Managing Secure Shell Access in Oracle^® Solaris 11.3

How to Create an Isolated Directory for sftp Files

This procedure configures an sftponly directory that you create specifically for sftp transfers. Users cannot see any files or directories outside this directory.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

1. On the Secure Shell server, create the isolated directory as a chroot environment.

   # groupadd sftp
   # useradd -m -G sftp -s /bin/false sftponly
   # chown root:root /export/home/sftponly
   # mkdir /export/home/sftponly/WWW
   # chown sftponly:staff /export/home/sftponly/WWW

   In this configuration, /export/home/sftonly is the chroot directory that only the root account has access to. Users have write permission to the sftponly/WWW subdirectory.

2. Still on the server, configure a Match block for the sftp group.

   In the /etc/ssh/sshd_config file, locate the sftp subsystem entry and modify the file as follows:

   # pfedit /etc/ssh/sshd_config
   ...
   ## sftp subsystem
   ##Subsystem       sftp    /usr/lib/ssh/sftp-server
   Subsystem       sftp    internal-sftp
   ...
   ## Match Group for Subsystem
   ## At end of file, to follow all global keywords
   Match Group sftp
   ChrootDirectory %h
   ForceCommand internal-sftp
   AllowTcpForwarding no

   You can use the following variables to specify the chroot path:

   • %h – Specifies the home directory.

   • %u – Specifies the username of the authenticated user.

   • %% – Escapes the % sign.

3. On the client, verify that the configuration works correctly.

   The files in your chroot environment might be different.

   root@client:~# ssh sftponly@server
   This service allows sftp connections only.
   Connection to server closed. No shell access, sftp is enforced.
   root@client:~# sftp sftponly@server
   sftp> pwd sftp access granted
   Remote working directory: /chroot directory looks like root directory
   sftp> ls
   WWW             local.cshrc     local.login     local.profile
   sftp> get local.cshrc
   Fetching /local.cshrc to local.cshrc
   /local.cshrc    100%  166     0.2KB/s   00:00user can read contents
   sftp> put /etc/motd
   Uploading /etc/motd to /motd
   Couldn't get handle: Permission denieduser cannot write to / directory
   sftp> cd WWW
   sftp> put /etc/motd
   Uploading /etc/motd to /WWW/motd
   /etc/motd     100%  118     0.1KB/s   00:00user can write to WWW directory
   sftp> ls -l
   -rw-r--r--    1 101  10    118 Jul 20 09:07 motdsuccessful transfer
   sftp>