
IBM AIX: Configure an sftp chroot environment

How To


Summary

This technote describes the recommended method for configuring a chroot environment for sftp on AIX®.

Steps

1. Add "/usr/sbin/sftp-server" to the list of login shells in /etc/security/login.cfg. This step is unnecessary if sftp-server is already listed in the shells attribute of the usw stanza in login.cfg.
chsec -f /etc/security/login.cfg -s usw -a `lssec -f /etc/security/login.cfg -s usw -a shells | awk '{print $2}'`,/usr/sbin/sftp-server
2. Create a directory to hold all the chrooted users. The sftp-server program requires that this directory and all of its parent directories be owned by root and have 700 permissions. Create a separate file system for the users if necessary.
mkdir -p /sftp/sftproot
chown -R root:system /sftp
chmod -R 700 /sftp
3. Create a group for the chrooted sftp users. Make sure the group has admin = false; you can check this attribute by running lsgroup on the group. The following command sets admin = false automatically when it creates the group.
mkgroup sftpgrp
4. Create users with the following attribute settings (or modify existing users to have them).
su=false
shell=/usr/sbin/sftp-server
login=false
home=/sftp/sftproot/<user>
pgrp=sftpgrp
rlogin=false
For example,
chuser "su=false" "shell=/usr/sbin/sftp-server" "login=false" "home=/sftp/sftproot/<existing_user>" "pgrp=sftpgrp" "rlogin=false" <existing_user>
If the user's password was set by the root user, remove the ADMCHG flag from it with the following command; otherwise the user is required to change the password at the next login, which an sftp-only account cannot do.
pwdadm -c <user>
5. The sftp-server program requires that each of the users' home directories be owned by root, with group set to the sftp group, and have 750 permissions.
chown root:sftpgrp /sftp/sftproot/<user>
chmod 750 /sftp/sftproot/<user>
6. If users are allowed to upload files, create a writable directory in each user's home directory for uploads. The sftp-server program requires that this directory be owned by the user and the sftp group and have 700 permissions. The writable directory must be a subdirectory of the user's home directory; it cannot be the home directory itself.
mkdir /sftp/sftproot/<user>/writeabledir
chown <user>:sftpgrp /sftp/sftproot/<user>/writeabledir
chmod 700 /sftp/sftproot/<user>/writeabledir
If users can only download, use 500 permissions on the directory instead.
7. Add the following stanza to the /etc/ssh/sshd_config file (%h expands to the matched user's home directory).
Match Group sftpgrp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
8. Stop and restart sshd for the change to take effect.
stopsrc -s sshd
startsrc -s sshd
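The steps above leave the chroot tree correct only as long as nobody later loosens ownership or permissions, and sshd refuses the chroot (the user sees the connection close) rather than explaining which directory is wrong. The script below is an added audit example, not part of the IBM technote: it re-checks the rules stated in steps 2, 5 and 6 for one user's tree and prints an OK or FAIL line per directory. It assumes the values used in the technote (base directory /sftp, group sftpgrp, upload subdirectory named writeabledir), that root's group is gid 0 (system on AIX), and relies only on `ls -ldn`, which AIX and Linux both provide. Directories above the base you pass in are not checked.

```sh
#!/bin/sh
# Added audit script (not part of the IBM technote): re-checks the ownership and
# permission rules the technote states for an sftp chroot tree, so the layout can
# be verified after it is built or after a later change.
# Assumptions: base directory /sftp, group sftpgrp and subdirectory name
# "writeabledir" are the values used in the technote; root's group is gid 0
# (AIX "system"); only 'ls -ldn' is used, which AIX and Linux both provide.

# triple_to_digit RWX -> one octal digit for a 3-character permission triple.
# Lowercase s/t (special bit together with execute) count as execute;
# uppercase S/T (special bit without execute) do not.
triple_to_digit() {
    _d=0
    case "$1" in r??) _d=$((_d + 4)) ;; esac
    case "$1" in ?w?) _d=$((_d + 2)) ;; esac
    case "$1" in ??[xst]) _d=$((_d + 1)) ;; esac
    printf '%s' "$_d"
}

# mode_of PATH -> permission bits as three octal digits (e.g. 750), taken from
# the symbolic mode column of 'ls -ldn'. Returns 1 if PATH cannot be listed.
mode_of() {
    _sym=$(ls -ldn "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$_sym" ] || return 1
    printf '%s%s%s' \
        "$(triple_to_digit "$(printf '%s' "$_sym" | cut -c2-4)")" \
        "$(triple_to_digit "$(printf '%s' "$_sym" | cut -c5-7)")" \
        "$(triple_to_digit "$(printf '%s' "$_sym" | cut -c8-10)")"
}

# check_dir PATH UID GID MODE -> prints OK/FAIL for PATH and returns 0 only when
# the numeric owner, numeric group and octal mode all match what was expected.
check_dir() {
    _path=$1; _want_uid=$2; _want_gid=$3; _want_mode=$4
    if [ ! -d "$_path" ]; then
        printf 'FAIL %s: not a directory\n' "$_path"
        return 1
    fi
    _line=$(ls -ldn "$_path")
    _uid=$(printf '%s\n' "$_line" | awk '{print $3}')
    _gid=$(printf '%s\n' "$_line" | awk '{print $4}')
    _mode=$(mode_of "$_path")
    if [ "$_uid" = "$_want_uid" ] && [ "$_gid" = "$_want_gid" ] && [ "$_mode" = "$_want_mode" ]; then
        printf 'OK   %s (%s:%s %s)\n' "$_path" "$_uid" "$_gid" "$_mode"
        return 0
    fi
    printf 'FAIL %s: want %s:%s %s, have %s:%s %s\n' \
        "$_path" "$_want_uid" "$_want_gid" "$_want_mode" "$_uid" "$_gid" "$_mode"
    return 1
}

# audit_chroot BASE HOME UID GID -> applies the technote's rules to one user:
#   BASE and every directory between it and HOME's parent : 0:0,     mode 700 (step 2)
#   HOME                                                  : 0:GID,   mode 750 (step 5)
#   HOME/writeabledir, if present                         : UID:GID, mode 700, or 500
#                                                           for download-only (step 6)
# Returns 0 only if every directory passed. Directories above BASE are not checked.
audit_chroot() {
    _base=$1; _home=$2; _uid=$3; _gid=$4
    _rc=0
    _parent=$(dirname "$_home")
    case "$_parent" in
        "$_base"|"$_base"/*) ;;
        *) printf 'FAIL %s: not inside %s\n' "$_home" "$_base"; return 1 ;;
    esac
    check_dir "$_base" 0 0 700 || _rc=1
    # Walk the components between BASE and HOME's parent one at a time.
    _cur=$_base
    _oldifs=$IFS; IFS=/; set -f
    for _comp in ${_parent#"$_base"}; do
        [ -n "$_comp" ] || continue
        _cur="$_cur/$_comp"
        check_dir "$_cur" 0 0 700 || _rc=1
    done
    IFS=$_oldifs; set +f
    check_dir "$_home" 0 "$_gid" 750 || _rc=1
    _wdir="$_home/writeabledir"
    if [ -d "$_wdir" ]; then
        if [ "$(mode_of "$_wdir")" = 500 ]; then
            check_dir "$_wdir" "$_uid" "$_gid" 500 || _rc=1
        else
            check_dir "$_wdir" "$_uid" "$_gid" 700 || _rc=1
        fi
    fi
    return "$_rc"
}

# Usage on the AIX host, as root, after completing the steps above
# (lsgroup prints "sftpgrp id=NNN"; awk keeps only the number):
#   audit_chroot /sftp /sftp/sftproot/<user> "$(id -u <user>)" \
#       "$(lsgroup -a id sftpgrp | awk -F= '{print $2}')"
```

Run it once per chrooted user after step 8 and again whenever a user's tree is touched; a non-zero exit status means at least one directory would make sshd reject the chroot or would let the user change more than the upload directory. Numeric ids are compared rather than names so that the result does not depend on name resolution inside or outside the chroot.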

Additional Information

SUPPORT:

If the instructions in this document do not lead to resolution of the problem, follow these instructions to open a case. The product must be under warranty or have an active and valid support contract.

a.  Document or take screen captures of all symptoms, errors, or messages.

b.  Capture any logs or data relevant to the issue.

c.  Contact IBM® to open a case.

   - For electronic support, visit the IBM Support Community:
     https://www.ibm.com/mysupport
   - If you require telephone support, visit this web page:
     https://www.ibm.com/planetwide/

d.  Provide a detailed description of the issue and reference this technote.

e.  Upload all of the details and data to the case.

   - You can attach files to the case in the IBM Support Community, or
   - Upload data to IBM test case server analysis at this URL:
     http://www.ibm.com/support/docview.wss?uid=ibm10733581



Document Information

Modified date:
22 September 2022

UID

ibm10734507