I found an interesting fact recently. It is a combination of AIX (confirmed on AIX 5.3 and 6.1; it may affect 7.1 too) and the chroot functionality of OpenSSH. The idea, of course, is to set up a user or group that is jailed to a specific directory by OpenSSH, which can force them to use sftp only. The approach is:
Normal Setup:
* edit the /etc/security/login.cfg file: add /usr/bin/false to the list of valid shells (unless it is already there)
* create a new group for them. Let’s call it sftponly for simplicity.
* create your user(s) and add them to the sftponly group, specifying /usr/bin/false as their default shell
* Pick a directory for the users to be jailed in. For this example, we’ll use /chroot
* Modify your /etc/ssh/sshd_config file and make the changes for setting up the chroot for the group sftponly.
* Restart the sshd subsystem daemon
* Set a password for the user(s) and clear the password-change-on-login flag
vi /etc/security/login.cfg (if the shells = line doesn't have an entry for /usr/bin/false, add it and save and quit the file)
mkgroup sftponly
useradd -s /usr/bin/false -g sftponly -G sftponly user001
vi /etc/ssh/sshd_config
Add the following:
Match Group sftponly
ChrootDirectory /sftponly
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Subsystem sftp internal-sftp
Note that the Subsystem line may already exist as: Subsystem sftp /usr/sbin/sftp-server. If so, just comment that out and use the one above.
Refresh the sshd daemon so it will read the new configuration:
stopsrc -s sshd
startsrc -s sshd
Next, set a password for the users and clear the flag for resetting their password upon successful login.
passwd user001
pwdadm -c user001
Now the users should be able to log in via sftp as expected. If you attempt to connect via ssh instead, the server will tell you it’s for sftp connections only and terminate your connection (as it should).
Unintended fallout:
If you make the user001 user a member of more than just the sftponly group you will find a problem. The chroot functionality remains unaffected for sftp connections. However, if you attempt to connect to the server via ssh, it will not display any message. Additionally, it won’t terminate your connection. It appears to leave half-open connections. In theory, this could be used to cause a DoS condition on your server.
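A check for the condition described above, as an added example that is not part of the original post: it reads passwd- and group-format files and lists every sftponly member whose shell is not /usr/bin/false or who belongs to any other group (primary or supplementary). The group name and shell come from the post; the sample file contents are constructed here so the script runs offline, and on a real host you would point it at /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example (not from the original post): audit passwd/group data for
# sftponly members that also belong to other groups, the condition the post
# describes as breaking the "sftp only" message on plain ssh logins.
SFTP_GROUP="${SFTP_GROUP:-sftponly}"
SFTP_SHELL="${SFTP_SHELL:-/usr/bin/false}"

# Constructed sample data (not taken from any real system).
SAMPLE_PASSWD='root:!:0:0::/:/usr/bin/ksh
user001:!:201:300::/home/user001:/usr/bin/false
user002:!:202:300::/home/user002:/usr/bin/false
user003:!:203:300::/home/user003:/usr/bin/ksh'

SAMPLE_GROUP='system:!:0:root
staff:!:1:user002
sftponly:!:300:user001,user002,user003
dev:!:400:user003'

# audit_sftponly PASSWD_FILE GROUP_FILE
# Prints one sorted line per finding: "<user> shell-is-<shell>" or
# "<user> extra-group-<group>". No output means nothing to fix.
audit_sftponly() {
    awk -F: -v grp="$SFTP_GROUP" -v shell="$SFTP_SHELL" '
        FNR == NR {            # first file (passwd): remember shell and primary gid
            shell_of[$1] = $7; pgid[$1] = $4; next
        }
        {                      # second file (group): gid and supplementary members
            gid_of[$1] = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") member[m[i], $1] = 1
        }
        END {
            for (u in shell_of) {
                in_sftp = ((u, grp) in member) || (pgid[u] == gid_of[grp])
                if (!in_sftp) continue
                if (shell_of[u] != shell) print u " shell-is-" shell_of[u]
                for (g in gid_of)
                    if (g != grp && (((u, g) in member) || pgid[u] == gid_of[g]))
                        print u " extra-group-" g
            }
        }' "$1" "$2" | sort
}

# Run against the constructed sample: ./audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    pf=$(mktemp); gf=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$pf"
    printf '%s\n' "$SAMPLE_GROUP" > "$gf"
    audit_sftponly "$pf" "$gf"
    rm -f "$pf" "$gf"
fi
```

In the sample, user001 is clean, user002 is also in staff, and user003 has a login shell and an extra group, so the last two are reported.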