[HPADM] SUMMARY Restricted SFTP without user being able to SSH into server

From: James J. Perry (jjperry_at_water.com)
Date: 04/01/05

    Date: Fri, 1 Apr 2005 10:42:47 -0500
    To: <hpux-admin@dutchworks.nl>

    While I managed to get a few replies from the list that suggested
    scponly, the suggestions did not fit the desired security level. I did
    amazingly get a simple and workable solution from HP. I have added it
    here so that it will assist others that may have to perform the same
    configuration:


    1. Set up a chroot environment for sftp.
    http://www.docs.hp.com/en/T1471-90014/ch01s13.html

    2. Set up script logging to allow only the sftp-server process to be a
    valid app for login.

    #!/bin/sh
    #
    # sftponly shell
    #
    # Shell arguments must be -c /opt/ssh/libexec/sftp-server

    # Record the first argument sshd handed to the shell.
    echo "$1" >> /tmp/ftponly.log

    # Refuse anything other than "-c /opt/ssh/libexec/sftp-server",
    # i.e. interactive logins and arbitrary remote commands.
    if [ "$1" != "-c" -o "$2" != "/opt/ssh/libexec/sftp-server" ]
    then
        echo "Error: sftpshell only runs the sftp-server program."
        exit 1
    fi

    # Drop "-c" and the program path, pass any remaining arguments on.
    shift 2
    /opt/ssh/libexec/sftp-server "$@"


    For the above script to work you would have to create an account with
    this script as the shell for the account. Here is an example:

    sftponly:ZDsDOEvJmtJw.:144:20::/home/sftponly:/tmp/sftponly.sh


    The setup works like a champ and resolved the issue.


       -Jim


    Original Message:

    We are migrating to servers where security policy dictates secure ftp
    sessions only. In the past we just used restricted FTP with the user's
    shell prompt set to /bin/false or /etc/ftponly.


    When I do an sftp to that server, I get a message "illegal user XYZ from
    ip ..." and the access is denied. When I set the shell to /bin/sh, I
    can sftp into the server, but it is not directory restricted to their
    home directory. Also, the user can use SSH to login to the server,
    which is most undesirable.


    I have dug around on man pages, Googled, and looked at OpenSSH.org, but
    cannot find out a way to configure the sshd or sftp to make sftp work
    like restricted FTP.


       Thanks

       -Jim


    --
                 ---> Please post QUESTIONS and SUMMARIES only!! <---
            To subscribe/unsubscribe to this list, contact majordomo@dutchworks.nl
           Name: hpux-admin@dutchworks.nl     Owner: owner-hpux-admin@dutchworks.nl
     
     Archives:  ftp.dutchworks.nl:/pub/digests/hpux-admin       (FTP, browse only)
                http://www.dutchworks.nl/htbin/hpsysadmin   (Web, browse & search)
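A hardened variant of the sftponly login shell, added here as an example (it is not the script from the post or from HP): it accepts only the exact argument vector `-c /opt/ssh/libexec/sftp-server` that sshd passes for the sftp subsystem, so interactive logins, `ssh host 'cmd'` and vectors with extra trailing arguments are all refused, and it records every attempt in syslog rather than a world-writable file under /tmp. It assumes the sftp-server path given in the post and that the script is installed under the name `sftponly`.

```shell
#!/bin/sh
# sftponly: restricted login shell that only ever starts sftp-server.
# Added example (not the script from the post). Install it as
# /usr/local/bin/sftponly (outside /tmp), list that path in /etc/shells
# if your sshd requires it, and set it as the account's shell.
#
# sshd runs a subsystem as:  $SHELL -c "<subsystem command>"
# so the only argument vector accepted is exactly:
#     -c /opt/ssh/libexec/sftp-server
# An interactive login ($SHELL with no -c), "ssh host 'cmd'" or scp never
# produce that vector and are refused.

SFTP_SERVER=/opt/ssh/libexec/sftp-server   # path assumed from the post

# Exit 0 only for the exact vector "-c $SFTP_SERVER". Checking $# as well
# means "-c <path> <more args>" cannot slip through a later "shift 2".
sftponly_allowed() {
    [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "$SFTP_SERVER" ]
}

# Record every attempt in syslog (auth facility) instead of a world-writable
# file under /tmp, so refusals show up in normal login-audit review.
sftponly_log() {
    _result=$1; shift
    logger -t sftponly -p auth.info \
        "user=$(id -un) result=$_result argv=[$*]" 2>/dev/null || :
}

sftponly_main() {
    if sftponly_allowed "$@"; then
        sftponly_log allowed "$@"
        exec "$SFTP_SERVER"    # replace the shell; nothing runs after this
    fi
    sftponly_log refused "$@"
    echo "Error: sftponly only runs the sftp-server program." >&2
    exit 1
}

# Dispatch only when running as the installed shell (login shells are
# invoked as "-sftponly"); run under any other name the file just defines
# the functions, which is what a test harness wants.
case "${0##*/}" in
    sftponly|-sftponly) sftponly_main "$@" ;;
esac
```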
    
