Re: Solaris 9 sftp-server
Date: Wed, 9 Apr 2003 18:17:51 +0100 (BST)
From: firstname.lastname@example.org
To: email@example.com
On Tue, 8 Apr 2003, David M. Fetter wrote:
> You could use something like restricted ksh
> (rksh) or some other restricted shell to tighten down their login access
> in a way that might make it so only SFTP is feasible to use for them.
You can refine this further by forcing the user into a chrooted SFTP-only environment. I can think of two ways to do this (both of which I know work), one hard and one relatively easy (beware, this post will be a bit verbose):
a. The "hard" way (but the one I prefer): Run a chrooted SSH server, listening on another port and/or virtual interface. This server will need its own set of dynamic libraries etc (which will bring joyous memories to those who've set up anonymous users in ftpd/wuftpd), and its own /etc/passwd (which is a good thing, since the SFTP users won't exist in your main unix environment.)
b. The easier way (but more vulnerable to per-user misconfiguration): Set up a chrooted shell that runs just sftp-server.
I really don't like solution (b) due to the many possibilities of creating a hole through misconfiguration, but for the sake of discussion I'll mention a few details:
The SFTP user's shell as set in /etc/passwd (i.e., /the/chroot/shell/mentioned/above):
#!/bin/sh
exec /usr/bin/sudo /usr/mumble/bin/sftp-startup "$HOME"
The file /usr/mumble/bin/sftp-startup looks like:
#!/bin/sh
# ...various arg, error, env and sanity checks...
# $1 is the sftp user's $HOME, passed in by the login shell above
exec /usr/sbin/chroot "$1" /usr/local/libexec/sftp-server
The rationale is as follows:
- chroot must run as root, hence the SUDO command above, which would run passwordless =8-0 and be available only to the sftp user(s) in question
- $HOME is passed in from the SFTP user's original login environment
- /usr/local/libexec/sftp-server is actually the local copy of sftp-server, i.e., /home/sftpuser/usr/local/libexec/sftp-server
Needless to say (but I'll say it anyway):
- The sftp user, by default, MUST NOT be able to modify ANY file or directory in its homedir (including the homedir itself), except for, possibly, one or more subdirectories into which the user is allowed to write.
- In particular, the user must NOT be able to modify its home directory (set to 500 or 550), nor .ssh directory or its contents.
These cautions apply to both solutions a and b, incidentally.
Hope this helps (and that I've not stated too much of the obvious.)
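As an added example (not part of the original post, and not OpenSSH or Solaris code), here is one way the "various arg, error, env and sanity checks" in such a wrapper could enforce the rules listed above before chrooting: the home directory must be root-owned and unwritable by the user (mode 500/550), .ssh must be locked down, and the local sftp-server copy must exist inside the chroot. SFTP_SERVER, check_chroot, sftp_startup and the OWNER parameter are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original poster's script. Pre-flight checks for the
# sudo + chroot wrapper pattern described above: refuse to chroot unless the
# home directory satisfies the post's rules (root-owned, not writable by the
# user, .ssh locked down, sftp-server copy present inside the chroot).
# SFTP_SERVER and the function names are assumptions, not Solaris/OpenSSH APIs.
SFTP_SERVER=/usr/local/libexec/sftp-server   # path as seen *inside* the chroot

# Record a problem; check_chroot reports all of them, then fails once.
fail() { echo "sftp-startup: $*" >&2; status=1; }

# check_chroot DIR [OWNER]: returns 0 if DIR is safe to chroot into, 1 if not.
# OWNER is who must own DIR (root in production; a parameter so the check
# can be exercised without privileges).
check_chroot() {
    dir=$1; owner=${2:-root}; status=0
    case $dir in
        /*) ;;
        *)  fail "home '$dir' is not an absolute path" ;;
    esac
    case $dir in
        *[!A-Za-z0-9/._-]*) fail "home '$dir' contains unexpected characters" ;;
    esac
    [ -d "$dir" ] || { fail "home '$dir' is not a directory"; return 1; }
    [ -L "$dir" ] && fail "home '$dir' is a symbolic link"
    # The chroot root must belong to OWNER and be unwritable by group/other
    # (the post's mode 500/550); otherwise the user can plant files or links.
    [ -n "$(find "$dir" -prune -user "$owner")" ] \
        || fail "home '$dir' is not owned by $owner"
    [ -z "$(find "$dir" -prune \( -perm -g=w -o -perm -o=w \))" ] \
        || fail "home '$dir' is group- or other-writable"
    # .ssh (authorized_keys lives there) must be read-only for the user too.
    if [ -d "$dir/.ssh" ]; then
        [ -z "$(find "$dir/.ssh" \( -perm -g=w -o -perm -o=w \) -print)" ] \
            || fail ".ssh under '$dir' has group- or other-writable entries"
    fi
    # The local sftp-server copy must exist where chroot will look for it.
    [ -x "$dir$SFTP_SERVER" ] || fail "missing or non-executable $dir$SFTP_SERVER"
    return $status
}

# sftp_startup HOME: what the post's /usr/mumble/bin/sftp-startup would do
# after its checks; expected to be reached via passwordless sudo as root.
sftp_startup() {
    check_chroot "$1" root || exit 1
    exec /usr/sbin/chroot "$1" "$SFTP_SERVER"
}
if [ "$#" -eq 1 ]; then sftp_startup "$1"; fi
```

Run as the sftp user's shell target via sudo, it exits without chrooting if any rule is violated and reports every violation on stderr.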