SFTP is a functional part of SSH which replaces the behavior of FTP in a secure fashion. This is great on AIX for transferring files, batch job uploads and downloads, and much more secure using SSL on the wire and with a variety of authentication options.
Unfortunately, when left in the default configuration, the SSH server on AIX allows all users to use SFTP to access any files on the system (subject to filesystem permissions). It's common to see my customers be surprised when an unprivileged application account can SFTP in with WinSCP and browse the entire system.
The best alternative is to lock down SFTP access to only specific accounts. The first step is to globally disable access to the SFTP service.
To do so we must change /etc/ssh/sshd_config to have the SFTP subsystem setting disabled with:
# Commented out to disable SFTP for all users
# Subsystem sftp /usr/sbin/sftp-server
# Fail all SFTP calls with false
Subsystem sftp /bin/false
Then disable the SFTP service executable:
chmod 000 /usr/sbin/sftp-server
If only the configuration file is changed, the user can log in with an SSH command of /usr/sbin/sftp-server and access SFTP anyway! By removing all permissions on the executable we prevent any user from accessing it without deleting it. I recommend keeping it in a disabled state as this is a self-documenting solution, and simply renaming it could still allow the bypass with the new filename.
Test and update your SSH configuration changes following the instructions on my other post AIX SSH Best Practices.
Once done, SFTP connections from tools like WinSCP or the sftp command should disconnect instantly.
Selectively allow SFTP
We will create a group for SFTP users. Only those accounts in the group will be allowed to use SFTP, and those accounts will be allowed only SFTP. This is suitable for service and batch accounts, as they should only be allowed to transfer files without running commands or obtaining a shell.
Administrative users like root are often more likely to use tools rsync than SFTP, so this should not impact day to
Let's make a dedicated group, and remember to check your group IDs:
mkgroup id=600 sftpuser
Then update /etc/ssh/sshd_config with a new Match directive at the end of the file:
Match Group sftpuser
    ChrootDirectory "%h"
    ForceCommand internal-sftp -u 0077
This group matching directive tells sshd to force the command on login to the internal SFTP server, allowing only SFTP access. While we disabled the sftp-server binary, there is an internal implementation that can be used.
The chroot directive says that the user may only SFTP files in their home directory (%h). This is very important so that the user can only see a limited number of files, instead of browsing the entire root filesystem! This may require /home to be owned by bin; however, this has little impact in practice. The -u flag specifies the umask; 0077 is very strict.
Now you can assign new users to the sftpuser group as an additional group. I recommend using SSH keys for SFTP users, especially from outside vendors.
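
To confirm that all three parts of the lockdown described above are in place (the global Subsystem line, the disabled sftp-server binary, and the Match Group block), here is an audit script added as an example; it is not from the original post. The function names are hypothetical, the sample configuration is constructed, and only a plain "Match Group <name>" block is recognised.

```shell
#!/bin/sh
# Added example (not from the original post): audit the SFTP lockdown.

# Value of a keyword in the global section (everything before the first Match).
global_value() {  # $1=config file  $2=keyword
    awk -v kw="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(kw) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Value of a keyword inside a block that starts exactly "Match Group <group>".
# Simplification: pattern lists and combined Match criteria are not handled.
match_value() {  # $1=config file  $2=group  $3=keyword
    awk -v grp="$2" -v kw="$3" '
        tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == grp); next }
        inblk && tolower($1) == tolower(kw) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Returns the number of failed checks (0 means the lockdown is in place).
audit_sftp_lockdown() {  # $1=config file  $2=group  $3=sftp-server binary
    fails=0
    subsys=$(global_value "$1" Subsystem)
    [ "$subsys" = "sftp /bin/false" ] ||
        { echo "FAIL: global Subsystem is '$subsys', not 'sftp /bin/false'"; fails=$((fails + 1)); }
    case "$(match_value "$1" "$2" ForceCommand)" in
        internal-sftp*) ;;
        *) echo "FAIL: Match Group $2 does not force internal-sftp"; fails=$((fails + 1)) ;;
    esac
    [ -n "$(match_value "$1" "$2" ChrootDirectory)" ] ||
        { echo "FAIL: Match Group $2 sets no ChrootDirectory"; fails=$((fails + 1)); }
    # The external binary, if present, must carry no permission bits (chmod 000).
    if [ -e "$3" ] && [ "$(ls -ld "$3" | cut -c2-10)" != "---------" ]; then
        echo "FAIL: $3 still has permission bits set"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample input: the configuration this post ends up with.
demo=$(mktemp -d)
printf '%s\n' '# Subsystem sftp /usr/sbin/sftp-server' 'Subsystem sftp /bin/false' \
    'Match Group sftpuser' '    ChrootDirectory "%h"' \
    '    ForceCommand internal-sftp -u 0077' > "$demo/sshd_config"
: > "$demo/sftp-server" && chmod 000 "$demo/sftp-server"
audit_sftp_lockdown "$demo/sshd_config" sftpuser "$demo/sftp-server" && echo "PASS"
rm -rf "$demo"
```

On a real system, call it as audit_sftp_lockdown /etc/ssh/sshd_config sftpuser /usr/sbin/sftp-server after each SSH configuration change.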