System Administration

SFTP limited access to unix directory.




Is it possible to limit SFTP access to only one directory in HP-UX 11i V1?


I will be exchanging the SSH keys between our system and the client system. The client system will SFTP to our system and push the files, i.e. put the files in the /SID/Inbound/files directory. But he should not have access to other directories, i.e. /opt, /home, /var, / and any other directories on our system. As I will be creating the unix id for SFTP for the client system and that unix id will be a member of the USERS group, he will be able to access the other directories as read-only, but I don't want him to have even read-only access to other directories; he should be able to access only one directory, i.e. /SID/Inbound/files.


Please let me know how to set up this restricted access for SFTP.




Doug O'Leary
Honored Contributor

Re: SFTP limited access to unix directory.



This is one of those things that seems like it should be fairly easy but tends to be very difficult.  Try google searching for 'sftp only' or something along those lines and you'll see the number of people that have asked similar questions.


The trick to doing it is to use forced commands.  First, you have to lock your tgt ssh key down to specific commands.  Edit the key and put 




in front of the key.  Edit/create /root/bin/sshroot to include the following:


#begin script:
# Wrapper run as the forced command for the client's key.  sshd places the
# command the client requested in SSH_ORIGINAL_COMMAND; it is executed only
# if it matches a line of the VALID_COMMANDS file created below.
VC=/root/bin/VALID_COMMANDS

if [ "${SSH_ORIGINAL_COMMAND}x" != "x" ]
then
   # fgrep -f succeeds if any line of ${VC} occurs anywhere in the command
   echo "${SSH_ORIGINAL_COMMAND}" | fgrep -f ${VC} > /dev/null 2>&1
   if [ $? -eq 0 ]
   then
        logger -p auth.info "ssh/pka executed ${SSH_ORIGINAL_COMMAND}"
        eval "${SSH_ORIGINAL_COMMAND}"
   else
       logger -p auth.warning "invalid command for this key!"
       echo "too bad, software pirate!"
       exit 1
   fi
else
   logger -p auth.warning "non-interactive key attempted interactive login!"
   echo "too bad, software pirate!"
   exit 1
fi
# end script


I know, there are possibly better ways to write that script, but it works... Updates left as an exercise for the reader.


Next, create /root/bin/VALID_COMMANDS to include


scp -t -- /SID/inbound/files


That *should* be it; however, you'll obviously want to test it out.  If it doesn't work, add a line before or after the logger command to echo the ${SSH_ORIGINAL_COMMAND} value to a file as logger will truncate the line to syslog if it's too long.


Hope that helps; it should at least get you started.


Doug O'Leary

Senior UNIX Admin
O'Leary Computers Inc
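An added example, not from the post above, showing what the `fgrep -f VALID_COMMANDS` check in the wrapper actually accepts: it is a substring match, so any command line that merely contains an allowed line passes, whereas an exact whole-line match (`grep -x -F`) accepts only the listed command. The allow-list is constructed in a temporary file here instead of /root/bin/VALID_COMMANDS.

```shell
#!/bin/sh
# Constructed allow-list standing in for /root/bin/VALID_COMMANDS.
# Caution: an empty line in this file would make the substring rule match
# every command, so keep the file free of blank lines.
VC=$(mktemp /tmp/valid_commands.XXXXXX)
trap 'rm -f "$VC"' EXIT
printf '%s\n' 'scp -t -- /SID/inbound/files' > "$VC"

# Substring rule, as used by the wrapper (grep -F -f is fgrep -f):
# returns 0 if any allow-list line occurs anywhere in the command.
allowed_substring() {
    echo "$1" | grep -F -f "$VC" > /dev/null 2>&1
}

# Exact rule: the whole command must equal one allow-list line.
allowed_exact() {
    echo "$1" | grep -x -F -f "$VC" > /dev/null 2>&1
}

# Show how one requested command fares under both rules.
show() {
    if allowed_substring "$1"; then s=allow; else s=deny; fi
    if allowed_exact "$1"; then e=allow; else e=deny; fi
    printf 'substring=%-5s exact=%-5s  [%s]\n' "$s" "$e" "$1"
}

show 'scp -t -- /SID/inbound/files'            # both rules allow
show 'scp -t -- /SID/inbound/files/other'      # substring allows, exact denies
show 'echo hi; scp -t -- /SID/inbound/files'   # substring allows, exact denies
show ''                                        # both rules deny
```

Adding `-x` to the fgrep call in the wrapper (or using `grep -x -F -f`) turns the check into the exact rule; the VALID_COMMANDS line must then match the client's command byte for byte.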
Arunabha Banerjee
Valued Contributor

Re: SFTP limited access to unix directory.

You need to implement chroot for this. To begin, ensure you have OpenSSH 4.9p1 or newer installed. Then edit /opt/ssh/etc/sshd_config file and set the following options:


# override default of no subsystems
#Subsystem      sftp    /opt/ssh/libexec/sftp-server
Subsystem       sftp    internal-sftp


Match User joe
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no


Ensure the “Match” directive is at the end of the file. This tells OpenSSH that all users in the sftp group are to be chrooted to their home directory (which %h represents in the ChrootDirectory command), forces the use of the internal-sftp helper, and disables TCP port forwarding.


Restart SSH service:


# /sbin/init.d/secsh stop
# /sbin/init.d/secsh start


Now follow the below steps:


# useradd -g users -s /bin/false -d /SID/Inbound -c "SFTP User Only" -m joe

# passwd joe
# chown root:root /SID/Inbound

# chmod 0755 /SID/Inbound

# chown -R joe:users /SID/Inbound/files

# chmod -R 750 /SID/Inbound/files


With the above, user joe can sftp and will be restricted to the /SID/Inbound directory, and he can upload and download files from the files directory only. Joe will not be able to view any other directory like /, /home, /opt, /tmp etc.

Also, Joe will not be able to ssh; only sftp will work.
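An added example, not from the post above: a check for the ownership and mode rules that ChrootDirectory imposes, which the chown root:root / chmod 0755 steps above are there to satisfy. sshd requires every component of the chroot path (here /SID/Inbound, /SID and /) to be a root-owned directory that is not writable by group or others; this script only verifies that, it changes nothing. The world-writable demo directory at the end is constructed to show a rejection.

```shell
#!/bin/sh
# perm_ok MODE OWNER: MODE is the first field of 'ls -ld' (e.g. drwxr-xr-x),
# OWNER the third.  Returns 0 when the component passes the chroot rule.
perm_ok() {
    [ "$2" = root ] || return 1            # must be owned by root
    case "$1" in
        d????w*|d???????w*) return 1 ;;    # group (pos 6) or other (pos 9) write bit
        d*) return 0 ;;
        *)  return 1 ;;                    # not a directory
    esac
}

# chroot_path_ok DIR: walk from DIR up to / and apply perm_ok to each component.
# Prints the first offending component on stderr and returns 1.
chroot_path_ok() {
    p=$1
    while :; do
        line=$(ls -ld "$p" 2>/dev/null) || return 1
        set -- $line
        perm_ok "$1" "$3" || { echo "chroot check failed at $p ($1 $3)" >&2; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Constructed demo: a fresh world-writable directory under /tmp must be rejected.
demo_world_writable() {
    d=$(mktemp -d /tmp/chrootchk.XXXXXX) || return 1
    chmod 777 "$d"
    if chroot_path_ok "$d"; then rc=0; else rc=1; fi
    rmdir "$d"
    return $rc
}

demo_world_writable && echo "demo dir accepted" || echo "demo dir rejected, as expected"
```

On the real host run `chroot_path_ok /SID/Inbound` after the chown/chmod steps; a failure message names the directory that still needs fixing.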




Re: SFTP limited access to unix directory.

Thanks Arunabha...

I have implemented chroot as you recommended above and also tested on test server and it works perfectly.


But I have one question: as we have an old version of SSH, i.e. A.04.30.006, if I upgrade to the latest one, i.e. A.05.80.001, will there be any problem with the existing SSH keys which the client has already imported on their system? We are connecting to their system through SFTP without a password. After we upgrade to the latest version of SSH, will we have to regenerate the SSH keys and send them once again to the client, or will the old SSH keys continue to work as before?




Arunabha Banerjee
Valued Contributor

Re: SFTP limited access to unix directory.

Don't need to generate new SSH-keys. Your existing SSH-keys will work in new OpenSSH version.

Steven E. Protter
Exalted Contributor

Re: SFTP limited access to unix directory.



Generating new ssh keys will resolve nothing.


If chroot is not working post the error message, it may be a setup error.



Steven E Protter
Owner of ISN Corporation