Operating System - HP-UX

restricted secure ftp (sftp) !

 
Ivan Azuara
Regular Advisor

restricted secure ftp (sftp) !

Hi !

I have a lot of ftp users configured with restricted ftp rules using the ftpaccess file, etc. But now I want to configure some ftp accounts using sftp with the same characteristics.

But when I use the sftp service I receive a close connection message.

In summary, I need to define the same functionality in ftp restricted over sftp restricted, or the possibility to establish an ftp connection specifying the username in the same command line like in sftp, e.g.

# sftp ftpusr1@146.219.220.6

Obviously I can use the open command with the ftp command, but I need the ftp session to remain active in order to interact with some ftp commands like in a normal ftp session.

Does somebody have an idea?

Thanks in advance!
"Enjoy the life .."
7 REPLIES
Steven E. Protter
Exalted Contributor

Re: restricted secure ftp (sftp) !

Checklist:

1) Make sure a firewall is not blocking port 22.
2) ps -ef | grep sshd
If there are no processes running sshd, then secure shell/openssh, which is an sftp server, is not running.
/sbin/init.d/secsh start

If you can't find it, install secure shell from http://software.hp.com

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Ivan Azuara
Regular Advisor

Re: restricted secure ftp (sftp) !

The firewall isn't closing port 22; in fact I can establish good connections through sftp with other users (check E1). But when I use one of the ftp users with "Access restrictions" rules applied, using sftp, then I have problems (check E2).

E1) Successful connection.

# sftp ftppdes1@146.219.220.6
Connecting to 146.219.220.6...
Password:
sftp>

E2) Unsuccessful connection.

# sftp ftppusr1@146.219.220.6
Connecting to 146.219.220.6...
Password:
Connection to 146.219.220.6 closed by remote host.
Connection closed

Obviously when I use a normal ftp connection, I don't have any problem, look at it (E3):

E3)

# ftp 146.219.220.6
Connected to 146.219.220.6.
220 FTP server ready.
Name (146.219.220.6:root): ftppusr1
331 Password required for ftppusr1.
Password:
230 User ftppusr1 logged in. Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

My definition of this user in the passwd file is the following:

ftppusr1:*:116:20:ftp user 1,technical support,0567,:/sii_bussiness/bea/user_projects/domains/SII_DOMAIN/logs/./:/usr/bin/ftpshell

My priority is to use the ftp user restriction rules with sftp, or to use ftp user restriction rules specifying the username in the same command line like in sftp.

Best Regards,

Ivan
"Enjoy the life .."
Sanjay_6
Honored Contributor

Re: restricted secure ftp (sftp) !

Hi Ivan

You are probably running into issues because of the chrooted env for the user "ftpusr1"

Try this link on how to configure sftp to use the chrooted env for the user.

http://docs.hp.com/en/T1471-90014/ch01s13.html

for sftp / chroot, try this.

http://docs.hp.com/en/T1471-90014/ch01s13.html#babibgef

Hope this helps.

Regds
Ermin Borovac
Honored Contributor

Re: restricted secure ftp (sftp) !

If you are using HP's ssh you can make use of the /opt/ssh/ssh_chroot_setup.sh script to help you set up a chroot environment.
Denver Osborn
Honored Contributor

Re: restricted secure ftp (sftp) !

Looks like it could be the user's shell that's preventing the sftp connection for ftpusr1. If you want to make this user an sftp only user, I suppose you could set their shell to

/opt/ssh/libexec/sftp-server

This would allow them to sftp into the box, and ssh'ing in for shell access wouldn't really get them anywhere...

If you still need help, post the output of

sftp -vvv ftpusr1@146.219.220.6

on the failed session.

hope this helps,
-denver
ITSD-ACCS
Frequent Advisor

Re: restricted secure ftp (sftp) !

I got the same problem as you, Ivan. I tried to use the following as the shell and it works! Meaning I can sftp but the user won't be able to log in. However, the problem is, when the sftp connection has started, the user is able to 'cd' anywhere. Does anyone have a clue? Thank you.

Login name: suser1 (messages off)
Directory: /home/suser1 Shell: /opt/ssh/libexec/sftp-server

Jeff Lightner_1
Frequent Advisor

Re: restricted secure ftp (sftp) !

Found this thread while trying to find out why "sftp only" in the script doesn't actually restrict it to sftp (allows ssh and scp). The fix of changing shell to sftp-server worked for me.

Wanted to note another oddity. Initially I thought I had the issue noted originally that user could cd anywhere. On testing though I found that is only true if I su to the user from root on the server. Doing sftp login to the server from somewhere else DOES restrict it to the chroot.

That means this would only be an issue if the person you give sftp chroot jail access to also has another non-restricted account on the server and does an su from that one to the restricted one. (In fact I didn't test that - only from root - it may only be a problem from the root user.)

However once you set the shell to sftp-user then su is no longer an issue anyway because they don't get a command line shell anyway.
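
The shell-related point made in the replies above (an account whose login shell is not a real shell, such as /usr/bin/ftpshell, gets its sftp session closed, while /opt/ssh/libexec/sftp-server as the shell gives an sftp-only account) can be checked across a passwd file. This is an added example, not part of any post in the thread; it assumes sshd starts the sftp subsystem through the account's login shell, and the function names, the shells list and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Classifies passwd-format entries by
# login shell, assuming sshd starts sftp-server through that shell.
SFTP_SERVER=/opt/ssh/libexec/sftp-server   # path quoted in the thread

# classify_passwd PASSWD_FILE SHELLS_FILE
# SHELLS_FILE: interactive shells, one path per line (hypothetical list).
# Prints user:class:marker where
#   class  = sftp-only | shell | no-sftp (sftp session would be closed)
#   marker = chroot-marker if the home field contains "/./", else plain
classify_passwd() {
    awk -F: -v sftp="$SFTP_SERVER" '
        FILENAME == ARGV[1] {                 # first file: the shells list
            if ($0 != "" && $0 !~ /^#/) shells[$0] = 1
            next
        }
        /^#/ || NF < 7 { next }               # comments, blanks, short lines
        {
            if ($7 == "")           class = "shell"      # empty: default shell
            else if ($7 == sftp)    class = "sftp-only"
            else if ($7 in shells)  class = "shell"
            else                    class = "no-sftp"
            marker = (index($6, "/./") > 0) ? "chroot-marker" : "plain"
            print $1 ":" class ":" marker
        }
    ' "$2" "$1"
}

# sample_report: run the classifier over constructed sample data.
sample_report() {
    tmp=${TMPDIR:-/tmp}/sftp_audit.$$
    mkdir -m 700 "$tmp" || return 1           # fails if the path already exists
    cat > "$tmp/shells" <<'EOF'
/sbin/sh
/usr/bin/sh
/usr/bin/ksh
EOF
    cat > "$tmp/passwd" <<'EOF'
# constructed entries modelled on the accounts discussed in the thread
ftppdes1:*:115:20:ftp user:/home/ftppdes1:/usr/bin/sh
ftppusr1:*:116:20:ftp user 1:/data/logs/./:/usr/bin/ftpshell
suser1:*:117:20:sftp user:/home/suser1:/opt/ssh/libexec/sftp-server
EOF
    classify_passwd "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}

sample_report
```

Accounts reported as `shell` can also log in interactively over ssh, which is the case to review when the intent is an sftp-only account.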