SFTP limited access to unix directory.
08-03-2011 12:33 AM
Hi,
Is it possible to limit SFTP access to only one directory in HP-UX 11i V1?
I will be exchanging SSH keys between our system and the client's system. The client system will SFTP to our system and push the files, i.e. put the files in the /SID/Inbound/files directory. But it should not have access to other directories, i.e. /opt, /home, /var, / and any other directories on our system. I will be creating the unix id for SFTP for the client system, and that unix id will be a member of the USERS group, so it will be able to access the other directories as read only; but I don't want it to have even read-only access to other directories. It should be able to access only one directory, i.e. /SID/Inbound/files.
Please let me know how to setup this restricted access for SFTP.
Thanks,
Narendra
Tags: sftp
08-03-2011 08:26 AM
Re: SFTP limited access to unix directory.
Hey;
This is one of those things that seems like it should be fairly easy but tends to be very difficult. Try googling for 'sftp only' or something along those lines and you'll see the number of people that have asked similar questions.
The trick to doing it is to use forced commands. First, you have to lock your target ssh key down to specific commands. Edit the key and put
command="/root/bin/sshroot"
in front of the key. Edit/create /root/bin/sshroot to include the following:
#begin script:
#!/bin/sh
# Forced command for the client's key: run SSH_ORIGINAL_COMMAND only if it
# appears in the allow-list file, and log every decision to syslog.
VC=/root/bin/VALID_COMMANDS
if [ "${SSH_ORIGINAL_COMMAND}x" != "x" ]
then
    # does the requested command appear in the allow-list?
    echo "${SSH_ORIGINAL_COMMAND}" | fgrep -f "${VC}" > /dev/null 2>&1
    if [ $? -eq 0 ]
    then
        logger -p auth.info "ssh/pka executed ${SSH_ORIGINAL_COMMAND}"
        eval "${SSH_ORIGINAL_COMMAND}"
    else
        logger -p auth.warning "invalid command for this key!"
        echo "too bad, software pirate!"
        exit 1
    fi
else
    # no command at all means an interactive shell was requested; refuse it
    logger -p auth.warning "non-interactive key attempted interactive login!"
    echo "too bad, software pirate!"
    exit 1
fi
# end script
I know, there are possibly better ways to write that script, but it works... Updates left as an exercise for the reader.
Next, create /root/bin/VALID_COMMANDS to include
scp -t -- /SID/inbound/files
That *should* be it; however, you'll obviously want to test it out. If it doesn't work, add a line before or after the logger command to echo the ${SSH_ORIGINAL_COMMAND} value to a file, as logger will truncate the line sent to syslog if it's too long.
Hope that helps; it should at least get you started.
Doug O'Leary
------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
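As an added example (not Doug's script, and not part of the original post), the allow-list check from a forced-command wrapper is isolated below so it can be exercised without sshd. It writes a constructed VALID_COMMANDS file to a temporary path and contrasts two ways of consulting it: `grep -F -f`, which like `fgrep -f` succeeds when any allow-list line occurs anywhere inside the command, and `grep -F -x -f`, which requires the whole line to match, so a command with extra text appended is rejected. The file path and the function names are my own.

```shell
#!/bin/sh
# Added example, not the dispatcher from the post: the allow-list check of a
# forced-command wrapper, isolated so it can be tested without sshd.
# The path below is a constructed stand-in for /root/bin/VALID_COMMANDS.
VC=${TMPDIR:-/tmp}/VALID_COMMANDS.$$
printf '%s\n' 'scp -t -- /SID/inbound/files' > "$VC"

# Substring check, as `fgrep -f` in the post does: succeeds if any allow-list
# line occurs anywhere within the command, so trailing additions still pass.
command_allowed_loose() {
    printf '%s\n' "$1" | grep -F -f "$VC" >/dev/null 2>&1
}

# Whole-line check: -x means the command must equal an allow-list line
# exactly, which is what a forced-command allow-list normally wants.
command_allowed() {
    printf '%s\n' "$1" | grep -F -x -f "$VC" >/dev/null 2>&1
}

# What the forced command decides for one request: refuse an interactive
# login (empty SSH_ORIGINAL_COMMAND), refuse anything not on the list,
# otherwise report the command as runnable. The real wrapper evals it here.
dispatch() {
    cmd=$1
    if [ -z "$cmd" ]; then
        echo "refused: this key is not allowed an interactive login" >&2
        return 1
    fi
    if command_allowed "$cmd"; then
        echo "allowed: $cmd"
        return 0
    fi
    echo "refused: '$cmd' is not listed in $VC" >&2
    return 1
}

cleanup() { rm -f "$VC"; }

# Stand-alone use: pass the candidate command as the first argument, e.g.
#   sh allowlist.sh 'scp -t -- /SID/inbound/files'
if [ $# -gt 0 ]; then
    dispatch "$1"
    cleanup
fi
```

Swapping `fgrep -f` for `grep -F -x -f` in the wrapper is a one-flag change; the loose variant is kept only to make the difference visible when you run both against the same input.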
08-03-2011 11:07 AM - edited 08-03-2011 11:36 AM
Re: SFTP limited access to unix directory.
You need to implement chroot for this. To begin, ensure you have OpenSSH 4.9p1 or newer installed. Then edit /opt/ssh/etc/sshd_config file and set the following options:
# override default of no subsystems
#Subsystem sftp /opt/ssh/libexec/sftp-server
Subsystem sftp internal-sftp
Match User joe
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
Ensure the “Match” directive is at the end of the file. This tells OpenSSH that all users in the sftp group are to be chrooted to their home directory (which %h represents in the ChrootDirectory command), forces the use of the internal-sftp helper, and disables TCP port forwarding.
Restart SSH service:
# /sbin/init.d/secsh stop
# /sbin/init.d/secsh start
Now follow the steps below:
# useradd -g users -s /bin/false -d /SID/Inbound -c "SFTP User Only" -m joe
# passwd joe
# chown root:root /SID/Inbound
# chmod 0755 /SID/Inbound
# chown -R joe:users /SID/Inbound/files
# chmod -R 750 /SID/Inbound/files
With the above, user joe can sftp and will be restricted to the /SID/Inbound directory, and he can upload and download files from the files directory only. Joe will not be able to view any other directory like /, /home, /opt, /tmp etc.
Also, Joe will not be able to ssh; only sftp will work.
08-04-2011 12:25 AM
Re: SFTP limited access to unix directory.
Thanks Arunabha...
I have implemented chroot as you recommended above and also tested it on a test server, and it works perfectly.
But I have one question: we have an old version of SSH, i.e. A.04.30.006, and if I upgrade to the latest one, i.e. A.05.80.001, will there be any problem with the existing SSH keys which the client has already imported on their system, through which we connect to their system via SFTP without a password? After we upgrade to the latest version of SSH, will we have to regenerate the SSH keys and send them to the client once again, or will the old SSH keys continue to work as before?
Thanks,
Narendra
08-04-2011 11:49 AM
Re: SFTP limited access to unix directory.
Shalom,
Generating new ssh keys will resolve nothing.
If chroot is not working post the error message, it may be a setup error.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com