IBM Support

Configure an sftp chroot environment

How To


Summary

This tech note describes the recommended method for configuring a chroot environment for sftp.

Steps

1.  Add "/usr/sbin/sftp-server" to the list of login shells in /etc/security/login.cfg.  (This step is unnecessary if sftp-server is already present in the usw stanza in login.cfg.)

chsec -f /etc/security/login.cfg -s usw -a `lssec -f /etc/security/login.cfg -s usw -a shells | awk '{print $2}'`,/usr/sbin/sftp-server

2.  Create a directory to hold all the chrooted users.  This directory must be owned by root and have 700 permissions.  This is a requirement of sftp-server for chrooted users even if there is only one user.

mkdir /home/sftproot
chown root:system /home/sftproot
chmod 700 /home/sftproot

3.  Create a group for the chrooted sftp user(s).  Make sure the group has "admin = false".  You can check this attribute by running lsgroup on the group.  The command below sets "admin = false" automatically.

mkgroup sftpgrp

4.  Create the sftp users (or modify existing users) so that they have the following user attribute settings:

su=false
shell=/usr/sbin/sftp-server
login=false
home=/home/sftproot/<user>
pgrp=sftpgrp
rlogin=false

For example:

chuser "su=false" "shell=/usr/sbin/sftp-server" "login=false" "home=/home/sftproot/<user>" "pgrp=sftpgrp" "rlogin=false" <existing_user>

5.  Each of the users' home directories must be owned by root, with group set to the sftp group, and have 750 permissions.  This is a requirement of sftp-server for chrooted users.

chown root:sftpgrp /home/sftproot/<user>
chmod 750 /home/sftproot/<user>

6.  If a user is allowed to upload files, create a writeable directory inside that user's home directory to receive the uploads.  It must be owned by the user and the sftp group, and should have 700 permissions.  Note that this must be a subdirectory of the user's home directory; it cannot be the home directory itself.  This is a requirement of sftp-server for chrooted users.

mkdir /home/sftproot/<user>/writeable
chown <user>:sftpgrp /home/sftproot/<user>/writeable
chmod 700 /home/sftproot/<user>/writeable

If users may only download files, use 500 permissions on the directory instead.

7.  Add the following stanza to the /etc/ssh/sshd_config file.

Match Group sftpgrp
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no
        PermitTunnel no
        X11Forwarding no

8.  Stop and restart sshd for the change to take effect.

stopsrc -s sshd
startsrc -s sshd
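The following audit script is an added example, not part of this tech note.  It checks an existing chroot tree against the ownership and permission rules from steps 2, 5 and 6 and looks for the step 7 Match stanza in sshd_config.  The directory, group and upload-directory names (sftproot, sftpgrp, writeable) are the ones used in this note; the owner and group names are passed as parameters (root and system on AIX), and ls -ld is assumed to print the POSIX mode/links/owner/group columns.

```shell
# Added audit helper, not part of the tech note. Checks a chroot tree against
# the ownership and permission rules sftp-server requires for ChrootDirectory
# (steps 2, 5 and 6) and looks for the step 7 Match stanza in sshd_config.

# perm_owner_group PATH -> "drwx------ owner group"; the mode string is cut to
# 10 characters so an ACL "+" or similar suffix some ls versions add is ignored.
perm_owner_group() {
    ls -ld "$1" | awk '{print substr($1,1,10), $3, $4}'
}

# expect PATH MODE OWNER GROUP: print one finding and return 1 on mismatch.
expect() {
    if [ ! -d "$1" ]; then
        echo "MISSING  $1"; return 1
    fi
    actual=$(perm_owner_group "$1")
    if [ "$actual" != "$2 $3 $4" ]; then
        echo "MISMATCH $1: want '$2 $3 $4', have '$actual'"; return 1
    fi
}

# audit_chroot ROOT ROOT_OWNER ROOT_GROUP SFTP_GROUP USER...
# On AIX, as in this note: audit_chroot /home/sftproot root system sftpgrp alice
# Returns 0 only when every directory checked passes.
audit_chroot() {
    root=$1; owner=$2; ogrp=$3; grp=$4; shift 4
    rc=0
    # step 2: container directory owned by root, mode 700
    expect "$root" drwx------ "$owner" "$ogrp" || rc=1
    for u in "$@"; do
        # step 5: user home owned by root:sftpgrp, mode 750
        expect "$root/$u" drwxr-x--- "$owner" "$grp" || rc=1
        # step 6: upload directory owned by user:sftpgrp, 700 (500 if download-only)
        up="$root/$u/writeable"
        [ -d "$up" ] || continue
        case "$(perm_owner_group "$up")" in
            "drwx------ $u $grp"|"dr-x------ $u $grp") ;;
            *) echo "MISMATCH $up: want 700 or 500, owned by $u:$grp"; rc=1 ;;
        esac
    done
    return $rc
}

# check_sshd_config FILE: the step 7 stanza for sftpgrp must be present.
check_sshd_config() {
    grep -Eq '^Match[[:space:]]+Group[[:space:]]+sftpgrp' "$1" &&
    grep -Eq '^[[:space:]]*ChrootDirectory[[:space:]]+%h' "$1" &&
    grep -Eq '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp' "$1"
}
```

Run it after step 8 as root; any MISSING or MISMATCH line points at a directory that sftp-server will refuse to chroot into or that the user cannot write to.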


Document Information

Modified date:
09 October 2018

UID

ibm10734507