Operating System - HP-UX
Re: SFTP-jailing specific users

Yog
Advisor

SFTP-jailing specific users

Hi,
I am using sftp on one of my development box and
I need your help in fixing following problem.
I have a group of users "datausers". All members of this group will be using sftp and should be jailed in the directory /var/opt/data.
I do not wish "datausers" or me to create any profile or other system files in that directory, since my application will be picking up files kept by them in this directory. Users should be able to upload as well as download files from this directory.
All other users should have normal access to the system. Anonymous users should not be allowed.
OS Version HP-UX 11.11
Please help!!!
Matti_Kurkela
Honored Contributor

Re: SFTP-jailing specific users

You should then use an SSH version that is recent enough to support chroot jails. You must also have the UseLogin option in the sshd_config file set to NO (which is the default value), otherwise the chroot functionality will not work.

To jail a user, you must set up the user's home directory path so that it contains a single dot.

Examples:
To make the user "datausr1" see /var/opt/data as the root directory (which will also be his home directory):
usermod -d /var/opt/data/./ datausr1

To make the user "datausr2" see /var/opt/data as the /data directory and make it his home directory:
usermod -d /var/opt/./data datausr2

Unfortunately, this cannot be done on a per-group basis: you must modify each datauser account like this.

If you need the users to be able to use sftp only, you don't need much more than this. Attempts to log in to those user accounts using ssh will fail with a "no shell" error message, as there will be no shell binary inside the chroot environment. To prevent the user from connecting using any other methods, you should change the user's shell into something that does not allow access.

If you can reject the login attempts to datauser accounts without any informative messages to the user, you could set the datausers' shell to /bin/false.

You may need to add /bin/false to /etc/shells to allow them to connect using sftp (it may be that sftp login requires that the user has a shell that is listed in /etc/shells). As /bin/false will return immediately without accepting any input, the datauser will be immediately disconnected if he manages to log in using any method other than ssh or sftp.
MK
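The procedure above (a "/./" component in the home directory, /bin/false as the shell, UseLogin not enabled, /bin/false listed in /etc/shells) as a dry-run helper. This is an added example, not code from the thread or from HP: it prints the usermod commands and checks the preconditions against constructed config files, and modifies nothing. The function names, the sample sshd_config and shells contents, and the two account names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from HP): turn the "/./" home-directory
# convention into usermod commands and check the sshd_config precondition.
# Assumed/constructed: function names, sample config files, account names.

# Split a home path of the form /outer/./inner into the chroot root and the
# path the user sees inside the jail. Prints "<root> <inner>"; returns 1 if
# the path has no "/./" component (i.e. the user would not be jailed).
chroot_parts() {
  home=$1
  case "$home" in
    */./*) ;;
    *) return 1 ;;
  esac
  root=${home%%/./*}            # everything before the first "/./"
  inner=${home#*/./}            # everything after it
  inner=${inner%/}              # drop a trailing slash ("data/" -> "data")
  printf '%s /%s\n' "$root" "$inner"
}

# Print the usermod command that jails USER at ROOT, lands it in INNER inside
# the jail, and sets /bin/false as the shell so only sftp is usable.
jail_user_cmd() {
  user=$1 root=$2 inner=$3
  inner=${inner#/}              # "/data" -> "data", "/" -> ""
  printf 'usermod -d %s/./%s -s /bin/false %s\n' "$root" "$inner" "$user"
}

# Return 0 if sshd_config does not enable UseLogin (absent or "no" is fine,
# as "no" is the default); return 1 if an active "UseLogin yes" line exists.
uselogin_ok() {
  config=$1
  if grep -i '^[[:space:]]*UseLogin[[:space:]]*yes' "$config" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Return 0 if SHELL appears as a whole line in the shells file, 1 otherwise.
shell_listed() {
  shell=$1 shells_file=$2
  grep -x "$shell" "$shells_file" >/dev/null 2>&1
}

# Dry run with the two accounts from the thread against constructed files.
tmp=${TMPDIR:-/tmp}/jail-demo.$$
mkdir -p "$tmp"
printf 'Port 45\n#UseLogin yes\nSubsystem sftp /opt/ssh/libexec/sftp-server\n' > "$tmp/sshd_config"
printf '/sbin/sh\n/usr/bin/sh\n/usr/bin/ksh\n' > "$tmp/shells"

uselogin_ok "$tmp/sshd_config" && echo "sshd_config: UseLogin not enabled, chroot can work"
shell_listed /bin/false "$tmp/shells" || echo "/bin/false not in shells file; add it if sftp logins are refused"
jail_user_cmd datausr1 /var/opt/data /     # datausr1 sees /var/opt/data as /
jail_user_cmd datausr2 /var/opt /data      # datausr2 sees /var/opt/data as /data
chroot_parts /var/opt/./data               # -> "/var/opt /data"
rm -rf "$tmp"
```

Run it as-is to see the commands it would issue; only paste the printed usermod lines into a root shell once the UseLogin and /etc/shells checks pass.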
Court Campbell
Honored Contributor

Re: SFTP-jailing specific users

take a look at this doc:

http://docs.hp.com/en/T1471-90011/ch01s12.html

there is a section on chroot'ed users and sftp
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Yog
Advisor

Re: SFTP-jailing specific users

I tried the solution you mentioned but no luck.
I am running another instance of sshd on port 45 with a new sshd_config.
I am getting the following message when I tried connecting using coreftp:
Can't establish connection --> serverip:45 @ Thu Mar 08 20:42:57 2007 (122-1)
Yog
Advisor

Re: SFTP-jailing specific users

Sorry for the confusion. My earlier reply was for Mark's solution.
Court, the solution you mentioned does copy a lot of files into the jail. My requirement is not to have anything in the jail or directories accessible to the user, but only the files that the user uploads.
Steven E. Protter
Exalted Contributor

Re: SFTP-jailing specific users

Shalom,

The only thing that should be visible to a jailed user is the files that user recently uploaded. You can write a cron script to move those files elsewhere after the upload has been completed.

Secure shell does not permit anonymous users.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
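A sweep of the kind suggested above, written as an added example that is not from the thread or from Steven: it runs from cron, moves files out of the jail into a pickup directory for the application, and leaves a file in place while it is still being uploaded. "Upload completed" is approximated as "same size as at the previous sweep", tracked in a state file kept outside the jail; the directories, state file and function name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): cron sweep that moves finished uploads
# out of the jail. Assumed: a pickup directory and a state file outside the
# jail; a file counts as finished once its size is unchanged between sweeps.

# sweep_uploads SRC DST STATE: move regular files in SRC whose size matches
# the size recorded at the previous sweep into DST; record the rest in STATE.
# Prints the number of files moved.
sweep_uploads() {
  src=$1 dst=$2 state=$3
  [ -f "$state" ] || : > "$state"
  newstate=$state.new
  : > "$newstate"
  moved=0
  for f in "$src"/*; do
    [ -f "$f" ] || continue            # skip subdirectories and a missing glob
    name=${f##*/}
    size=$(wc -c < "$f" | tr -d ' ')
    prev=$(awk -F '\t' -v n="$name" '$1 == n { print $2 }' "$state")
    if [ "$prev" = "$size" ]; then
      mv "$f" "$dst/$name" && moved=$((moved + 1))
    else
      printf '%s\t%s\n' "$name" "$size" >> "$newstate"   # still growing or new
    fi
  done
  mv "$newstate" "$state"
  echo "$moved"
}

# Demo with a constructed jail: one finished file, one that grows between sweeps.
demo=${TMPDIR:-/tmp}/sweep-demo.$$
mkdir -p "$demo/jail" "$demo/pickup"
printf 'complete upload\n' > "$demo/jail/report.csv"
printf 'partial' > "$demo/jail/big.bin"
sweep_uploads "$demo/jail" "$demo/pickup" "$demo/state"   # first sight of both: 0 moved
printf ' more data' >> "$demo/jail/big.bin"               # big.bin is still being written
sweep_uploads "$demo/jail" "$demo/pickup" "$demo/state"   # report.csv moved: 1
ls "$demo/pickup"
rm -rf "$demo"
```

A crontab entry such as `*/5 * * * * /usr/local/bin/sweep_uploads.sh` (path assumed) calling this function with the jail root, the pickup directory and a state file under /var/tmp gives the application a directory that only ever contains complete files, and keeps the jail itself empty of anything but in-progress uploads.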
Court Campbell
Honored Contributor

Re: SFTP-jailing specific users

Yog,

The thing is that I usually use vsftpd instead of sftp for ftp. I usually set vsftpd up to chroot users to their own home directory. I don't think this can be done easily with sftp.