AIX SFTP Best Practices

SFTP is a functional part of SSH which replaces the behavior of FTP in a secure fashion. This is great on AIX for transferring files, batch job uploads and downloads, and much more secure using SSL on the wire and with a variety of authentication options.

Unfortunately when left in the default configuration, the SSH server on AIX allows all users to use SFTP to access any files on the system (subject to filesystem permissions). It's common to see my customers be surprised when an unprivileged application account can SFTP in with WINSCP and browse their entire systems.

Lockdown SFTP

The best alternative is to lockdown SFTP access to only specific accounts. The first step is to globally disable access to the SFTP service.

To do so we must change /etc/ssh/sshd_config to have SFTP subsystem setting disabled with /bin/false:

# Commented out to disable SFTP for all users
# Subsystem sftp /usr/sbin/sftp-server

# Fail all SFTP calls with false
Subsystem sftp /bin/false

Then disable the SFTP service executable:

chmod 000 /usr/sbin/sftp-server

If only the configuration file is changed, the user can login with a SSH command of /usr/sbin/sftp-server and access SFTP anyway! By removing all permissions on the executable we prevent any user from accessing it without deleting it. I recommend keeping it in a disabled state as this is a self documenting solution, and simply renaming it could still allow the bypass with the new filename.

Test and update your SSH configuration changes following the instructions on my other post AIX SSH Best Practices.

Once done, SFTP connections from tools like WinSCP 1 or the sftp command should disconnect instantly.

Selectively allow SFTP

We will create a group for SFTP users. Only those accounts in the group will be allowed to use SFTP, and those accounts will only allow SFTP. This is suitable for service and batch accounts as they should only be allowed to transfer files without running commands or obtaining a shell.

Administrative users like root are often more likely to use tools like scp or rsync than SFTP, so this should not impact day to day operations.

Let's make a dedicated group, and remember to check your group IDs:

mkgroup id=600 sftpuser

Then update /etc/ssh/sshd_config with a new Match directive at the end of the file:

Match Group sftpuser
  ChrootDirectory "%h"
  ForceCommand internal-sftp -u 0077

This group matching directive tells sshd to force the command on login to the internal SFTP server, allowing only SFTP access. While we disabled the sftp-server binary, there is an internal implementation that can be used.

The chroot directive says that the user may only SFTP files in their home directory (%h). This is very important so that the user can only see a limited number of files, instead of browsing the entire root filesystem! This may require /home to be owned by root instead of bin, however this has little impact in practice. The -u flag specifies the umask, 0077 is very strict.

Now you can assign new users to the sftpuser group as an additional group. I recommend using SSH keys for SFTP users, especially from outside vendors.


1

https://winscp.net/