IBM Support

IBM AIX Q&A: Restrict SFTP Access on AIX

Question & Answer


Question

How to restrict SFTP access on AIX

Answer

The following information outlines the sshd configuration steps needed to restrict SFTP access.

Restrict SFTP only access to a jail directory

1. Add a Match stanza to the end of the /etc/ssh/sshd_config file that matches on User or Group, then place ForceCommand and ChrootDirectory inside that Match block.

Match User user1,user2

or

Match Group sftponly

2. Use ForceCommand with internal-sftp to force the use of an in-process SFTP server that requires no support files when used with ChrootDirectory.

ForceCommand internal-sftp

3. Use ChrootDirectory to specify the pathname of a jail directory to chroot.

ChrootDirectory /jail

Note:

a. The /jail directory must be owned by root with permission 755. Every component of the pathname must be a root-owned directory that is not writable by any other user or group. If SFTP-only users need to upload files, create a subdirectory inside the jail with the appropriate ownership and permissions.

b. The /home directory on AIX is not owned by root, so the home directory cannot be used as the chroot target with ChrootDirectory %h or ChrootDirectory /home.
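As an added example that is not part of this technote, the following POSIX sh script checks the rules from note (a) for a prospective ChrootDirectory: every component from / down to the jail must be a directory owned by root and not writable by group or others. The function names and the optional OWNER argument (which lets the check be exercised on a tree not owned by root) are my own.

```shell
#!/bin/sh
# Check one pathname component: must be a directory, owned by OWNER,
# and carry no group or other write bit. Returns 0 if acceptable.
check_dir_component() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # ls -ld prints e.g. "drwxr-xr-x 2 root system 256 May 30 2019 /jail";
    # field 1 is the mode string, field 3 the owner (same layout on AIX).
    set -- $(ls -ld "$dir")
    mode=$1
    who=$3
    [ "$who" = "$owner" ] || { echo "$dir: owned by $who, expected $owner" >&2; return 1; }
    case "$mode" in
        # character 6 is the group write bit, character 9 the other write bit
        ?????w*|????????w*)
            echo "$dir: writable by group or others ($mode)" >&2; return 1 ;;
    esac
    return 0
}

# Walk every component of JAIL (default expected owner: root) and report
# each violation; returns 0 only when the whole path satisfies sshd's rules.
check_chroot_path() {
    jail=$1
    owner=${2:-root}
    rc=0
    case "$jail" in
        /*) ;;
        *) echo "$jail: ChrootDirectory must be an absolute path" >&2; return 1 ;;
    esac
    p=$jail
    while :; do
        check_dir_component "$p" "$owner" || rc=1
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Usage: sh check_jail.sh /jail
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "$1: acceptable as ChrootDirectory"
fi
```

Run it against the intended jail before restarting sshd; sshd refuses the chroot session when any component fails these checks.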

4. Lock down additional capabilities such as tunneling, authentication agent forwarding, TCP forwarding and X11 forwarding. To restrict users in the sftponly group to the jail directory only, the whole Match stanza looks like this:

Match Group sftponly
  ForceCommand internal-sftp
  ChrootDirectory /jail
  PermitTunnel no
  AllowAgentForwarding no
  AllowTcpForwarding no
  X11Forwarding no

Disallow SFTP completely

1. Disable the sftp subsystem by commenting out the following line in the /etc/ssh/sshd_config file:

Subsystem       sftp    /usr/sbin/sftp-server

2. The sftp command with the -s sftp_server flag can still obtain access even when the remote side has disabled the sftp subsystem, so the /usr/sbin/sftp-server binary must be removed altogether.

SUPPORT:

If additional assistance is required after completing all of the instructions provided in this document, please follow the step-by-step instructions below to contact IBM to open a case for software under warranty or with an active and valid support contract. The technical support specialist assigned to your case will confirm that you have completed these steps.

a.  Document and/or take screen shots of all symptoms, errors, and/or messages that might have occurred

b.  Capture any logs or data relevant to the situation.

c.  Contact IBM to open a case:

   -For electronic support, please visit the IBM Support Community:
     https://www.ibm.com/mysupport
   -If you require telephone support, please visit the web page:
      https://www.ibm.com/planetwide/

d.  Provide a good description of your issue and reference this technote

e.  Upload all of the details and data to your case

   -You can attach files to your case in the IBM Support Community
   -Or Upload data to IBM testcase server analysis:

    http://www.ibm.com/support/docview.wss?uid=ibm10733581



Document Information

More support for:
AIX

Software version:
All Versions

Operating system(s):
AIX

Document number:
886005

Modified date:
30 May 2019

UID

ibm10886005
