IBM Support

Exit Points for the Secure File Transfer Protocol (SFTP)?

Troubleshooting
Problem

This document provides information on exit points for SFTP in the IBM i PASE environment to restrict user access.

Resolving The Problem

The IBM i implementation of OpenSSH uses the publicly available OpenSSH source code; therefore, no SFTP exit points are provided.

Currently, it is not possible to allow only SFTP PUT operations while restricting SFTP GET operations. The client user ID needs *RX authority on every directory in the path down to its $HOME directory in order to connect; in other words, *RX on '/' and '/home' if the $HOME directory is '/home/joeuser'.

With *RX authority, the user is able to get files from '/' and '/home' in addition to getting and putting files in '/home/joeuser'. If the administrator can accept the limitation that the user can read from the parent directories of its $HOME, the user's access to the other directories off that path can be restricted so that the user cannot go anywhere else.
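The following CL commands, added here as an illustration and not part of the original technote, apply the arrangement described above to a constructed user profile JOEUSER whose $HOME is '/home/joeuser'; the sibling directory '/home/otheruser' is an assumed example of a directory to lock down.

```cl
/* Minimum authority the SFTP client needs just to connect:  */
/* *RX on each directory in the path down to $HOME.           */
CHGAUT OBJ('/')              USER(JOEUSER) DTAAUT(*RX)  OBJAUT(*NONE)
CHGAUT OBJ('/home')          USER(JOEUSER) DTAAUT(*RX)  OBJAUT(*NONE)

/* Full read/write/search in the user's own home directory    */
/* so PUT and GET both work there.                            */
CHGAUT OBJ('/home/joeuser')  USER(JOEUSER) DTAAUT(*RWX) OBJAUT(*NONE)

/* Explicitly exclude the user from other directories off the */
/* same path; repeat for every sibling directory that must    */
/* not be reachable. GET from '/' and '/home' themselves      */
/* remains possible because *RX there cannot be removed.      */
CHGAUT OBJ('/home/otheruser') USER(JOEUSER) DTAAUT(*EXCLUDE) OBJAUT(*NONE)

/* Verify the resulting authorities on each directory.        */
DSPAUT OBJ('/home')
DSPAUT OBJ('/home/joeuser')
DSPAUT OBJ('/home/otheruser')
```

Remember to check *PUBLIC authority on the sibling directories as well; an explicit *EXCLUDE for JOEUSER is only needed where *PUBLIC would otherwise grant access.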


Historical Number

488595079

Document Information

Modified date:
11 November 2019

UID

nas8N1013645