Configuring sftp with chroot!

Ivan Azuara — Tue, 02 Sep 2008 15:42:47 GMT

Hi,

I'm using the next procedure to configure a sftp+chroot environment for some final users on my hpux box:

-----------------------------------------------
Title: HP-UX: How to configure a user for SFTP access only, in a chroot'ed environment.
Document ID: 4000115147
Last Modified Date: 3/2/06

PROBLEM
Some users on an HP-UX 11.x system with ssh (Secure Shell) should be
configured to have SFTP access, but these users should not be able to
log in through ssh. Instead, these users should be directed to the
limited environment, often called "chroot'ed" environment.

CONFIGURATION
Operating System - HP-UX
Version - 11.x
Subsystem - ssh
RESOLUTION
HOW TO RESTRICT A USER TO ONLY HAVE SFTP ACCESS (NO SSH):

Create the following shell script for the sftp user on the server,
which you want to deny ssh shell access:

# vi /opt/ssh/etc/sftponly
#<---------------------- begin script ---------------------->
#!/bin/sh
# The shell used here must be /bin/sh
# Shell arguments must be -c /opt/ssh/libexec/sftp-server
if [ "$1" != "-c" -o "$2" != "/opt/ssh/libexec/sftp-server" ]
then
echo "Error: sftpshell only runs the sftp-server program."
exit 1
fi

shift 2
/opt/ssh/libexec/sftp-server $*
#<---------------------- end script ---------------------->

CREATE THE NO-SSH SFTP USER:

1. Adlib from this example by modifying the /etc/passwd file for the
targeted non-ssh sftp user:

# vi /etc/passwd
sftpusr::101:20:no-ssh sftp only user:/home/sftpusr:\
/opt/ssh/etc/sftponly

2. Next, modify the ownership and permissions to this new shell account.

# chmod 555 /opt/ssh/etc/sftponly
# chown bin:bin /opt/ssh/etc/sftponly

CREATE THE NO-SSH SFTP USER USING A CHROOTED DIRECTORY:

If your user is to have a "chrooted" directory follow these steps:

1. Perform the steps above "CREATE THE NO-SFTP USER".

2. Create/convert the no-ssh sftp user to have a chrooted directory
by using this setup tool:

# /opt/ssh/ssh_chroot_setup.sh

Now the password entry would look something like this:

sftpuser::101:20:chrooted no-ssh sftp user:\
/newroot/./home/sftpuser:/opt/ssh/etc/sftponly

3. Complete these no-ssh chrooted configuration steps:

# mkdir /newroot/opt/ssh/etc
# chmod 555 /newroot/opt/ssh/etc
# chown bin:bin /newroot/opt/ssh/etc
# cp /opt/ssh/etc/sftponly /newroot/opt/ssh/etc
# chmod 555 /newroot/opt/ssh/etc/sftponly
# chown bin:bin /newroot/opt/ssh/etc/sftponly

Also be sure these permissions are correct:

# chmod 555 /newroot/*
# chown bin:bin /newroot/*
# ls -al /newroot
drwxr-xr-x 10 root sys 8192 Feb 24 09:22 .
drwxr-xr-x 32 root root 8192 Feb 24 11:55 ..
dr-xr-xr-x 2 root sys 96 Aug 19 2005 bin
dr-xr-xr-x 2 root sys 96 Aug 19 2005 dev
dr-xr-xr-x 2 root sys 96 Aug 19 2005 etc
dr-xr-xr-x 3 root sys 96 Aug 19 2005 home
dr-xr-xr-x 3 root sys 96 Aug 19 2005 opt
dr-xr-xr-x 2 root sys 96 Aug 19 2005 sbin
dr-xr-xr-x 4 root sys 96 Aug 19 2005 usr
dr-xr-xr-x 3 root sys 96 Aug 19 2005 var

4. Lastly, test for no shell to ssh and shell-ok for sftp for the
sftpusr from the client:

$ ssh sftpusr@localhost
Password:
Error: sftpshell only runs the sftp-server program.
Connection to localhost closed.

$ sftp sftpusr@localhost
Connecting to localhost...
Password:
sftp>
-----------------------------------------------

everything work's good after the configuration, but my test user continues leaving his home directory (the chroot doesn´t work). Some idea ???.

I have another questions:

a) What is the configuration file to establish the permissions for the sftp accounts with this configuration ? (like the ftpaccess).
b) Is possible to configure another file system like home directory for the users accounts ??.

My scenario is the next:

- hpux 11.11
- T1471AA A.05.00.024 HP-UX Secure Shell

Test account:

sftpusr:*:118:20:chrooted user:/newroot/./home/sftpusr:/opt/ssh/etc/sftponly

Thank´s in advance.

Re: Configuring sftp with chroot!

John C. Polhemus — Tue, 16 Sep 2008 15:34:50 GMT

Ivan
Here are my notes on how to set up a chroot'd sftponly account. I hope this helps.

A.05.00.025 HP-UX Secure Shell

====================================
To set up chrooted ssh only
=================
The goal here is to have a sftp dedicated account where outside access is
limtited to sftp connections. All successful sftp connections will be
confined to a root jail.

Create user:
uadd -u 151 -d /home/sftpxfr -s /bin/sh -c "chrooted user" sftpxfr

mkdir /home/sfpxfr
chown sftpxfr:ftp /home/sftpxfr
chmod 755 /home/sftpxfr

set password for this user and set up security settngs.

Set up ssh auto-authentication.
su - sftpxfr
mkdir .ssh
cd .ssh
vi authorized_keys
Add keys as necessary
cd ..
chmod 700 .ssh

Test with ssh sftpxfr@servername from another box.

Run setup script /opt/ssh/utils/ssh_chroot_setup.sh . Select option 1 and use
chroot directory /newroot

Create /newroot/tmp directory
mkdir /newroot/tmp ; chmod 1777 /newroot/tmp

cd /newroot/opt/ssh
cp -pr /opt/ssh/utils .

In /opt/ssh/etc/sshd_config add to the end :
Match User sftpxfr
ChrootDirectory /newroot

Restart secsh
/sbin/init.d/secsh stop ; sleep 2 ; /sbin/init.d/secsh start

Update /newroot/etc/passwd
Remove all lines except chroot account entry.
sftpxfr:*:151:203:chrooted user:/home/sftpxfr:/bin/sh

Update /etc/password and update shell to sftponly
sftpxfr:*:151:203:chrooted user:/home/sftpxfr:/opt/ssh/utils/sftponly

Allow sftpxfr permission to write to /newroot/home/sftpxfr
chown sftpxfr:ftp /newroot/home/sftpxfr

Confirm that:
-auto-authentication works for sftp
-ssh to sftpxfr fails
-that sftpxfr user can not see beyond the contents of /newroot.

Regards,
John

topic Configuring sftp with chroot! in Operating System - HP-UX

Configuring sftp with chroot!

Re: Configuring sftp with chroot!