Ok I just tried this on my opensolaris laptop (build 130) and it works fine, give this a go:

Step 1: Setup user

r...@milwaukee:~# groupadd sftponly
r...@milwaukee:~#
r...@milwaukee:~# useradd -g sftponly -m -d /export/home/user1 -s /usr/bin/false user1
80 blocks
r...@milwaukee:~#
r...@milwaukee:~# passwd user1
New Password:
Re-enter new Password:
passwd: password successfully changed for user1

Step 2: Add following to end of /etc/ssh/sshd_config

# SFTP jail setup
Match Group sftponly
ChrootDirectory %h
AllowTcpForwarding no

r...@milwaukee:~# svcadm restart ssh

Step 3: Change directory permissions to satisfy openssh/sftp.

r...@milwaukee:~# ls -ld /export/home/user1/
drwxr-xr-x 2 user1 sftponly 7 2010-03-10 23:16 /export/home/user1/
r...@milwaukee:~#
r...@milwaukee:~# chown root /export/home/user1/
r...@milwaukee:~#
r...@milwaukee:~# chmod 750 /export/home/user1/

Step 4: Test it out...

r...@milwaukee:~# sftp us...@127.0.0.1
Connecting to 127.0.0.1...
Password:
sftp>
sftp> pwd
Remote working directory: /
sftp>
sftp> ls
local.cshrc local.login local.profile
sftp>
sftp>
sftp> cd /
sftp> ls
local.cshrc local.login local.profile
sftp>
sftp> cd ..
sftp> ls
local.cshrc local.login local.profile
sftp> cd ../..
sftp> ls
local.cshrc local.login local.profile
sftp>

So it's working correctly - the user is jailed to their home directory. However you will find you can't write to the home directory:

sftp>
sftp> mkdir mydir
Couldn't create directory: Permission denied
sftp>
sftp> ls
local.cshrc local.login local.profile
sftp>
sftp> exit

So, Step 5: Create a subdirectory inside home folder that user can write to.

r...@milwaukee:~# mkdir /export/home/user1/drop_box
r...@milwaukee:~#
r...@milwaukee:~# chown user1:sftponly /export/home/user1/drop_box
r...@milwaukee:~#
r...@milwaukee:~# sftp us...@127.0.0.1
Connecting to 127.0.0.1...
Password:
sftp> ls
drop_box local.cshrc local.login local.profile
sftp>
sftp> cd drop_box
sftp> ls
sftp>
sftp> mkdir mydir
sftp> ls
mydir
sftp> cd mydir
sftp> ls
sftp>
sftp> put release_vnics.sh
Uploading release_vnics.sh to /drop_box/mydir/release_vnics.sh
release_vnics.sh 100% 100 0.1KB/s 00:00
sftp>
sftp> quit

PS Notice that interactive ssh sessions are disabled via the use of the false shell when adding the account. The forcecommand is not mentioned in the opensolaris man page and from the errors does not seem to be supported. Because the user has no shell and only sftp access I believe the same outcome is achieved anyhow.

--
This message posted from opensolaris.org
_______________________________________________
opensolaris-help mailing list
opensolaris-help@opensolaris.org
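
Step 3 in the message above is needed because sshd only accepts a ChrootDirectory when every component of its path is a root-owned directory that is not writable by group or other. The audit below is an added example, not part of the original post; the function names and the WANT_UID and STOP arguments (hooks for trying it on a scratch tree without root) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a ChrootDirectory path.
# sshd refuses the chroot unless every component of the path is a directory
# owned by root and not writable by group or other.

# check_component DIR WANT_UID: report problems with one directory.
check_component() {
    c_dir=$1; c_uid=$2; c_rc=0
    # "ls -ldn" is portable and prints the mode string and the numeric owner.
    c_info=$(ls -ldn -- "$c_dir") || return 2
    c_mode=$(printf '%s\n' "$c_info" | awk '{print $1}')
    c_owner=$(printf '%s\n' "$c_info" | awk '{print $3}')
    case $c_mode in
        d*) ;;
        *) echo "FAIL $c_dir: not a directory ($c_mode)"; c_rc=1 ;;
    esac
    if [ "$c_owner" != "$c_uid" ]; then
        echo "FAIL $c_dir: owner uid $c_owner, expected $c_uid"; c_rc=1
    fi
    # Character 6 of the mode string is group write, character 9 is other write.
    case $c_mode in
        ?????w*|????????w*)
            echo "FAIL $c_dir: group/other writable ($c_mode)"; c_rc=1 ;;
    esac
    return $c_rc
}

# audit_chroot DIR [WANT_UID] [STOP]: walk from DIR up to STOP (default /).
# WANT_UID and STOP are hooks added here so the check can be exercised on a
# scratch tree without root; a real audit uses the defaults (uid 0, up to /).
audit_chroot() {
    a_dir=$(cd "$1" && pwd -P) || return 2
    a_uid=${2:-0}
    a_stop=$(cd "${3:-/}" && pwd -P) || return 2
    a_rc=0
    while :; do
        check_component "$a_dir" "$a_uid" || a_rc=1
        if [ "$a_dir" = "$a_stop" ] || [ "$a_dir" = / ]; then break; fi
        a_dir=$(dirname "$a_dir")
    done
    [ "$a_rc" -eq 0 ] && echo "OK $1: usable as ChrootDirectory"
    return $a_rc
}

# Usage (as root): sh audit_chroot.sh /export/home/user1
if [ $# -gt 0 ]; then audit_chroot "$@"; fi
```

Run against the home directory as it stood before the chown in Step 3, it reports the owner mismatch; the writable drop_box from Step 5 is below the chroot and is not part of the checked path.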