How to Setup chroot for SFTP Access Only in Reflection for Secure IT UNIX Server

  • 7021938
  • 17-Feb-2005
  • 02-Mar-2018

Environment

Reflection for Secure IT UNIX Server version 7.0 or higher

Situation

This technical note describes how to set up the Reflection for Secure IT UNIX Server to chroot users who transfer files with sftp or sftp2 and scp or scp2, and to disable an SSH user's UNIX shell and exec session types.

Note: chroot does not work with scp connections made by OpenSSH clients; OpenSSH scp connections do not use the sftp subsystem that Reflection for Secure IT scp connections use.

Resolution

To chroot file transfer users, you must make the following modifications to the sshd2_config file. By default, this file is located in the /etc/ssh2 directory.

The steps and examples vary depending on your version.

In Reflection for Secure IT version 7.x:

  1. Define the users for whom you want to limit file access.

Reflection supports chroot by user and group names, and only with the internal sftp server. The internal sftp server is enabled by default. Uncomment one or both of the keywords in the following example.

In this example for setting up chroot by user and group, the users are named user1 and user2, and the group is named sftpusers.

ChrootSftpUsers = user1,user2
ChrootSftpGroups = sftpusers

Make sure that sftp-server is enabled; in the sshd2 config, the following line must be uncommented:

Subsystem-sftp = internal://sftp-server

Note the following:

    • The Subsystem-sftp default setting is correct and is required to use chroot.
    • The user and group names are regular expressions, so you can use settings like:
ChrootSftpUsers = admin.*
ChrootSftpGroups = .*dev.*
    • You do not have to restart the server to enable the keywords. Once you save the sshd2 config file, the functionality provided by the keywords will apply to subsequent connections.
    • Connection reuse may fail if the server administrator has configured restricted directory access using ChrootSftpGroups or ChrootSftpUsers.
  2. Use the SessionRestricted keyword in a subconfig file to prevent shell and exec session types by the users in ChrootSftpUsers or ChrootSftpGroups when they are chrooted.

In the following example, the users in the sftpusers group will be restricted to only subsystem access, while user1 and user2 will continue to have shell and exec access.

    1. Uncomment the keyword UserSpecificConfig, and for the sftpusers group, point to a subconfig file located in /etc/ssh2/subconfig:
ChrootSftpUsers = user1,user2
ChrootSftpGroups = sftpusers
Subsystem-sftp = internal://sftp-server
UserSpecificConfig .*%sftpusers /etc/ssh2/subconfig/sftpusers
    2. Create the sftpusers subconfig file to include the following line:
SessionRestricted subsystem

Members of the sftpusers group will no longer be allowed to execute remote commands or access a shell after completing authentication. These users will not be able to transfer files from an scp client that does not use the sftp subsystem.
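The note states that the ChrootSftpUsers and ChrootSftpGroups values are regular expressions, and that users matched only by the chroot keywords (user1 and user2 above) keep shell and exec access unless a UserSpecificConfig rule also applies SessionRestricted to them. The following script is an added example for this note, not code from Reflection for Secure IT: given an sshd2_config excerpt, the subconfig contents and a constructed list of accounts, it reports which accounts would be chrooted and which of those are also limited to the sftp subsystem. It assumes that each comma-separated pattern must match the whole user or group name (Python re.fullmatch) and that the UserSpecificConfig pattern is matched against "user%group" the same way; the server's own regex engine and anchoring rules may differ, so treat the output as an audit aid rather than an authoritative evaluation.

```python
"""Audit which accounts a Reflection for Secure IT 7.x sshd2_config chroots
and which of those are also limited to the sftp subsystem.

Added example for this note, not product code. Assumptions: the chroot
keywords hold comma-separated regular expressions matched against the whole
name (re.fullmatch); UserSpecificConfig patterns are matched against
"user%group" the same way; Python re syntax stands in for the server's.
"""
import re

# Constructed sshd2_config excerpt: the note's example plus one regex group.
SSHD2_CONFIG = """\
ChrootSftpUsers = user1,user2
ChrootSftpGroups = sftpusers,.*dev.*
Subsystem-sftp = internal://sftp-server
UserSpecificConfig .*%sftpusers /etc/ssh2/subconfig/sftpusers
"""

# Constructed subconfig contents, keyed by the path UserSpecificConfig names.
SUBCONFIGS = {"/etc/ssh2/subconfig/sftpusers": "SessionRestricted subsystem\n"}

# Constructed account data: login -> groups the account belongs to.
ACCOUNTS = {
    "user1": ["staff"],      # named in ChrootSftpUsers
    "user10": ["staff"],     # not matched: "user1" must match the whole name
    "sam": ["sftpusers"],    # chrooted via group, restricted via subconfig
    "bob": ["devops"],       # chrooted via the broad .*dev.* pattern
    "dave": ["users"],
}

# "Keyword = value" and "Keyword value" forms both appear in the note.
KEYWORD = re.compile(r"^([A-Za-z][\w-]*)\s*=?\s*(.*)$")


def parse_config(text):
    """Collect the keywords this audit cares about from an sshd2_config."""
    cfg = {"users": [], "groups": [], "rules": [], "internal_sftp": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "ChrootSftpUsers":
            cfg["users"] += [p.strip() for p in value.split(",") if p.strip()]
        elif key == "ChrootSftpGroups":
            cfg["groups"] += [p.strip() for p in value.split(",") if p.strip()]
        elif key == "Subsystem-sftp":
            cfg["internal_sftp"] = value == "internal://sftp-server"
        elif key == "UserSpecificConfig":
            pattern, path = value.split(None, 1)
            cfg["rules"].append((pattern, path.strip()))
    return cfg


def _any_match(patterns, name):
    return any(re.fullmatch(p, name) for p in patterns)


def _session_restricted(cfg, user, groups, subconfigs):
    """True if a matching subconfig carries 'SessionRestricted subsystem'."""
    for pattern, path in cfg["rules"]:
        if any(re.fullmatch(pattern, f"{user}%{g}") for g in groups):
            body = subconfigs.get(path, "")
            if re.search(r"^\s*SessionRestricted\s+subsystem\b", body, re.M):
                return True
    return False


def audit(config_text, accounts, subconfigs):
    """Return {login: (chrooted, session_restricted)} for every account."""
    cfg = parse_config(config_text)
    if not cfg["internal_sftp"]:
        # The note: chroot works only with the internal sftp server.
        raise ValueError("chroot requires Subsystem-sftp = internal://sftp-server")
    report = {}
    for user, groups in accounts.items():
        chrooted = _any_match(cfg["users"], user) or any(
            _any_match(cfg["groups"], g) for g in groups)
        report[user] = (chrooted, _session_restricted(cfg, user, groups, subconfigs))
    return report


def shell_capable_chroot_users(report):
    """Chrooted accounts that keep shell/exec access (no SessionRestricted)."""
    return sorted(u for u, (chrooted, restricted) in report.items()
                  if chrooted and not restricted)


if __name__ == "__main__":
    result = audit(SSHD2_CONFIG, ACCOUNTS, SUBCONFIGS)
    for login, (chrooted, restricted) in sorted(result.items()):
        print(f"{login:8} chrooted={chrooted!s:5} sftp_only={restricted}")
    print("chrooted but still shell-capable:", shell_capable_chroot_users(result))
```

Run against the constructed data, the script shows bob chrooted by the .*dev.* pattern even though no administrator named devops explicitly, and user1 and bob listed as chrooted accounts that still have shell and exec access because no SessionRestricted subconfig matches them; replacing ACCOUNTS with output from getent passwd and getent group on a real host turns it into a quick review of a proposed configuration.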
In the chroot environment, chroot sftp users have an /etc directory that contains two files: rsit.conf and localtime. These files are required for correct product functionality and should not be removed. Removed files will be created again the next time the user logs in.

Note: In addition to the /etc directory, on AIX hosts, /dev/null is required for correct system logging functionality.

In Reflection for Secure IT version 6.1:

  1. Under the Chrooted environment heading, define the users you want to chroot. Uncomment the line ChRootUsers and add your user(s) to the list. In this example, the user jailuser is being added to the default list:
## Chrooted environment
ChRootUsers anonymous,ftp,guest,jailuser
  2. Under /etc/passwd, change the user's shell to the dummy shell. For example, use the command usermod -s /usr/bin/ssh-dummy-shell jailuser to change jailuser's shell. The entry in the passwd file will now look like the following:
jailuser:x:515:515::/home/jailuser:/usr/bin/ssh-dummy-shell

The dummy shell file is often located in the /opt/ssh2/bin or /usr/bin directory. If you are unable to locate the ssh-dummy-shell file, use the UNIX find command.

Note: The dummy shell file is not supported in version 7.0 or higher.

  3. Stop the sshd2 daemon:
cat /var/run/sshd2_22.pid
6611
kill -9 6611

  4. Start the ssh server process (sshd2) to force the reloading of the config files:
/usr/sbin/sshd2
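In the version 6.1 procedure the chroot list and the shell change live in two different files, so an account can end up in ChRootUsers while still carrying a real login shell. The following script is an added example for this note, not product code: it cross-checks the uncommented ChRootUsers line against passwd-format entries and reports listed logins whose shell is not the dummy shell, plus listed logins that have no passwd entry at all. It assumes ChRootUsers is a plain comma-separated list of login names (not regular expressions) and identifies the dummy shell by its basename ssh-dummy-shell, since the note says the file may live in /opt/ssh2/bin or /usr/bin; the passwd lines shown are constructed sample data.

```python
"""Cross-check a Reflection for Secure IT 6.1 ChRootUsers list against
/etc/passwd entries so every chrooted login really uses the dummy shell.

Added example for this note, not product code. Assumptions: ChRootUsers is
a plain comma-separated list of login names, and the dummy shell is
recognised by its basename wherever it is installed.
"""
import posixpath

DUMMY_SHELL = "ssh-dummy-shell"

# Constructed sshd2_config excerpt following the note's example.
SSHD2_CONFIG = """\
## Chrooted environment
ChRootUsers anonymous,ftp,guest,jailuser,auditor
"""

# Constructed passwd lines: jailuser follows the note, auditor does not.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jailuser:x:515:515::/home/jailuser:/usr/bin/ssh-dummy-shell
guest:x:516:516::/home/guest:/opt/ssh2/bin/ssh-dummy-shell
auditor:x:517:517::/home/auditor:/bin/sh
"""


def chroot_users(config_text):
    """Return the login names listed on uncommented ChRootUsers lines."""
    names = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "ChRootUsers":
            names += [n.strip() for n in parts[1].split(",") if n.strip()]
    return names


def passwd_shells(passwd_text):
    """Map login -> shell field for well-formed passwd-format lines."""
    shells = {}
    for raw in passwd_text.splitlines():
        fields = raw.strip().split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells


def check(config_text, passwd_text):
    """Return (wrong_shell, missing): chrooted logins whose shell is not the
    dummy shell, and listed logins with no passwd entry."""
    shells = passwd_shells(passwd_text)
    wrong_shell, missing = [], []
    for user in chroot_users(config_text):
        if user not in shells:
            missing.append(user)
        elif posixpath.basename(shells[user]) != DUMMY_SHELL:
            wrong_shell.append(user)
    return wrong_shell, missing


if __name__ == "__main__":
    bad, absent = check(SSHD2_CONFIG, PASSWD)
    print("chrooted logins without the dummy shell:", bad)
    print("chrooted logins with no passwd entry:", absent)
```

On a real host, read the two inputs from /etc/ssh2/sshd2_config and the output of getent passwd; an account reported in the first list should have its shell changed with usermod as described in step 2 before the daemon is restarted.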

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 1917.