[Discuss] Using sftp without a shell account - [SOLVED]

[bill at horne.net (Bill Horne)]

On 12/28/2014 8:58 PM, Bill Horne wrote:
> I'm setting up an LDAP-based server, which will be used for file 
> transfers among other things. I'd like to allow LDAP users to access 
> the machine via sftp, but I can't figure out how to do that without 
> giving each user a local shell account, and I'm looking for advice.
>
> The LDAP users can access ftp without trouble, but not sftp.
>
> It's a Mac Mini, running OS X "Yosemite", with Server v4.1.
>

Keywords: Solved Answered Fixed  Resolved

Here's the procedure to allow Open Directory users to have SFTP access 
without Shell Access on an OS X Yosemite Server. This was done on OS X 
10.10.1, with server version 4, which is the latest release as of 
December 2014.

If this breaks your machine, you get to keep all the pieces and chalk it 
up to experience and I'm not to blame. You've been warned.

The plan:

A. Some users will be placed in an "sftp-only" group.
B. The "sftp-only" members will be able to use sftp to access their 
"home" directories, and to create subdirectories, but they won't be able 
to write anything outside their home directory, and they will only have 
"read" access within a chroot jail that we will create for them.
C. Members of the "sftp-only" group will receive an error message if 
they try to use ssh (Secure Shell) to log in to the server.
D. The ftp server will be turned off, so that only sftp may be used to 
transfer files. All users will have sftp access, but users whom are NOT 
in the "sftp-only" group will also be able to
      use a secure shell.

Step-by-step procedure: you must have root privileges to create this new 
environment. That means your ID must be in the /etc/sudoers file: if you 
use the "sudo" command and get an error saying that your ID is not in 
the sudoers file, logout and login again with a different ID that has 
sudo privileges.

1. Decide on where you will put the new "root" directory that your SFTP 
users will use. I recommend that you create a new directory just under 
the root.

N.B. ALL the directories that are "above" your users' new root MUST be 
owned by the root user and writable ONLY by root! The "administrator" 
account will NOT work: you must sudo to create this new directory. I 
chose to use "ftp" as the directory name.

sudo mkdir -p /ftp/Users

(The above creates a new "ftp" directory under the root, and a "Users" 
directory under /ftp, if you don't already have one. This will be a 
"chroot jail" which will be the only part of the machine which  
sftp-only users will have access to.

2. Test to make sure the new directory is "read only" for all except root.

myserver:~ myusername$ ls -ld /ftp
drwxr-xr-x  4 root  wheel  136 Jan 11 00:08 /ftp

... and it looks good.

If your listing shows write permissions for "group" or "anyone", chmod 
the directory to 755: skip this step if the "ls" output shows it's not 
needed.

sudo chmod 755 /ftp    # sets /ftp so that only root has write permission.

If the listing does not show "root" as the directory owner, then use 
chmod: if the "ls" shows root already owns the directory, skip this step.

sudo chmod root /ftp

3. Copy the existing user's files into the new chroot jail directory: 
this assumes that your users have their home directories in /Users. The 
"-a" option will preserve the existing ownership and attributes: since 
the users will be switched to the "home" directory which is shown in 
their Open Directory profile, it's much easier to simply copy the whole 
/Users directory so that we don't have to change the OD entries. In 
other words, once the sftp daemon accepts a user's credentials, that 
user's "home" will be set to whatever is shown in OD, UNDER THE CHRROT 
ROOT (in this case, /ftp),

sudo cp -a /Users  /ftp/Users

4. Decide if you want to remove the sftp-only users' old "home" 
directories. I recommend that you leave them "as is" until the users 
have confirmed that they sill have all their files.

5. You MIGHT need to have a /dev/ file under /ftp for syslogd to get 
logging info. In my machine, there was no /dev/log, but there was a 
/dev/klog device, so I copied that to /ftp. I'm not sure if it's needed, 
but it doesn't hurt. If we were allowing shell access to users in the 
jail, we'd need to provide a shell and assorted other files, but the 
internal-sftp option doesn't require it.

sudo cp -a /dev/klog  /ftp

6. Edit the /etc/sshd_config file by adding the following lines:

Subsystem   sftp    internal-sftp

Match Group sftp-only
   X11Forwarding no
   AllowTcpForwarding no
   ForceCommand internal-sftp
   ChrootDirectory /ftp

N.B.: there is no "end-of-match" keyword. Be sure you leave whitespace 
at the beginning of each line that is part of the match.

Stop. Take a breath. Have a BOYC.

Now, the "gotcha": the sshd_config file is sensitive to CR/LF entries! 
If you are reading this on a Windoze machine and copying lines into OS X 
from there, it's a good idea to delete all the line-ends and separate 
the lines by hand while using a command-line type of editor under OS X.

7. Make a list of uses whose id's will be restricted to sftp access, and 
add their usernames to the sftp-only group.

8. HUP the sshd to reload the configs.

sudo kill -1 /etc/sbin/sshd        # If you are accessing the machine 
via ssh, this will kill your connection. Assuming your id is not in the 
sftp-only group, you'll be able to log back in.

9. Test all sftp-only users to make sure they are properly restricted. 
You should get an error when attempting ssh access, but sftp should 
start up in the user's directory under /ftp/Users.

Notes:

A. You COULD specify that the chroot jail started at /ftp/Users, instead 
of /ftp, but that closes off each user's home directory from read access 
by other sftp users. In my environment, the users want to be able to 
read each others home directories. I also wanted to be able to give 
users a common directory where they can put files that everyone needs 
access to, so I put the jail root at /ftp.

B. There are many other howto's available for this, and many of them 
recommend using  /usr/libexec/sftp-server instead of internal-sftp - but 
I never got that to work.

My thanks to everyone at the BLU for their help!

-- 
E. William Horne
339-364-8487