Operating System - HP-UX

How to create restricted sftp account ?

 
SOLVED
Go to solution
ITSD-ACCS
Frequent Advisor

How to create restricted sftp account ?

Hi,

I am able to create a sftp only account by pointing to a self-created shell called /opt/ssh/etc/ftponly. However when I login, the user is able to 'cd' to everywhere. May I know how to restrict it ?

Thanks !
Devender Khatana
Honored Contributor

Re: How to create restricted sftp account ?

Hi,

Have a look at the latest doc related to sftp. Although this can be controlled by ftpaccess also if you are using the ftpaccess file.

http://docs.hp.com/en/T1471-90013/ch01s02.html

From man ftpaccess :-
============================================
The user's home directory must be properly set up, exactly as anonymous FTP would be. The home directory field of the passwd
entry is divided into two directories. The first field is the root directory which will be the argument to the chroot call.
The second half is the user's home directory relative to the root directory. The two halves are separated by a /./.

Example:
In the /etc/passwd file, the sample entry is:

guest1::100:92:Guest Account:/ftp/./incoming:/etc/ftponly

When guest1 successfully logs in, the ftp server will chroot(/ftp) and then chdir (/incoming). The guest user will only be able to access the directory structure under /ftp (which will look and act as / to guest1), just as an anonymous FTP user would.

HTH,
Devender
Impossible itself mentions "I m possible"
ITSD-ACCS
Frequent Advisor

Re: How to create restricted sftp account ?

Here is the situation: the default directory MUST be as follows only. Could you be more specific on how to restrict him from going anywhere other than his own directory as below?

In /etc/passwd, I have
RMD:Oj9hHfaJL5f8E:116:20:,,,:/proj/is/prod/download/RMD:/opt/ssh/etc/sftponly

Anyone can help me ? Many Thanks.
Michael Selvesteen_2
Trusted Contributor

Re: How to create restricted sftp account ?

I guess the /opt/ssh/etc/sftponly shell will restrict the user to using only sftp. But the shell cannot restrict the user from 'cd'ing everywhere. For that you need a chroot cage.

Try the following if you use HP Secure Shell

1. Configure the user as a chroot user using the /opt/ssh/ssh_chroot_setup.sh script.

2. Edit /etc/passwd file to change the default shell to /opt/ssh/etc/sftponly

This will restrict the user to use only sftp in a chroot-ed directory.

All the best.
ITSD-ACCS
Frequent Advisor

Re: How to create restricted sftp account ?

I have run the script, and here is the result when I try on localhost. The username is, for example, 'RMD'.

>sftp RMD@0
Connecting to 0...
Password:
sftp> ls
. ..
sftp> cd ..
sftp> ls
. .. RMD

You can see I can navigate to the upper level. How to fix it?
Michael Selvesteen_2
Trusted Contributor
Solution

Re: How to create restricted sftp account ?

Yes, this is the expected behaviour. But note that the chroot-ed user can move up only to the level of the restricted new root. The user can't move everywhere.

You can note the difference by trying 'ls /' with normal user login and also with 'ls /' with chroot user login.

For information about chroot refer
/opt/ssh/README.hp

Hope this helps.
ITSD-ACCS
Frequent Advisor

Re: How to create restricted sftp account ?

Right ! I can jail the user now ! Thank you ! However, once I changed the default shell from /bin/sh to /opt/ssh/etc/sftponly shell in /etc/passwd, my connection was closed. I don't want the user to have shell access to server.

Do I really need to upload A.03.91.002 HP-UX Secure Shell? I tried to copy the lib/gss but it was still of no use.

generic_1
Respected Contributor

Re: How to create restricted sftp account ?

You can use permissions and ownerships to limit them too, remember :).
ITSD-ACCS
Frequent Advisor

Re: How to create restricted sftp account ?

No, I only allow that user sftp access without shell access.
Now, I get 'Connection Closed' if I use /opt/ssh/etc/sftponly (meaning no shell). Or I can jail the user with sftp only, but with shell access, if I use /bin/sh. Can anyone help?
Michael Selvesteen_2
Trusted Contributor

Re: How to create restricted sftp account ?

Try the method specified in the link

http://www.darklab.net/resources/hpux-mailinglist/3665.html


All The Best
ITSD-ACCS
Frequent Advisor

Re: How to create restricted sftp account ?

Michael, this is what I have already done in the very beginning. If I change to sftponly.sh, I get "Connection Closed". If I simply use /bin/sh, it works fine, but I don't want that user to have a shell. I even uploaded the A4.00 Secure Shell.

Anyone can help ?
Michael Selvesteen_2
Trusted Contributor

Re: How to create restricted sftp account ?

Just a minor thing,

Have you copied sftponly.sh to /newroot/bin/? This is required because the chroot user can only access the "/bin" directory which is under the chroot environment. Try copying the sftponly shell to the chroot directory.

All The Best.
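The two points the thread turns on are the "root/./home" convention in the passwd home field (Devender's quote from man ftpaccess) and Michael's last note that the login shell named in /etc/passwd must also exist inside the chroot tree, otherwise sshd cannot exec it and closes the connection. The script below is an added example, not from the thread or from HP's ssh_chroot_setup.sh: it splits a passwd entry into chroot root and relative home, then checks that the shell is present and executable under that root. The jail it builds under a temporary directory, and the RMD entry it uses, are constructed for the demo; it assumes paths without spaces.

```sh
#!/bin/sh
# Added example (not from the thread): parse the "root/./home" passwd
# convention and verify the login shell exists inside the chroot root.

# split_chroot_home ENTRY -> prints "ROOT HOME", HOME relative to ROOT.
# Without a /./ marker the user is not chrooted, so ROOT is "/".
split_chroot_home() {
    entry=$1
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    case $home in
        */./*)
            root=${home%%/./*}      # everything before the first /./
            rel=/${home#*/./}       # everything after it, made absolute
            ;;
        *)
            root=/
            rel=$home
            ;;
    esac
    printf '%s %s\n' "$root" "$rel"
}

# check_chroot_shell ENTRY -> 0 if the shell from field 7 is executable
# under the chroot root, 1 otherwise (the "Connection closed" case).
check_chroot_shell() {
    entry=$1
    set -- $(split_chroot_home "$entry")
    root=$1
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    if [ "$root" = / ]; then
        echo "no /./ marker in home field: user is not chrooted"
        return 1
    fi
    if [ -x "$root$shell" ]; then
        echo "ok: $shell is present at $root$shell"
        return 0
    fi
    echo "missing: $shell not found at $root$shell; sshd will close the connection"
    return 1
}

# Constructed demo: a throwaway jail under a temporary directory.
demo() {
    jail=$(mktemp -d)
    entry="RMD:x:116:20:,,,:$jail/./RMD:/opt/ssh/etc/sftponly"
    mkdir -p "$jail/RMD"
    split_chroot_home "$entry"
    # First run: shell only exists on the real system, not in the jail.
    if check_chroot_shell "$entry"; then echo "unexpected"; fi
    # Copy (here: create) the shell inside the jail and check again.
    mkdir -p "$jail/opt/ssh/etc"
    printf '#!/bin/sh\n' > "$jail/opt/ssh/etc/sftponly"
    chmod 755 "$jail/opt/ssh/etc/sftponly"
    check_chroot_shell "$entry"
    rm -rf "$jail"
}

demo
```

Running the same check against the real entry from the thread, RMD:...:/proj/is/prod/download/./RMD:/opt/ssh/etc/sftponly, would look for /proj/is/prod/download/opt/ssh/etc/sftponly; the shell (and any libraries it needs) has to be copied there, not just exist in /opt/ssh/etc on the host.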