One use case that I frequently encounter for which a non-global zone can be too much is the use case of providing a secure file transfer (sftp) account. By secure, I mean that access to the account is secured by SSL and also that the user cannot see or gain access to any other directories other than the user's home directory. Ideally, the secure file server should support many sftp user accounts such that none of the accounts can see or touch each other's data.
Creating a zone per user is certainly possible but a bit of overkill. This blog post looks at how to combine a zone with chrooted sftp to build a secure file server.
To set up a secure sftp file server, I used a combination of the following technologies:
- Use the Zone Manager to add a hardened non-global zone
- Use the OpenSSH and requisite packages from SunFreeware.com to enable chrooting of the sftp user accounts.
- Use an installation script () to automate the setup of OpenSSH.
- Use a script () to add sftp user accounts.
Here is a sample invocation of the Zone Manager that I used to add (-a add) a non-global whole-root (-t w) networked (-I "192.168.0.10|e1000g0|24|z1") zone named z1 (-n z1), harden the zone (-s jail), mount /data read-only (-r /data), and run the install script (-X /data/installChrootSftpSvr) within the zone.
# zonemgr -a add -F -t w -n z1 -I "192.168.0.10|e1000g0|24|z1" \
-s jail -r /data -X /data/installChrootSftpSvr
Once the Zone Manager finished setting up the zone, I logged into the zone and added an sftp user.
# zlogin z1
# /data/addsftpuser.sh guest /export/guest "Guest User"
Run passwd guest to set the user's password.
# passwd guest
Re-enter new Password:
passwd: password successfully changed for guest
$ sftp guest@192.168.0.10
Connecting to 192.168.0.10...
The authenticity of host '192.168.0.10 (192.168.0.10)' can't be established.
RSA key fingerprint is 61:1e:6f:3d:ac:4d:d3:5d:ab:c2:1c:d6:0e:da:c5:c1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.10' (RSA) to the list of known hosts.
Remote working directory: /
Next, I test whether the account can be used to obtain a shell via ssh instead of sftp.
$ ssh guest@192.168.0.10
This service allows sftp connections only.
Connection to 192.168.0.10 closed.
For your reference, here are some useful resources that helped me to assemble my install script.
* HOWTO: chroot SFTP (only) - OpenSSH 4.9+ Built-in Version
* Installing OpenSSH Solaris 9 and 10 from SunFreeware.org
* Using TCP Wrappers
* openssh 5.1 chrootdirectory permissions issue
* Contributed Scripts for Running openssh via SMF on Solaris 10 Systems
Have a great day!