HPE Community
Operating System - HP-UX
1753602 Members
6308 Online
108796 Solutions
New Discussion

SFTP limited access to unix directory.

 
SOLVED
Go to solution
NarendraUttekar
Advisor

‎08-03-2011 12:33 AM

‎08-03-2011 12:33 AM

SFTP limited access to unix directory.

Hi,

Is it possible to have limited access to SFTP access to only one directory in HP-UX 11i V1.

 

I will be exchanging the SSH-keys between our system and client system. Client system will SFTP to our system and push the files i.e. put the files /SID/Inbound/files directory. But he should not have access to other directories i.e. /opt , /home , /var , / and any other directories on our system. As i will be creating the unix id for SFTP for client system and that unix id will be member of USERS group and he will be able to access the other directories as read only but i don't want him to have access as read only also for other directories he should be able to access only one directory i.e. /SID/Inbound/files.

 

Please let me know how to setup this restricted access for SFTP.

 

Thanks,

Narendra

0 Kudos
Reply
5 REPLIES 5
Doug O'Leary
Honored Contributor

‎08-03-2011 08:26 AM

‎08-03-2011 08:26 AM

Re: SFTP limited access to unix directory.

Hey;

 

This is one of those things that seems like it should be fairly easy but tends to be very difficult.  Try google searching for 'sftp only' or something along those lines and you'll see the number of people that have asked similar questions.

 

The trick to doing it is to used forced commands.  First, you have to lock your tgt ssh key down to specific commands.  Edit the key and put 

 

command="/root/bin/sshroot" 

 

in front of the key.  Edit/create /root/bin/sshroot to include the following:

 

#begin script:

VC=/root/bin/VALID_COMMANDS


if [ "${SSH_ORIGINAL_COMMAND}x" != "x" ]

then   

   echo "${SSH_ORIGINAL_COMMAND}" | fgrep -f  ${VC} > /dev/null 2>&1   

   if [ $? -eq 0 ]   

   then     

        logger -p auth.info "ssh/pka executed ${SSH_ORIGINAL_COMMAND}"     

        eval "${SSH_ORIGINAL_COMMAND}"   

   else     

       logger -p auth.warning "invalid command for this key!"     

       echo "too bad, software pirate!"     

       exit 1   

   fi

else   

   logger -p auth.warning "non-interactive key attempted interactive login!"   

   echo "too bad, software pirate!"   

   exit 1

fi

# end script

 

I know, there are possibly better ways to write that scrpt, but it works... Updates left as an exercise for the reader.

 

Next, create /root/bin/VALID_COMMANDS to include

 

scp -t -- /SID/inbound/files

 

That *should* be it; however, you'll obviously want to test it out.  If it doesn't work, add a line before or after the logger command to echo the ${SSH_ORIGINAL_COMMAND} value to a file as logger will truncate the line to syslog if it's too long.

 

Hope that helps; it should at least get you started.

 

Doug O'Leary


------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
Reply
Arunabha Banerjee
Valued Contributor

‎08-03-2011 11:07 AM - edited ‎08-03-2011 11:36 AM

‎08-03-2011 11:07 AM - edited ‎08-03-2011 11:36 AM

Re: SFTP limited access to unix directory.

You need to implement chroot for this. To begin, ensure you have OpenSSH 4.9p1 or newer installed. Then edit /opt/ssh/etc/sshd_config file and set the following options:

 

# override default of no subsystems
#Subsystem      sftp    /opt/ssh/libexec/sftp-server
Subsystem       sftp    internal-sftp

 

Match User joe
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no

 

Ensure the “Match” directive is at the end of the file. This tells OpenSSH that all users in the sftp group are to be chrooted to their home directory (which %h represents in the ChrootDirectory command), forces the use of the internal-sftp helper, and disables TCP port forwarding.

 

Restart SSH service:

 

# /sbin/init.d/secsh stop
# /sbin/init.d/secsh start

 

Now follow the below steps:

 

# useradd -g users -s /bin/false -d /SID/Inbound -c "SFTP User Only" -m joe

# passwd joe
# chown root:root /SID/Inbound

# chmod 0755 /SID/Inbound

# chown -R joe:users /SID/Inbound/files

# chmod -R 750 /SID/Inbound/files

 

With the above, user joe can sftp and will be restricted to the /SID/Inbound directory  and he can upload and download file from files directory only. Joe will not able to view any other directory like / , /home, /opt, /tmp etc.

Also Joe will not able to ssh onlly sftp will work.

 

 

AB
Reply
NarendraUttekar
Advisor

‎08-04-2011 12:25 AM

‎08-04-2011 12:25 AM

Re: SFTP limited access to unix directory.

Thanks Arunabha...

I have implemented chroot as you recommended above and also tested on test server and it works perfectly.

 

But I have one question as we have old version of SSH i.e. A.04.30.006 and if I upgrade to latest one i.e. A.05.80.001 will there be any problem with existing SSH-Keys which client has already imported on there system and we are connecting to there system through SFTP without password. After we upgrade to latest version of SSH do we will have to regenerate the SSH-Keys and send once again to client or old SSH keys will continue to work as earlier.

 

Thanks,

Narendra

0 Kudos
Reply
Arunabha Banerjee
Valued Contributor

‎08-04-2011 11:17 AM - edited ‎08-04-2011 11:18 AM

‎08-04-2011 11:17 AM - edited ‎08-04-2011 11:18 AM

Solution

Re: SFTP limited access to unix directory.

Don't need to generate new SSH-keys. Your existing SSH-keys will work in new OpenSSH version.

AB
Reply
Steven E. Protter
Exalted Contributor

‎08-04-2011 11:49 AM

‎08-04-2011 11:49 AM

Re: SFTP limited access to unix directory.

Shalom,

 

Generating new ssh keys will resolve nothing.

 

If chroot is not working post the error message, it may be a setup error.

 

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.