Go to main content

Managing Secure Shell Access in Oracle® Solaris 11.4

Exit Print View

Updated: June 2019

How to Create an Isolated Directory for sftp Files

This procedure configures an sftponly directory that you create specifically for sftp transfers. Users cannot see any files or directories outside this directory.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. On the Secure Shell server, create the isolated directory as a chroot environment.
    # groupadd sftp
    # useradd -m -G sftp -s /bin/false sftponly
    # chown root:root /export/home/sftponly
    # mkdir /export/home/sftponly/WWW
    # chown sftponly:staff /export/home/sftponly/WWW

    In this configuration, /export/home/sftonly is the chroot directory that only the root account has access to. Users have write permission to the sftponly/WWW subdirectory.

  2. Still on the server, configure a Match block for the sftp group.

    In the /etc/ssh/sshd_config file, locate the sftp subsystem entry and modify the file as follows:

    # pfedit /etc/ssh/sshd_config
    ## Match Group for Subsystem
    ## At end of file, to follow all global options
    Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

      You can use the following variables to specify the chroot path:

    • %h – Specifies the home directory.

    • %u – Specifies the username of the authenticated user.

    • %% – Escapes the % sign.

  3. On the client, verify that the configuration works correctly.

    The files in your chroot environment might be different.

    root@client:~# ssh sftponly@server
    This service allows sftp connections only.
    Connection to server closed. No shell access, sftp is enforced.
    root@client:~# sftp sftponly@server
    sftp> pwd sftp access granted
    Remote working directory: /chroot directory looks like root directory
    sftp> ls
    WWW             local.cshrc     local.login     local.profile
    sftp> get local.cshrc
    Fetching /local.cshrc to local.cshrc
    /local.cshrc    100%  166     0.2KB/s   00:00user can read contents
    sftp> put /etc/motd
    Uploading /etc/motd to /motd
    Couldn't get handle: Permission denieduser cannot write to / directory
    sftp> cd WWW
    sftp> put /etc/motd
    Uploading /etc/motd to /WWW/motd
    /etc/motd     100%  118     0.1KB/s   00:00user can write to WWW directory
    sftp> ls -l
    -rw-r--r--    1 101  10    118 Jul 20 09:07 motdsuccessful transfer