    drop_box local.cshrc local.login local.profile
    sftp>
    sftp> cd drop_box
    sftp> ls
    sftp>
    sftp> mkdir mydir
    sftp> ls
    mydir
    sftp> cd mydir
    sftp> ls
    sftp>
    sftp> put release_vnics.sh
    Uploading release_vnics.sh to /drop_box/mydir/release_vnics.sh
    release_vnics.sh 100% 100 0.1KB/s 00:00
    sftp>
    sftp> quit

PS Notice that interactive ssh sessions are disabled via the use of the false shell when adding the account. The forcecommand is not mentioned in the opensolaris man page and from the errors does not seem to be supported. Because the user has no shell and only sftp access I believe the same outcome is achieved anyhow.

--
This message posted from opensolaris.org