How To
Summary
This article describes how to give users chrooted SSH and/or chrooted SFTP access on AIX. With this setup, you can give your users shell access without having to fear that they can see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of.
Objective
- How to set up sftp so that a user can't get out of their home directory, ensuring no other users are affected
- Preserve normal ssh/sftp functionality for most other users
Steps
1) Configure chroot environment
A. Create the chroot directory:
instlab175:/> mkdir /chroot
The permissions of the directory should be as follows:
drwxr-xr-x 7 root system 256 17 Oct 04:10 chroot
B. Create the necessary subdirectories:
instlab175:/> cd /chroot
instlab175:/chroot> mkdir -p dev/pts etc usr/bin usr/sbin usr/lib tmp home
The tmp directory will need 777 permissions.
instlab175:/chroot> chmod 777 tmp
instlab175:/chroot> ls -l
total 0
drwxr-xr-x 3 root system 256 13 Oct 11:40 dev
drwxr-xr-x 2 root system 256 13 Oct 11:40 etc
drwxr-xr-x 2 root system 256 13 Oct 11:40 home
drwxrwxrwx 2 root system 256 13 Oct 11:40 tmp
drwxr-xr-x 5 root system 256 13 Oct 11:40 usr
C. Copy the binaries (and their dependencies) that you want to be available in the chroot environment:
(The system's commands are not visible inside a chrooted environment, so you will have to add the binaries for whatever commands you need to run as a chroot user.) Typical commands include cd, pwd, ls, mkdir, rmdir, rm, and cp, but you can customize the list to suit your needs.
For each command that you want to add, run ldd on the binary to determine its dependencies. For instance:
instlab175:/chroot> ldd /usr/bin/ls
/usr/bin/ls needs:
/usr/lib/libc.a(shr.o)
/unix
/usr/lib/libcrypt.a(shr.o)
Copy all the necessary commands and their dependencies.
instlab175:/chroot> cp /usr/bin/ls usr/bin
instlab175:/chroot> cp /usr/lib/libc.a usr/lib
instlab175:/chroot> cp /usr/lib/libcrypt.a usr/lib
instlab175:/chroot> cp /usr/bin/ksh usr/bin
instlab175:/chroot> cp /usr/bin/mkdir usr/bin
instlab175:/chroot> cp /usr/bin/rmdir usr/bin
instlab175:/chroot> cp /usr/bin/rm usr/bin
instlab175:/chroot> cp /usr/bin/pwd usr/bin
instlab175:/chroot> cp /usr/bin/cp usr/bin
instlab175:/chroot> cp /usr/lib/libefs.a usr/lib
Repeat the steps above for any other commands that you want to include.
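The steps above are done by hand for each binary. The following helper, added here as an example and not part of the IBM technote, turns ldd output in the format shown above into the list of files to copy (archive members such as libc.a(shr.o) are reduced to the archive file, and /unix, which the technote never copies, is dropped), and then reports which of those files are still missing under the chroot root. The ldd output for ksh below is constructed for the demonstration; only the ls lines are taken from the technote.

```shell
#!/bin/sh
# Added example (not from the IBM technote). Assumptions: AIX ldd prints
# "<binary> needs:" followed by one dependency per line, archive members
# appear as "/usr/lib/libc.a(shr.o)", and "/unix" (the kernel image) is
# not copied into the chroot, matching the copy list the technote shows.

# Constructed sample of ldd output for two binaries. The ls lines match the
# technote; the ksh lines are made up for illustration.
SAMPLE_LDD='/usr/bin/ls needs:
   /usr/lib/libc.a(shr.o)
   /unix
   /usr/lib/libcrypt.a(shr.o)
/usr/bin/ksh needs:
   /usr/lib/libc.a(shr.o)
   /unix
   /usr/lib/libcrypt.a(shr.o)
   /usr/lib/libefs.a(shr.o)'

# deps_from_ldd: read ldd output on stdin, print each file to copy once
# (the binary itself plus its libraries), sorted, with the "(member.o)"
# suffix removed and /unix dropped.
deps_from_ldd() {
    awk '
        /needs:$/ { print $1; next }          # the binary itself is copied too
        NF == 0   { next }
        {
            f = $1
            sub(/\(.*\)$/, "", f)             # libc.a(shr.o) -> libc.a
            if (f != "/unix") print f
        }
    ' | LC_ALL=C sort -u
}

# missing_in_chroot ROOT: read a file list on stdin and print each entry that
# does not exist under ROOT (for example /chroot). Exit status 1 if any is missing.
missing_in_chroot() {
    root=$1
    status=0
    while read -r f; do
        [ -n "$f" ] || continue
        if [ ! -e "$root$f" ]; then
            printf '%s\n' "$f"
            status=1
        fi
    done
    return $status
}

# Demo on the constructed sample (no filesystem access needed):
printf '%s\n' "$SAMPLE_LDD" | deps_from_ldd
```

On the real system, run ldd for each binary you intend to provide and feed the combined output through both helpers, for example `for b in /usr/bin/ls /usr/bin/ksh; do ldd "$b"; done | deps_from_ldd | missing_in_chroot /chroot`; anything printed still has to be copied before the chroot test in step E will succeed.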
D. Create the necessary devices:
The next step is to create the necessary devices null, zero, tty, and pts/#. The devices in /chroot/dev must have the same major and minor numbers and permissions as on the original AIX system. Check the values on the AIX system first, create the devices with "mknod," and assign the proper permissions with "chmod" inside the chroot directory.
For instance:
instlab175:/chroot> ls -l /dev/tty
crw-rw-rw- 1 root system 1, 0 13 Oct 11:39 /dev/tty
instlab175:/chroot> ls -l /dev/null
crw-rw-rw- 1 root system 2, 2 13 Oct 12:11 /dev/null
instlab175:/chroot> ls -l /dev/zero
crw-rw-rw- 1 root system 2, 3 11 May 23:37 /dev/zero
instlab175:/chroot>
Now create them in the chroot directory with the mknod command and assign the same permissions as on the original devices:
instlab175:/chroot> mknod dev/tty c 1 0
instlab175:/chroot> mknod dev/null c 2 2
instlab175:/chroot> mknod dev/zero c 2 3
instlab175:/chroot> chmod 666 dev/tty dev/null dev/zero
instlab175:/chroot> ls -al dev
total 0
drwxr-xr-x 3 root system 256 13 Oct 12:12 .
drwxr-xr-x 7 root system 256 13 Oct 11:52 ..
crw-rw-rw- 1 root system 2, 2 13 Oct 12:12 null
drwxr-xr-x 2 root system 256 13 Oct 11:40 pts
crw-rw-rw- 1 root system 1, 0 13 Oct 12:12 tty
crw-rw-rw- 1 root system 2, 3 13 Oct 12:12 zero
Follow the same steps for the pts devices. Usually it is not necessary to have as many pts/# devices in the chroot as in the general AIX environment; on our test system we use 10 pts/# devices, numbered 0 to 9. Create as many pts devices as you need.
To generate the 10 pts devices, do:
/chroot# for i in 0 1 2 3 4 5 6 7 8 9; do mknod /chroot/dev/pts/$i c 22 $i; done
These are the pts devices that we have created for our chroot environment, with the same permissions as the original pts devices.
instlab175:/chroot> ls -l dev/pts
total 0
crw-r--r-- 1 root system 22, 0 13 Oct 12:23 0
crw-r--r-- 1 root system 22, 1 13 Oct 12:23 1
crw-r--r-- 1 root system 22, 2 13 Oct 12:23 2
crw-r--r-- 1 root system 22, 3 13 Oct 12:23 3
crw-r--r-- 1 root system 22, 4 13 Oct 12:23 4
crw-r--r-- 1 root system 22, 5 13 Oct 12:23 5
crw-r--r-- 1 root system 22, 6 13 Oct 12:23 6
crw-r--r-- 1 root system 22, 7 13 Oct 12:23 7
crw-r--r-- 1 root system 22, 8 13 Oct 12:23 8
crw-r--r-- 1 root system 22, 9 13 Oct 12:23 9
instlab175:/chroot> chmod 666 /chroot/dev/pts/*
instlab175:/chroot> ls -l dev/pts
total 0
crw-rw-rw- 1 root system 22, 0 13 Oct 12:23 0
crw-rw-rw- 1 root system 22, 1 13 Oct 12:23 1
crw-rw-rw- 1 root system 22, 2 13 Oct 12:23 2
crw-rw-rw- 1 root system 22, 3 13 Oct 12:23 3
crw-rw-rw- 1 root system 22, 4 13 Oct 12:23 4
crw-rw-rw- 1 root system 22, 5 13 Oct 12:23 5
crw-rw-rw- 1 root system 22, 6 13 Oct 12:23 6
crw-rw-rw- 1 root system 22, 7 13 Oct 12:23 7
crw-rw-rw- 1 root system 22, 8 13 Oct 12:23 8
crw-rw-rw- 1 root system 22, 9 13 Oct 12:23 9
instlab175:/chroot> chmod 622 /chroot/dev/pts/0
instlab175:/chroot> chown root:security /chroot/dev/pts/0
instlab175:/chroot> ls -al /chroot/dev/pts/0
crw--w--w- 1 root security 22, 0 13 Oct 12:23 /chroot/dev/pts/0
instlab175:/chroot> ls -al /dev/pts/0
crw--w--w- 1 root system 22, 0 13 Oct 12:41 /dev/pts/0
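The device step compares ls -l output by eye and types the matching mknod and chmod by hand. The helper below, added as an example and not part of the IBM technote, derives the mknod and chmod commands for a chroot device from the host's ls -l line and compares a host line with its chroot copy, so a wrong major or minor number or a wrong mode is caught. The line format is the one the technote shows; the sample lines are constructed from the technote's listings.

```shell
#!/bin/sh
# Added example (not from the IBM technote). Assumes "ls -l" lines of the form
# "crw-rw-rw- 1 root system 2, 2 13 Oct 12:11 /dev/null": field 1 is the mode,
# field 5 the major number followed by a comma, field 6 the minor number.

HOST_NULL='crw-rw-rw- 1 root system 2, 2 13 Oct 12:11 /dev/null'
CHROOT_NULL='crw-rw-rw- 1 root system 2, 2 13 Oct 12:12 null'
CHROOT_WRONG='crw-rw-rw- 1 root system 2, 3 13 Oct 12:12 null'   # wrong minor

# mode_octal "rw-rw-rw-" (9-character permission string): print the octal mode, e.g. 666
mode_octal() {
    awk -v m="$1" 'BEGIN {
        out = ""
        for (i = 1; i <= 9; i += 3) {
            d = 0
            if (substr(m, i, 1) == "r") d += 4
            if (substr(m, i + 1, 1) == "w") d += 2
            if (substr(m, i + 2, 1) ~ /[xst]/) d += 1   # execute bit only; no setuid/sticky
            out = out d
        }
        print out
    }'
}

# dev_spec "<ls -l line>": print "type major minor octalmode", e.g. "c 2 2 666"
dev_spec() {
    set -- $1                                   # split the line into fields
    type=$(printf '%s' "$1" | cut -c1)          # c = character device
    perm=$(printf '%s' "$1" | cut -c2-10)
    major=${5%,}                                # "2," -> "2"
    minor=$6
    printf '%s %s %s %s\n' "$type" "$major" "$minor" "$(mode_octal "$perm")"
}

# mknod_cmds "<host ls -l line>" <path under the chroot>: print the two commands
# that recreate the device with the same numbers and permissions.
mknod_cmds() {
    path=$2
    set -- $(dev_spec "$1")                     # $1=type $2=major $3=minor $4=mode
    printf 'mknod %s %s %s %s\nchmod %s %s\n' "$path" "$1" "$2" "$3" "$4" "$path"
}

# same_dev "<host line>" "<chroot line>": succeed only when type, major, minor
# and mode all match (owner and timestamp are ignored on purpose).
same_dev() {
    [ "$(dev_spec "$1")" = "$(dev_spec "$2")" ]
}

# Demo on the constructed lines:
mknod_cmds "$HOST_NULL" dev/null
same_dev "$HOST_NULL" "$CHROOT_WRONG" || echo "mismatch detected for $CHROOT_WRONG"
```

On the host, `mknod_cmds "$(ls -l /dev/null)" dev/null` prints the commands to run from /chroot, and after creating the devices a loop such as `for d in tty null zero; do same_dev "$(ls -l /dev/$d)" "$(ls -l /chroot/dev/$d)" || echo "$d differs"; done` confirms each copy matches the original.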
E. Check chroot configuration:
Now that the basic chroot environment has been set up, verify it with the chroot command. Only those commands whose binaries and libraries have been copied can be executed (e.g. "ls" and "cp"). To quit the chroot environment, type `exit`.
instlab175:/chroot> chroot /chroot /usr/bin/ksh
instlab175:/> ls
.sh_history dev etc home tmp unix_64 usr
instlab175:/> touch test
/usr/bin/ksh: touch: not found
instlab175:/> exit
2) Restrict the user/group:
A. Create a home directory for the user:
Create a home directory for the user inside the chroot environment. The chroot directory itself must be owned by root.
To use /chroot as the chroot directory, edit /etc/ssh/sshd_config file and add the following line:
ChrootDirectory /chroot
Set the ownership of the /chroot directory as follows:
#chown root:system /chroot
Say you are logging in as a user named "test" in the chrooted environment (note: this is any normal user on the system).
The home directory of the user "/home/test" has to be created manually inside /chroot.
#cd /chroot
# ls
bin dev etc home lib tmp unix usr
#cd home
#mkdir test
B. For SFTP to run in the chroot environment, set the Subsystem config option in the /etc/ssh/sshd_config file as follows:
Subsystem sftp internal-sftp
This option simplifies the configuration when ChrootDirectory is used, because no sftp-server binary and its libraries have to be copied into the chroot.
To restrict the ChrootDirectory option in the sshd_config file to a particular user, use the 'Match' directive for that user, as shown:
Match User <user name>
ChrootDirectory <Name of the directory to chroot>
Change this to "Match Group" if you are restricting by group instead of individual users.
The following example shows the configuration in /etc/ssh/sshd_config file:
...
# override default of no subsystems
#Subsystem sftp /usr/sbin/sftp-server
Subsystem sftp internal-sftp
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
Match User test
ChrootDirectory /chroot
...
Note: Make sure you add the 'Match' block at the end of the sshd_config file; every directive that follows a Match line belongs to that block, so global settings placed after it would be misapplied.
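Two things commonly go wrong with this configuration: a global directive ends up after the Match block, or the chroot directory is not root-owned or is group/world-writable, in which case sshd refuses to chroot into it. The following lint, added here as an example and not part of the IBM technote, checks a sshd_config text for the first problem and the Subsystem setting, and checks an `ls -ld` line for the second. The configuration snippets are constructed from the technote's example; the user name "test" and the /chroot path are the technote's.

```shell
#!/bin/sh
# Added example (not from the IBM technote). Assumptions: sshd_config uses one
# "Keyword value" directive per line, and "ls -ld" prints the mode in field 1
# and the owner in field 3, as in the technote's listing
# "drwxr-xr-x 7 root system 256 17 Oct 04:10 chroot".

GOOD_CONFIG='# override default of no subsystems
#Subsystem sftp /usr/sbin/sftp-server
Subsystem sftp internal-sftp
Match User test
    ChrootDirectory /chroot'

# Same settings, but Subsystem placed after the Match block, which sshd rejects.
BAD_CONFIG='Match User test
    ChrootDirectory /chroot
Subsystem sftp internal-sftp'

# lint_sshd_config: read sshd_config text on stdin, print one line per problem,
# exit 0 when clean. Checks that "Subsystem sftp internal-sftp" is set and that
# no global-only directive follows the first Match line.
lint_sshd_config() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                    # skip comments and blanks
        tolower($1) == "subsystem" && tolower($2) == "sftp" {
            if (tolower($3) == "internal-sftp") have_internal = 1
        }
        tolower($1) == "match" { in_match = 1; next }
        in_match && tolower($1) ~ /^(subsystem|port|listenaddress|hostkey)$/ {
            printf "global-only directive %s after Match (line %d)\n", $1, NR
            bad = 1
        }
        END {
            if (!have_internal) { print "Subsystem sftp internal-sftp not set"; bad = 1 }
            exit bad + 0
        }
    '
}

# dir_line_ok "<ls -ld line>": succeed only for a root-owned directory with no
# group or other write bit, which is what sshd requires of ChrootDirectory.
dir_line_ok() {
    set -- $1                                 # split the ls -ld line into fields
    mode=$1
    owner=$3
    case "$mode" in
        d?????????*) ;;                       # must be a directory
        *) return 1 ;;
    esac
    [ "$owner" = "root" ] || return 1
    case "$mode" in
        d????w* | d???????w*) return 1 ;;     # group write (6th char) or other write (9th char)
    esac
    return 0
}

# Demo on the constructed snippets:
printf '%s\n' "$BAD_CONFIG" | lint_sshd_config || echo "BAD_CONFIG rejected as expected"
dir_line_ok "drwxr-xr-x 7 root system 256 17 Oct 04:10 chroot" && echo "chroot directory ownership/mode ok"
```

Before restarting sshd, run `lint_sshd_config < /etc/ssh/sshd_config` and `dir_line_ok "$(ls -ld /chroot)"`; where the installed OpenSSH supports it, `sshd -t` performs the authoritative syntax check of the whole file.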
C. Restart sshd for changes to take effect:
# stopsrc -s sshd; startsrc -s sshd
Verify the daemon is active.
# lssrc -s sshd
D. Test the chroot for "test":
instlab175:/> sftp test@localhost
test@localhost's password:
Connected to localhost.
sftp> ls
dev etc home test tmp unix_64 usr vijay
sftp>
sftp> pwd
Remote working directory: /
sftp> cd ..
sftp> ls
dev etc home test tmp unix_64 usr vijay
With the setup above, the sftp user "test" is confined to the chroot directory, while all other users can use sftp as usual.
Additional Information
SUPPORT:
If you have a valid and active IBM Support Subscription, when reporting an issue, please follow the step-by-step instructions below to contact IBM to open a case for software under warranty or with an active and valid support contract. The technical support specialist assigned to your case will confirm that you have completed these steps.
a. Document and/or take screen shots of all symptoms, errors, and/or messages that might have occurred
b. Capture any logs or data relevant to the situation.
c. Contact IBM to open a case:
-For electronic support, please visit the IBM Support Community:
https://www.ibm.com/mysupport
-If you require telephone support, please visit the web page:
https://www.ibm.com/planetwide/
d. Provide a good description of your issue and reference this technote
e. Upload all of the details and data to your case
-You can attach files to your case in the IBM Support Community
-Or Upload data to IBM testcase server analysis:
Document Location
Worldwide
Document Information
Modified date:
09 December 2019
UID
ibm10884420