CSIA AN

asked on
Permit ONLY SFTP service on AIX 7.2 system

I'm trying to chroot jail the SFTP service on an AIX 7.2 system. What I mean is to allow users from the 'sftpgrp' group ONLY SFTP access. Authentication is through SSH keys (no password). Also, no SSH login is allowed for users inside the 'sftpgrp' group.

So far chrooted SFTP is working properly, I mean, users in the sftpgrp group access their chrooted HOME DIRECTORY without problem.

But the problem is when these users try to SSH (using a pub key) to the same server; I get this error:

/dev/pts/5: No such file or directory
open /dev/tty failed - could not set controlling tty: No such device

See part of the debug log from SSHD:

.
.
debug3: aix_restoreauthdb: restoring old registry ''
debug1: audit session open euid 0 user iga3 tty name /dev/pts/5
debug3: mm_request_send entering: type 26
debug3: mm_answer_pty: tty /dev/pts/5 ptyfd 6
debug1: session_pty_req: session 0 alloc /dev/pts/5
debug1: Ignoring unsupported tty mode opcode 42 (0x2a)
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Forced command (config) 'internal-sftp -l INFO'
debug1: Values: options.num_allow_users: 0
debug1: RLOGIN VALUE  :0

debug3: mm_audit_run_command entering command internal-sftp -l INFO
debug3: mm_request_send entering: type 57
/dev/pts/5: No such file or directory
open /dev/tty failed - could not set controlling tty: No such device
debug3: mm_request_receive entering
debug3: monitor_read: checking request 57
debug3: mm_answer_audit_command entering
debug1: audit run command euid 0 user iga3 command 'internal-sftp -l INFO'
.
.


This is the sshd_config file.
Port 22
Protocol 2
MaxAuthTries 4
MaxSessions 10
IgnoreRhosts yes
PermitEmptyPasswords no
PrintMotd no
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
ClientAliveInterval 0
ClientAliveCountMax 7200
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Banner /etc/issue.net
Subsystem sftp internal-sftp -f LOCAL6 -l INFO

  Match Group sftpgrp
  ChrootDirectory /sftphome/%u
  ForceCommand internal-sftp -l INFO
  PermitTunnel no
  AllowAgentForwarding no
  AllowTcpForwarding no
  X11Forwarding no  
  PasswordAuthentication no


Any idea how to block SSH login but at the same time permit SFTP for users inside 'sftpgrp' group?

Thanks
ASKER CERTIFIED SOLUTION
woolmilkporc
CSIA AN

ASKER
Hello wmp! Long time no see. Indeed, you're the best in EE, jee
After commenting out ForceCommand, it seems to be working as I want. When a user inside sftpgrp tries to SSH (using keys), they get 'Remote login for user YYY is not allowed', so SSHD closes the session. But if the same user opens an SFTP connection, it's able to access the chrooted HOME DIRECTORY.

But I don't know why the SFTP daemon only sends LOGS for users outside the 'sftpgrp' group. For example, if a user is not inside this group, the SFTP logs show information about what this user is doing:
May 15 16:12:53 sftpsrv auth|security:info sshd[7799228]: subsystem request for sftp by user israel
May 15 16:12:53 sftpsrv local6:info internal-sftp[8454400]: session opened for local user israel from [172.21.10.78]
May 15 16:12:53 sftpsrv local6:info internal-sftp[8454400]: session opened for local user israel from [172.21.10.78]
May 15 16:12:53 sftpsrv local6:info internal-sftp[8454400]: opendir "/home/is"
May 15 16:12:53 sftpsrv local6:info internal-sftp[8454400]: opendir "/home/israel"
May 15 16:12:53 sftpsrv local6:info internal-sftp[8454400]: closedir "/home/israel"
May 15 16:12:53 sftpsrv local6:info internal-sftp[8454400]: closedir "/home/israel"
.
.
.


But for users inside 'sftpgrp' it's not logging anything. Seems like some kind of permission.

Let me make some tests again. I'll be back!

Thanks much!!
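As an added example (not code from this thread, nor from OpenSSH or AIX), a small POSIX sh script that checks the conditions the thread converges on for the sftp-only group: the Match block chroots the group and carries no ForceCommand, each component of the chroot path satisfies sshd's ownership rules, and the account's AIX rlogin attribute is false. The group name, the sshd_config path and the text format of `lsuser -a rlogin USER` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: checks for an sftp-only group on AIX.
# Assumed: group and sshd_config path are parameters; remote-login state is read
# from the text of 'lsuser -a rlogin USER' (e.g. "iga3 rlogin=false").

# Print the active directives inside "Match Group <grp>", up to the next Match.
match_block() {  # $1 = sshd_config, $2 = group
  awk -v g="$2" '
    /^[ \t]*Match[ \t]/ { inblk = ($0 ~ ("Match[ \t]+Group[ \t]+" g "([ \t]|$)")); next }
    inblk && !/^[ \t]*(#|$)/ { sub(/^[ \t]+/, ""); print }
  ' "$1"
}

# 0 when the group is chrooted and its block sets no ForceCommand. With one, a
# plain ssh "req shell" runs internal-sftp inside the chroot, which has no /dev/pts
# (the "could not set controlling tty" error); without it, rlogin=false refuses the shell.
check_match_block() {  # $1 = sshd_config, $2 = group
  blk=$(match_block "$1" "$2")
  printf '%s\n' "$blk" | grep -q '^ChrootDirectory[ \t]' || { echo "no ChrootDirectory for $2" >&2; return 1; }
  printf '%s\n' "$blk" | grep -q '^ForceCommand[ \t]' && { echo "ForceCommand set for $2" >&2; return 1; }
  return 0
}

# sshd accepts ChrootDirectory only if every path component is root-owned and
# not group/world writable. $1 = owner, $2 = mode string as printed by 'ls -ld'.
chroot_component_ok() {
  [ "$1" = root ] || return 1
  case "$2" in ?????w*|????????w*) return 1 ;; esac   # char 6 = g+w, char 9 = o+w
  return 0
}

# Walk a real directory upward with ls -ld, checking each level.
check_chroot_dir() {  # $1 = directory
  d=$1
  while [ -n "$d" ] && [ "$d" != / ]; do
    set -- $(ls -ld "$d"); chroot_component_ok "$3" "$1" || { echo "bad: $d" >&2; return 1; }
    d=$(dirname "$d")
  done
}

# 0 when the lsuser output shows remote login disabled for the account.
rlogin_disabled() { printf '%s\n' "$1" | grep -q '[ \t]rlogin=false'; }

# Constructed sample: the question's Match block, then the same with ForceCommand removed.
demo() {
  f=$(mktemp)
  printf 'Subsystem sftp internal-sftp -l INFO\nMatch Group sftpgrp\n  ChrootDirectory /sftphome/%%u\n  ForceCommand internal-sftp -l INFO\n' > "$f"
  check_match_block "$f" sftpgrp && before=0 || before=1
  grep -v '^ *ForceCommand' "$f" > "$f.fixed"; check_match_block "$f.fixed" sftpgrp && after=0 || after=1
  rm -f "$f" "$f.fixed"; echo "with ForceCommand: rc=$before, without: rc=$after"
}
```

Run `demo` for the constructed case, or `check_match_block /etc/ssh/sshd_config sftpgrp && check_chroot_dir /sftphome/iga3` against a live host.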
Please take into account that those users are chrooted!
Which way did you manage their access to the logging facility?  Writes to syslog go via /dev/log which is unreachable from a chrooted environment. A workaround would be adding the socket file to the chrooted file structure, but unfortunately the AIX syslog config doesn't allow for specifying alternate sockets to read from (rsyslog can do it, by the way).
So what was your idea here?
CSIA AN

ASKER
Perfect! Everything is working fine. See ya WMP!