AIX SFTP Best Practices
SFTP is a functional part of SSH that replaces the behavior of FTP in a secure fashion. On AIX it is great for transferring files and for batch-job uploads and downloads, and it is much more secure, using SSL on the wire and offering a variety of authentication options.
Unfortunately, when left in the default configuration, the SSH server on AIX allows all users to use SFTP to access any files on the system (subject to filesystem permissions). It's common to see my customers surprised when an unprivileged application account can SFTP in with WinSCP and browse the entire system.
Lock down SFTP
The best approach is to lock down SFTP access to specific accounts only. The first step is to globally disable access to the SFTP service.
To do so we must change /etc/ssh/sshd_config so that the SFTP subsystem setting is disabled with /bin/false:
# Commented out to disable SFTP for all users
# Subsystem sftp /usr/sbin/sftp-server
# Fail all SFTP calls with false
Subsystem sftp /bin/false
Then disable the SFTP service executable:
chmod 000 /usr/sbin/sftp-server
If only the configuration file is changed, the user can log in with an SSH command of /usr/sbin/sftp-server and access SFTP anyway! By removing all permissions on the executable we prevent any user from running it without having to delete it. I recommend keeping it in this disabled state, as it is a self-documenting solution; simply renaming the binary could still allow the bypass with the new filename.
Test and update your SSH configuration changes following the instructions on my other post AIX SSH Best Practices.
Once done, SFTP connections from tools like WinSCP [1] or the sftp command should disconnect instantly.
Selectively allow SFTP
We will create a group for SFTP users. Only accounts in the group will be allowed to use SFTP, and those accounts will be allowed to use only SFTP. This is suitable for service and batch accounts, since they should only be allowed to transfer files without running commands or obtaining a shell.
Administrative users like root are often more likely to use tools like scp or rsync than SFTP, so this should not impact day-to-day operations.
Let's make a dedicated group, and remember to check your group IDs:
mkgroup id=600 sftpuser
Then update /etc/ssh/sshd_config with a new Match directive at the end of the file:
Match Group sftpuser
    ChrootDirectory "%h"
    ForceCommand internal-sftp -u 0077
This group-matching directive tells sshd to force the command on login to the internal SFTP server, allowing only SFTP access. While we disabled the sftp-server binary, there is an internal implementation that can be used instead.
The ChrootDirectory directive says that the user may only SFTP files in their home directory (%h). This is very important so that the user can only see a limited set of files, instead of browsing the entire root filesystem! This may require /home to be owned by root instead of bin; however, this has little impact in practice. The -u flag specifies the umask, and 0077 is very strict.
Now you can assign new users to the sftpuser group as an additional group. I recommend using SSH keys for SFTP users, especially for outside vendors.
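To verify that all three controls above (global Subsystem set to /bin/false, the sftpuser Match block, and the mode-000 binary) are actually in place on a host, here is an added POSIX sh check; it is my own example and not part of the original post. The config and binary paths, the sftpuser group name and the sample files that write_samples creates are assumptions for illustration.

```shell
#!/bin/sh
# Audit the SFTP lockdown from this post against an sshd_config and the
# sftp-server binary. Hypothetical helper, not part of the original post.

# First uncommented "Subsystem sftp" value in the global section
# (sshd uses the first value it sees; Match blocks are not scanned).
sftp_global_subsystem() {
    awk 'tolower($1)=="match" {exit}
         tolower($1)=="subsystem" && tolower($2)=="sftp" && v=="" {v=$3}
         END {print v}' "$1"
}

# 0 when a "Match Group <grp>" block sets ChrootDirectory %h and
# ForceCommand internal-sftp (a single exact group name is assumed).
sftp_match_block_ok() {
    awk -v grp="$2" '
        tolower($1)=="match" {inb=(tolower($2)=="group" && $3==grp); next}
        inb && tolower($1)=="chrootdirectory" && ($2=="%h" || $2=="\"%h\"") {chroot=1}
        inb && tolower($1)=="forcecommand" && $2=="internal-sftp" {force=1}
        END {exit (chroot && force) ? 0 : 1}' "$1"
}

# 0 when the mode is exactly 000; ls is used because -r/-w/-x always succeed for root.
binary_disabled() {
    [ "$(ls -ld "$1" | cut -c2-10)" = "---------" ]
}

# audit_sftp CONFIG BINARY: 0 only if all three controls are in place.
audit_sftp() {
    [ "$(sftp_global_subsystem "$1")" = "/bin/false" ] ||
        { echo "FAIL: global 'Subsystem sftp' is not /bin/false"; return 1; }
    sftp_match_block_ok "$1" sftpuser ||
        { echo "FAIL: no sftpuser Match block with chroot %h + internal-sftp"; return 1; }
    binary_disabled "$2" ||
        { echo "FAIL: $2 is not mode 000"; return 1; }
    echo "OK: SFTP lockdown in place"
}

# Constructed samples (not real AIX files): a hardened config, a default
# config, and a stand-in for /usr/sbin/sftp-server with mode 000.
write_samples() {
    mkdir -p "$1"
    printf '%s\n' '# Subsystem sftp /usr/sbin/sftp-server' \
        'Subsystem sftp /bin/false' 'Match Group sftpuser' \
        '    ChrootDirectory "%h"' \
        '    ForceCommand internal-sftp -u 0077' > "$1/hardened.conf"
    printf '%s\n' 'Subsystem sftp /usr/sbin/sftp-server' > "$1/default.conf"
    : > "$1/sftp-server" && chmod 000 "$1/sftp-server"
}
```

On a real host, source the file and run `audit_sftp /etc/ssh/sshd_config /usr/sbin/sftp-server`; a non-zero exit with a FAIL line means one of the steps above was skipped or has since been undone.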