04-03-2007 01:38 AM
sftp sessions and /usr/bin/false
04-03-2007 02:35 AM
Re: sftp sessions and /usr/bin/false
I don't think there is such a thing as "old" /usr/bin/false. It is just a placeholder for the login program (which is typically a shell), so that the user will only have FTP access and not be able to open a terminal session using telnet or other mechanism.
Sundar.
04-03-2007 03:34 AM
Re: sftp sessions and /usr/bin/false
04-07-2007 12:57 AM
Re: sftp sessions and /usr/bin/false
rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp.
http://www.pizzashack.org/rssh/
04-07-2007 08:57 AM
Re: sftp sessions and /usr/bin/false
04-12-2007 01:36 AM
Re: sftp sessions and /usr/bin/false
Title: HP-UX: How to configure a user for SFTP access only, in a chroot'ed environment.
Document ID: 4000115147
Last Modified Date: 3/2/06
PROBLEM
Some users on an HP-UX 11.x system with ssh (Secure Shell) should be
configured to have SFTP access, but these users should not be able to
log in through ssh. Instead, these users should be directed to the
limited environment, often called "chroot'ed" environment.
CONFIGURATION
Operating System - HP-UX
Version - 11.x
Subsystem - ssh
RESOLUTION
HOW TO RESTRICT A USER TO ONLY HAVE SFTP ACCESS (NO SSH):
Create the following shell script for the sftp user on the server,
which you want to deny ssh shell access:
# vi /opt/ssh/etc/sftponly
#<---------------------- begin script ---------------------->
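#!/bin/sh
# The shell used here must be /bin/sh
# Shell arguments must be -c /opt/ssh/libexec/sftp-server
# Anything else (an interactive login, a remote command) is refused.
if [ "$1" != "-c" ] || [ "$2" != "/opt/ssh/libexec/sftp-server" ]
then
    echo "Error: sftpshell only runs the sftp-server program."
    exit 1
fi
shift 2
# Pass any remaining arguments through unchanged, without word splitting
/opt/ssh/libexec/sftp-server "$@"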
#<---------------------- end script ---------------------->
CREATE THE NO-SSH SFTP USER:
1. Adlib from this example by modifying the /etc/passwd file for the
targeted non-ssh sftp user:
# vi /etc/passwd
sftpusr:
/opt/ssh/etc/sftponly
2. Next, modify the ownership and permissions to this new shell account.
# chmod 555 /opt/ssh/etc/sftponly
# chown bin:bin /opt/ssh/etc/sftponly
CREATE THE NO-SSH SFTP USER USING A CHROOTED DIRECTORY:
If your user is to have a "chrooted" directory follow these steps:
1. Perform the steps above "CREATE THE NO-SSH SFTP USER".
2. Create/convert the no-ssh sftp user to have a chrooted directory
by using this setup tool:
# /opt/ssh/ssh_chroot_setup.sh
Now the password entry would look something like this:
sftpuser:
/newroot/./home/sftpuser:/opt/ssh/etc/sftponly
3. Complete these no-ssh chrooted configuration steps:
# mkdir /newroot/opt/ssh/etc
# chmod 555 /newroot/opt/ssh/etc
# chown bin:bin /newroot/opt/ssh/etc
# cp /opt/ssh/etc/sftponly /newroot/opt/ssh/etc
# chmod 555 /newroot/opt/ssh/etc/sftponly
# chown bin:bin /newroot/opt/ssh/etc/sftponly
Also be sure these permissions are correct:
# chmod 555 /newroot/*
# chown bin:bin /newroot/*
# ls -al /newroot
drwxr-xr-x 10 root sys 8192 Feb 24 09:22 .
drwxr-xr-x 32 root root 8192 Feb 24 11:55 ..
dr-xr-xr-x 2 root sys 96 Aug 19 2005 bin
dr-xr-xr-x 2 root sys 96 Aug 19 2005 dev
dr-xr-xr-x 2 root sys 96 Aug 19 2005 etc
dr-xr-xr-x 3 root sys 96 Aug 19 2005 home
dr-xr-xr-x 3 root sys 96 Aug 19 2005 opt
dr-xr-xr-x 2 root sys 96 Aug 19 2005 sbin
dr-xr-xr-x 4 root sys 96 Aug 19 2005 usr
dr-xr-xr-x 3 root sys 96 Aug 19 2005 var
4. Lastly, test for no shell to ssh and shell-ok for sftp for the
sftpusr from the client:
$ ssh sftpusr@localhost
Password:
Error: sftpshell only runs the sftp-server program.
Connection to localhost closed.
$ sftp sftpusr@localhost
Connecting to localhost...
Password:
sftp>
Reference:
Doc_id: 4000096265
Title: HP-UX: How to configure a user for SFTP access only
ALT KEYWORDS
"chroot environment"
"chroot'ed environment"
"hpux secure shell"
"hp-ux secure shell"
"secure shell"
chroot
sftp
sftponly
ssh
sshd
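Added example (not part of the HP document or of any post in this thread): a shell audit of the setup the procedure above produces. It reads a passwd-format file, finds accounts whose login shell is the sftponly wrapper, and reports a wrapper that is missing, not executable, or group/world writable, including the copy inside the chroot. The function names are hypothetical, and treating the part of the home directory before "/./" as the chroot root is an assumption based on the passwd entry shown in the document.

```shell
#!/bin/sh
# Added example: audit accounts that use the sftponly wrapper as login shell.
# Usage: audit_sftponly PASSWD_FILE [WRAPPER_PATH]
# Prints one finding per line and returns 0 only when nothing is wrong.
WRAPPER_DEFAULT=/opt/ssh/etc/sftponly

# True if the path is writable by group or other (the document sets mode 555).
loose_mode() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# $1 = path of a wrapper copy, $2 = user name used in the finding
check_wrapper() {
    if [ ! -x "$1" ]; then
        echo "$2: wrapper $1 missing or not executable"
        return 1
    fi
    if loose_mode "$1"; then
        echo "$2: wrapper $1 is group/world writable"
        return 1
    fi
    return 0
}

audit_sftponly() {
    passwd_file=$1
    wrapper=${2:-$WRAPPER_DEFAULT}
    rc=0
    while IFS=: read -r user _ _ _ _ home shell; do
        # Only accounts restricted with the wrapper are in scope.
        [ "$shell" = "$wrapper" ] || continue
        check_wrapper "$wrapper" "$user" || rc=1
        case $home in
        */./*)
            # Assumption: the text before "/./" is the chroot root, and the
            # wrapper must exist at the same path inside it.
            newroot=${home%%/./*}
            check_wrapper "$newroot$wrapper" "$user" || rc=1
            ;;
        esac
    done < "$passwd_file"
    return $rc
}
```

Run it as root against /etc/passwd after step 3; a chrooted account whose /newroot copy of the wrapper was never created shows up as a "missing" finding.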
04-16-2007 02:27 AM
Re: sftp sessions and /usr/bin/false
04-16-2007 06:59 AM
Re: sftp sessions and /usr/bin/false
04-17-2007 06:40 AM
Re: sftp sessions and /usr/bin/false
04-17-2007 08:18 AM