This procedure configures an sftponly directory that you create specifically for sftp transfers. Users cannot see any files or directories outside this directory.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
# groupadd sftp
# useradd -m -G sftp -s /bin/false sftponly
# chown root:root /export/home/sftponly
# mkdir /export/home/sftponly/WWW
# chown sftponly:staff /export/home/sftponly/WWW
In this configuration, /export/home/sftponly is the chroot directory, which only the root account has access to. Users have write permission to the sftponly/WWW subdirectory.
In the /etc/ssh/sshd_config file, locate the sftp subsystem entry and modify the file as follows:
# pfedit /etc/ssh/sshd_config
...
## Match Group for Subsystem
## At end of file, to follow all global options
Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
You can use the following variables to specify the chroot path:
%h – Specifies the home directory.
%u – Specifies the username of the authenticated user.
%% – Escapes the % sign.
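The following checker is an added example and is not part of the Oracle Solaris documentation or of OpenSSH. It shows three things a practitioner wants to verify before restarting sshd with the configuration above: how the %h, %u and %% tokens expand into a ChrootDirectory path; that every component of the resulting chroot path is a root-owned directory that no other user or group can write to (sshd refuses to chroot otherwise); and that the Match Group block carries the ChrootDirectory, ForceCommand internal-sftp and AllowTcpForwarding no directives. The sample sshd_config text, the user and group names and the temporary directories are constructed for the demonstration; the owner_uid and top parameters exist so the check can be exercised on a scratch tree without root.

```python
"""Added example (not Oracle's or OpenSSH's code): sanity-check an sftp chroot
setup like the one in the procedure above before restarting sshd."""
import os
import re
import stat
import tempfile
from typing import Dict, List


def expand_chroot_path(template: str, home: str, user: str) -> str:
    """Expand %h (home directory), %u (username) and %% (literal %) the way
    sshd does for a ChrootDirectory value."""
    out = []
    i = 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            tok = template[i + 1]
            if tok == "h":
                out.append(home)
            elif tok == "u":
                out.append(user)
            elif tok == "%":
                out.append("%")
            else:
                raise ValueError(f"unknown token %{tok} in {template!r}")
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def chroot_path_problems(path: str, owner_uid: int = 0, top: str = "/") -> List[str]:
    """Report why sshd would refuse this chroot path: every component from
    `top` down to `path` must be a directory owned by `owner_uid` (root in
    production) and not writable by group or others."""
    problems = []
    path, top = os.path.abspath(path), os.path.abspath(top)
    components = []
    p = path
    while True:
        components.append(p)
        if p == top or p == os.path.dirname(p):
            break
        p = os.path.dirname(p)
    for p in reversed(components):
        try:
            st = os.stat(p)
        except FileNotFoundError:
            problems.append(f"{p}: does not exist")
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{p}: not a directory")
        if st.st_uid != owner_uid:
            problems.append(f"{p}: owned by uid {st.st_uid}, expected {owner_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{p}: writable by group or others "
                            f"(mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


# Directive -> required value (None means any non-empty value is acceptable).
REQUIRED_IN_MATCH: Dict[str, str] = {
    "chrootdirectory": None,
    "forcecommand": "internal-sftp",
    "allowtcpforwarding": "no",
}


def sftp_match_problems(config_text: str, group: str = "sftp") -> List[str]:
    """Check that sshd_config has a 'Match Group <group>' block setting the
    three directives from the procedure. Directives after a Match line belong
    to that block until the next Match line, which is why the block goes last."""
    problems = []
    in_block, found = False, False
    seen: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_block = value.lower().split() == ["group", group.lower()]
            found = found or in_block
            continue
        if in_block:
            seen[key] = value
    if not found:
        return [f"no 'Match Group {group}' block found"]
    for key, want in REQUIRED_IN_MATCH.items():
        if key not in seen or not seen[key]:
            problems.append(f"Match Group {group}: missing {key}")
        elif want is not None and seen[key].lower() != want:
            problems.append(f"Match Group {group}: {key} is {seen[key]!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    # Constructed config mirroring the procedure; real checks read /etc/ssh/sshd_config.
    sample = "Subsystem sftp internal-sftp\nMatch Group sftp\n  ChrootDirectory %h\n" \
             "  ForceCommand internal-sftp\n  AllowTcpForwarding no\n"
    print("config problems:", sftp_match_problems(sample) or "none")
    print("chroot:", expand_chroot_path("%h", "/export/home/sftponly", "sftponly"))
    with tempfile.TemporaryDirectory() as tmp:      # scratch tree, not a real chroot
        os.mkdir(os.path.join(tmp, "sftponly"), 0o755)
        print("path problems:", chroot_path_problems(os.path.join(tmp, "sftponly"),
                                                     owner_uid=os.getuid(), top=tmp) or "none")
```

On the real host, run chroot_path_problems on the expanded path with the defaults (owner_uid=0, top="/") and sftp_match_problems on the contents of /etc/ssh/sshd_config; an empty list from both is what you want before restarting the ssh service.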
The files in your chroot environment might be different.
root@client:~# ssh sftponly@server
This service allows sftp connections only.
Connection to server closed.                   <- No shell access; sftp is enforced.
root@client:~# sftp sftponly@server
sftp> pwd                                      <- sftp access granted
Remote working directory: /                    <- chroot directory looks like the root directory
sftp> ls
WWW local.cshrc local.login local.profile
sftp> get local.cshrc
Fetching /local.cshrc to local.cshrc
/local.cshrc 100% 166 0.2KB/s 00:00            <- user can read contents
sftp> put /etc/motd
Uploading /etc/motd to /motd
Couldn't get handle: Permission denied         <- user cannot write to the / directory
sftp> cd WWW
sftp> put /etc/motd
Uploading /etc/motd to /WWW/motd
/etc/motd 100% 118 0.1KB/s 00:00               <- user can write to the WWW directory
sftp> ls -l
-rw-r--r-- 1 101 10 118 Jul 20 09:07 motd      <- successful transfer
sftp>