
Technical Notes

How to Set Up chroot for SFTP Access Only in Reflection for Secure IT or F-Secure SSH UNIX Server
Technical Note 1917
Last Reviewed 01-Feb-2008
Applies To
Reflection for Secure IT UNIX Server version 6.0 or higher
F-Secure SSH Server for UNIX version 3.30 through 5.x
Summary

This technical note describes how to use the UNIX chroot feature to disable a user's UNIX shell and allow SFTP access only, in either the Reflection or F-Secure SSH UNIX Server.

Note: Beginning with version 6.0, the F-Secure SSH product line has a new name, "Reflection for Secure IT."

What is chroot?

Use chroot to change your system's root directory (/) for a specified process, such as the Reflection or F-Secure SSH UNIX Server. See your UNIX host documentation or man pages for more information.

Setting Up chroot in the SSH UNIX Server

To set up chroot, you must make the following modifications to the sshd2_config file. By default, this file is located in the /etc/ssh2 directory.

The steps and examples vary depending on your version.

In Reflection for Secure IT 7.x:

  1. Under the Chrooted environment heading, define the users you want to chroot.

Reflection supports chroot by user and group names, and with the internal sftp server only. Uncomment the relevant lines under the Chrooted environment section heading and add your user(s) to the list.

In this example for setting up chroot by user, the user is named jailuser:

## Chrooted environment
ChrootSftpUsers = jailuser
Subsystem-sftp = internal://sftp-server

In this example for setting up chroot by group, the group is named wheel:

## Chrooted environment
ChrootSftpGroups = wheel
Subsystem-sftp = internal://sftp-server

Note the following:

    • The Subsystem-sftp default setting is correct and is required to use chroot.
    • The user and group names are regular expressions, so you can use settings like:
      ChrootSftpUsers = admin.*
      ChrootSftpGroups = .*dev.*

  2. Stop the sshd2 daemon:
     cat /var/run/sshd2_22.pid
     6611
     kill -9 6611

  3. Restart the ssh server process (sshd2) to force the reloading of the config files:
     /opt/ssh2/sbin/sshd2

If you are unable to locate the sshd2 file, use the UNIX find command.
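Because ChrootSftpUsers and ChrootSftpGroups are regular expressions, a pattern such as admin.* also confines every other account whose name starts with "admin". The following Python script is an added example (not from this technical note or from the Reflection product): it reads the chroot keywords from a constructed 7.x-style sshd2_config fragment and reports which of some constructed sample accounts would be placed in the chroot. It assumes a pattern must match the whole user or group name (re.fullmatch), as the admin.* example suggests; the server's exact matching rules are not stated on this page.

```python
import re

# Constructed sample sshd2_config fragment (7.x keyword style), not a real server's file.
SSHD2_CONFIG = """\
## Chrooted environment
ChrootSftpUsers = admin.*
ChrootSftpGroups = .*dev.*
Subsystem-sftp = internal://sftp-server
"""
# Constructed sample accounts: (user, primary group, login shell) plus supplementary groups.
PASSWD = [
    ("jailuser", "users", "/opt/ssh2/bin/ssh-dummy-shell"),
    ("admin", "wheel", "/bin/bash"),
    ("administrator", "users", "/bin/sh"),
    ("bob", "devops", "/bin/bash"),
    ("alice", "staff", "/bin/bash"),
]
GROUPS = {"webdev": ["alice"]}

def parse_chroot_settings(text):
    """Collect 'Key = value' lines, skipping comments and blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                settings[key.strip()] = value.strip()
    return settings

def chrooted_users(settings, passwd, groups):
    """Users the patterns would confine. Assumption: a pattern must match the
    whole user or group name (re.fullmatch), as 'admin.*' in the note suggests."""
    user_pat = settings.get("ChrootSftpUsers")
    group_pat = settings.get("ChrootSftpGroups")
    confined = set()
    for user, primary, _shell in passwd:
        # Primary group plus every supplementary group that lists the user.
        user_groups = {primary} | {g for g, m in groups.items() if user in m}
        if user_pat and re.fullmatch(user_pat, user):
            confined.add(user)
        elif group_pat and any(re.fullmatch(group_pat, g) for g in user_groups):
            confined.add(user)
    return confined

def audit(config_text, passwd, groups):
    """Return (internal sftp server configured?, sorted chrooted users)."""
    settings = parse_chroot_settings(config_text)
    internal_sftp = settings.get("Subsystem-sftp") == "internal://sftp-server"
    return internal_sftp, sorted(chrooted_users(settings, passwd, groups))
```

With the sample data, audit() reports that "administrator", "alice" (via the webdev group) and "bob" (via the devops primary group) are confined alongside "admin", while "jailuser" is not, which is the kind of result to review before relying on an unanchored pattern.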

In Reflection for Secure IT 6.x or earlier:

  1. Under the Chrooted environment heading, define the users you want to chroot. Uncomment the ChRootUsers line and add your user(s) to the list. In this example, the user is named jailuser:
     ## Chrooted environment
     ChRootUsers anonymous,ftp,guest,jailuser

  2. Under /etc/passwd, change the user's shell to the dummy shell. For example:
     jailuser:x:1003:1::/export/home/jailuser:/opt/ssh2/bin/ssh-dummy-shell

The dummy shell file is often located in the /opt/ssh2/bin or /usr/bin directory. If you are unable to locate the ssh-dummy-shell file, use the UNIX find command.

Note: This method (ChRootUsers together with ssh-dummy-shell) is not supported in version 7.0 or higher.

  3. Stop the sshd2 daemon:
     cat /var/run/sshd2_22.pid
     6611
     kill -9 6611

  4. Restart the ssh server process (sshd2) to force the reloading of the config files:
     /opt/ssh2/sbin/sshd2

If you are unable to locate the sshd2 file, use the UNIX find command.

Related Technical Notes
1900 F-Secure SSH Technical Notes
1999 Reflection for Secure IT Technical Notes
