topic Re: sftp sessions and /usr/bin/false in Operating System - HP-UX

sftp sessions and /usr/bin/false

Allan Campbell — Tue, 03 Apr 2007 08:38:32 GMT

I just read a previous message that stated that ftp looks at /etc/shells to see if a valid shell is used for a user. What about sftp? On my system I restrict the user with /usr/bin/false. The /etc/shells has this line in it (permissions are 555). sftp does not work for this user unless I change the shell to /usr/bin/ksh (or sh or csh). Is it possible I have an outdated /usr/bin/false? Mine is size of 12288 dated November of 2000.

Re: sftp sessions and /usr/bin/false

Sundar_7 — Tue, 03 Apr 2007 09:35:41 GMT

Allan,

I dont think there is such thing as "old" /usr/bin/false. It is just a place holder for the login program (which is typically a shell), so that the user will only have FTP access and not be able to open a terminal session using telnet or other mechanism.

Sundar.

Re: sftp sessions and /usr/bin/false

Heironimus — Tue, 03 Apr 2007 10:34:50 GMT

In spite of the similarity in naming, sftp is totally different from ftp. It needs a shell that can exec sftp-server. That means either a real shell or a special shell specifically for scp/sftp, such as rssh or scponly.

Re: sftp sessions and /usr/bin/false

Rasheed Tamton — Sat, 07 Apr 2007 07:57:29 GMT

Did you try the rssh (restricted ssh)

rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp.

http://www.pizzashack.org/rssh/

Re: sftp sessions and /usr/bin/false

Allan Campbell — Sat, 07 Apr 2007 15:57:53 GMT

I have tried rssh. It doesn't work for me. I get the same results. Then I tried HPs secure shell with no success. At this point I have given up and am using ksh for the user's shell and restricting their ability to not be able to log in directly to my server.

Re: sftp sessions and /usr/bin/false

MikeL_4 — Thu, 12 Apr 2007 08:36:23 GMT

Here is what we used to implement with sftp

Title: HP-UX: How to configure a user for SFTP access only, in a chroot'ed environment.
Document ID: 4000115147
Last Modified Date: 3/2/06

PROBLEM
Some users on an HP-UX 11.x system with ssh (Secure Shell) should be
configured to have SFTP access, but these users should not be able to
log in through ssh. Instead, these users should be directed to the
limited environment, often called "chroot'ed" environment.

CONFIGURATION
Operating System - HP-UX
Version - 11.x
Subsystem - ssh
RESOLUTION
HOW TO RESTRICT A USER TO ONLY HAVE SFTP ACCESS (NO SSH):

Create the following shell script for the sftp user on the server,
which you want to deny ssh shell access:

# vi /opt/ssh/etc/sftponly
#<---------------------- begin script ---------------------->
#!/bin/sh
# The shell used here must be /bin/sh
# Shell arguments must be -c /opt/ssh/libexec/sftp-server
if [ "$1" != "-c" -o "$2" != "/opt/ssh/libexec/sftp-server" ]
then
echo "Error: sftpshell only runs the sftp-server program."
exit 1
fi

shift 2
/opt/ssh/libexec/sftp-server $*
#<---------------------- end script ---------------------->

CREATE THE NO-SSH SFTP USER:

1. Adlib from this example by modifying the /etc/passwd file for the
targeted non-ssh sftp user:

# vi /etc/passwd
sftpusr::101:20:no-ssh sftp only user:/home/sftpusr:\
/opt/ssh/etc/sftponly

2. Next, modify the ownership and permissions to this new shell account.

# chmod 555 /opt/ssh/etc/sftponly
# chown bin:bin /opt/ssh/etc/sftponly

CREATE THE NO-SSH SFTP USER USING A CHROOTED DIRECTORY:

If your user is to have a "chrooted" directory follow these steps:

1. Perform the steps above "CREATE THE NO-SFTP USER".

2. Create/convert the no-ssh sftp user to have a chrooted directory
by using this setup tool:

# /opt/ssh/ssh_chroot_setup.sh

Now the password entry would look something like this:

sftpuser::101:20:chrooted no-ssh sftp user:\
/newroot/./home/sftpuser:/opt/ssh/etc/sftponly

3. Complete these no-ssh chrooted configuration steps:

# mkdir /newroot/opt/ssh/etc
# chmod 555 /newroot/opt/ssh/etc
# chown bin:bin /newroot/opt/ssh/etc
# cp /opt/ssh/etc/sftponly /newroot/opt/ssh/etc
# chmod 555 /newroot/opt/ssh/etc/sftponly
# chown bin:bin /newroot/opt/ssh/etc/sftponly

Also be sure these permissions are correct:

# chmod 555 /newroot/*
# chown bin:bin /newroot/*
# ls -al /newroot
drwxr-xr-x 10 root sys 8192 Feb 24 09:22 .
drwxr-xr-x 32 root root 8192 Feb 24 11:55 ..
dr-xr-xr-x 2 root sys 96 Aug 19 2005 bin
dr-xr-xr-x 2 root sys 96 Aug 19 2005 dev
dr-xr-xr-x 2 root sys 96 Aug 19 2005 etc
dr-xr-xr-x 3 root sys 96 Aug 19 2005 home
dr-xr-xr-x 3 root sys 96 Aug 19 2005 opt
dr-xr-xr-x 2 root sys 96 Aug 19 2005 sbin
dr-xr-xr-x 4 root sys 96 Aug 19 2005 usr
dr-xr-xr-x 3 root sys 96 Aug 19 2005 var

4. Lastly, test for no shell to ssh and shell-ok for sftp for the
sftpusr from the client:

$ ssh sftpusr@localhost
Password:
Error: sftpshell only runs the sftp-server program.
Connection to localhost closed.

$ sftp sftpusr@localhost
Connecting to localhost...
Password:
sftp>

Reference:

Doc_id: 4000096265
Title: HP-UX: How to configure a user for SFTP access only

ALT KEYWORDS
"chroot environment"
"chroot'ed environment"
"hpux secure shell"
"hp-ux secure shell"
"secure shell"
chroot
sftp
sftponly
ssh
sshd

Re: sftp sessions and /usr/bin/false

Allan Campbell — Mon, 16 Apr 2007 09:27:57 GMT

Getting close, the sftponly script really helped. Howevever, if I want the "chrooted" solution, what you have here is a little lacking. I don't have the ssh_chroot_setup.sh script (which I am assuming is your home grown script?). And creating of the /newroot/... directories - I know that there should be something in them unless the setup script does that. I could not get the chrooted solution to work at all.

Re: sftp sessions and /usr/bin/false

Heironimus — Mon, 16 Apr 2007 13:59:09 GMT

I think the chroot setup script is part of HP's ssh package, and chroot functionality is a patch they include in their build. It copies the necessary files in to the chroot directory.

Re: sftp sessions and /usr/bin/false

Allan Campbell — Tue, 17 Apr 2007 13:40:08 GMT

I believe the chroot problem has something to do with this being a trusted system. I found the file, still no help. We are also using openssh - not HP's version of SSH. Our current solution is to try using "HP's version which is currently based on 4.4p1 of BSD's open source software". I should be good to go now.

Re: sftp sessions and /usr/bin/false

Heironimus — Tue, 17 Apr 2007 15:18:54 GMT

Once upon a time I built a working chroot ssh environment on 11.11 with a trusted system, so it should work. But yes, you have to use HP's SSH package, when I last looked generic OpenSSH did not support chroot users (unless you patch it yourself, of course).