topic Re: restricted secure ftp (sftp) ! in Operating System - HP-UX

restricted secure ftp (sftp) !

Ivan Azuara — Thu, 19 May 2005 19:12:28 GMT

Hi !

I have a lot of ftp users configured with restricted ftp rules using the ftpaccess file , etc. But now I want to configure some ftp accounts using sftp with the same characteristics.

But when i use de sftp service i receive a close connection message.

In resume i need to define the same funcionallity in ftp restricted over sftp restricted, or the posibility to establish a ftp connection specifying the username in the same command line like in sftp, ej.

# sftp ftpusr1@146.219.220.6

Obviusly i can use de open command with the ftp command but i need that the ftp session remain active in order to interact with some ftp commands like in a normal ftp session.

Somebody have an idea ?

Thank's in advance !

Re: restricted secure ftp (sftp) !

Steven E. Protter — Thu, 19 May 2005 23:25:50 GMT

Checklist:

1)Make sure a firewall is not blocking port 22.
2)ps -ef | grep sshd
If there are no processes running sshd then secure shell/openssh, which is a sftp server is not running.
/sbin/init.d/secsh start

If you can't find it, install secure shell from http://software.hp.com

SEP

Re: restricted secure ftp (sftp) !

Ivan Azuara — Fri, 20 May 2005 11:25:09 GMT

The firewall isn't closing the port 22, in fact i can establish a good connections trought sftp with other users (check E1). But when i used one of them ftpusers with "Access restrictions" rules applied, using sftp then i have problems (check E2)

E1) Succesfully connection.

# sftp ftppdes1@146.219.220.6
Connecting to 146.219.220.6...
Password:
sftp>

E2) Unsuccesfully connection.

# sftp ftppusr1@146.219.220.6
Connecting to 146.219.220.6...
Password:
Connection to 146.219.220.6 closed by remote host.
Connection closed

Obviously when i use a normal ftp connection, i donÂ´t have any problem, look it (E3):

E3)

# ftp 146.219.220.6
Connected to 146.219.220.6.
220 FTP server ready.
Name (146.219.220.6:root): ftppusr1
331 Password required for ftppusr1.
Password:
230 User ftppusr1 logged in. Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

My definition of this user in the passwd file is the next:

ftppusr1:*:116:20:ftp user 1,technical support,0567,:/sii_bussiness/bea/user_projects/domains/SII_DOMAIN/logs/./:/usr/bin/ftpshell

My priority is use the ftp user restriction rules with sftp or use ftp user restriction rules specifying the username in the same command line like in sftp.

Best Regards,

Ivan

Re: restricted secure ftp (sftp) !

Sanjay_6 — Fri, 20 May 2005 15:14:55 GMT

Hi Ivan

You are probably running into issues because of the chrooted env for the user "ftpusr1"

Try this link on how to configure sftp to use the chrooted env for the user.

http://docs.hp.com/en/T1471-90014/ch01s13.html

for sftp / chroot, try this.

http://docs.hp.com/en/T1471-90014/ch01s13.html#babibgef

Hope this helps.

Regds

Re: restricted secure ftp (sftp) !

Ermin Borovac — Fri, 20 May 2005 20:26:36 GMT

If you are using HP's ssh you can make the use of /opt/ssh/ssh_chroot_setup.sh script to help you setup chroot environment.

Re: restricted secure ftp (sftp) !

Denver Osborn — Fri, 20 May 2005 22:21:50 GMT

Looks like it could be the user's shell that's preventing the sftp connection for ftpusr1. If you want to make this user an sftp only user, I suppose you could set their shell to

/opt/ssh/libexec/sftp-server

This would allowd them to sftp into the box, and ssh'ing in for shell access wouldn't really get them anywhere...

If you still need help, post the output of

sftp -vvv ftpusr1@146.219.220.6

on the failed session.

hope this helps,
-denver

Re: restricted secure ftp (sftp) !

ITSD-ACCS — Mon, 27 Jun 2005 03:28:22 GMT

I got the same problem as you Ivan. I tried to use the following as the shell and it works ! Meaning I can sftp but user won't be able to login. However, the problem is, when sftp connection started, the user is able to 'cd' anywhere. Does anyone has a clue ? Thank you.

Login name: suser1 (messages off)
Directory: /home/suser1 Shell: /opt/ssh/libexec/sftp-server

Re: restricted secure ftp (sftp) !

Jeff Lightner_1 — Wed, 28 Sep 2005 12:31:15 GMT

Found this thread while trying to find out why "sftp only" in the script doesn't actually restrict it to sftp (allows ssh and scp). The fix of changing shell to sftp-server worked for me.

Wanted to note another oddity. Initially I thought I had the issue noted originally that user could cd anywhere. On testing though I found that is only true if I su to the user from root on the server. Doing sftp login to the server from somewhere else DOES restrict it to the chroot.

That means this would only be an issue if the person you give sftp chroot jail access to also has another non-restricted account on the server and does an su from that one to the restricted one. (In fact I didn't test that - only from root - it may only be a problem from the root user.)

However once you set the shell to sftp-user then su is no longer an issue anyway because they don't get a command line shell anyway.