Monday, June 7, 2010

How to make zoned chroot sftp on Solaris

One of my favorite security features of Solaris zones is containment.  By containment I mean that a service running in or user logged into the non-global zone cannot break out of the zone to get to the global zone or other non-global zones on the server.


One use case that I frequently encounter for which a non-global zone can be too much is providing a secure file transfer (sftp) account.  By secure, I mean that access to the account is secured by SSL and also that the user cannot see or gain access to any directory other than the user's home directory.  Ideally, the secure file server should support many sftp user accounts such that none of the accounts can see or touch each other's data.


Creating a zone per user is certainly possible but a bit overkill.  This blog post looks at how to combine zones with chroot sftp to build a secure file server.


To setup a secure sftp file server, I used a combination of the following technologies.

Here is a sample invocation of the Zone Manager that I used to add (-a add) a non-global whole root (-t w) networked (-I "192.168.0.10|e1000g0|24|z1") zone named z1 (-n z1), harden the zone (-s jail), mount /data read-only inside it (-r /data), and run my install script (-X /data/installChrootSftpSvr) within the zone.

# zonemgr -a add -F -t w -n z1 -I "192.168.0.10|e1000g0|24|z1" \
    -s jail -r /data -X /data/installChrootSftpSvr

Once the Zone Manager completed setting up the zone, I logged into the zone and added an sftp user.

# zlogin z1
# /data/addsftpuser.sh guest /export/guest "Guest User"
Run passwd guest to set the user's password.
# passwd guest
New Password:
Re-enter new Password:
passwd: password successfully changed for guest
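The post does not show the contents of /data/addsftpuser.sh, so here is an added example of my own (not the script from the post) that prepares one account the way OpenSSH's built-in ChrootDirectory expects it.  It assumes an sftp-only group named sftponly, OpenSSH 4.9 or later with the internal-sftp subsystem, and a login shell of /bin/false; the user, home directory and group names are placeholders.  The mode check exists because sshd refuses a chroot whose directory (and every parent) is not root-owned or is group/world writable, which is the permissions issue one of the references below describes, so the user's writable area is a subdirectory rather than the chroot itself.

```shell
#!/bin/sh
# Added example, not the post's own /data/addsftpuser.sh.
# Assumptions: sftp-only group "sftponly", OpenSSH >= 4.9 (internal-sftp),
# and sshd_config's Match block as printed by sftp_match_block below.

SFTP_GROUP=sftponly

# Check the group-write and other-write bits of one directory using the
# portable `ls -ld` permission string (works on Solaris, which lacks a
# stat(1) that prints the mode).  Returns 0 when the mode is acceptable
# for a ChrootDirectory component, 1 otherwise.  Ownership by root is
# checked separately by sshd; this only covers the two write bits.
chroot_dir_mode_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        d????-??-?) return 0 ;;   # position 6 = group w, position 9 = other w
        *)          return 1 ;;
    esac
}

# Every component from the chroot directory up to / must pass the check,
# because sshd validates the whole path before calling chroot(2).
chroot_path_ok() {
    p=$1
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        chroot_dir_mode_ok "$p" || return 1
        p=$(dirname "$p")
    done
    return 0
}

# Print the sshd_config fragment that confines members of the given group
# to their home directory and allows only the sftp subsystem: no shell,
# no TCP or X11 forwarding.  Subsystem must appear outside the Match block.
sftp_match_block() {
    cat <<EOF
Subsystem sftp internal-sftp
Match Group $1
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Create the account: the home directory is the chroot (root-owned, 755,
# not writable by the user), and "upload" inside it is the only place the
# user can write.  Solaris useradd/groupadd syntax; must run as root.
add_sftp_user() {
    user=$1; home=$2; gecos=$3
    getent group "$SFTP_GROUP" >/dev/null 2>&1 || groupadd "$SFTP_GROUP"
    useradd -g "$SFTP_GROUP" -d "$home" -s /bin/false -c "$gecos" "$user" || return 1
    mkdir -p "$home/upload"
    chown root:root "$home"
    chmod 755 "$home"
    chown "$user:$SFTP_GROUP" "$home/upload"
    chmod 750 "$home/upload"
    chroot_path_ok "$home" || {
        echo "$home: some path component is group/world writable; sshd will refuse the chroot" >&2
        return 1
    }
    echo "Run passwd $user to set the user's password."
}

# Usage: addsftpuser.sh <user> <home> "<full name>"
if [ $# -eq 3 ]; then
    add_sftp_user "$1" "$2" "$3"
fi
```

After running it, append the output of sftp_match_block sftponly to /etc/ssh/sshd_config and restart sshd; the sftp session then lands in "/" as in the post's transcript, and the only writable path the user sees is /upload.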

Now that the sftp zone is up and running and the account has been created, I log in to the sftp user account over the network and test whether I can look into other directories.

$ sftp guest@192.168.0.10
Connecting to 192.168.0.10...
The authenticity of host '192.168.0.10 (192.168.0.10)' can't be established.
RSA key fingerprint is 61:1e:6f:3d:ac:4d:d3:5d:ab:c2:1c:d6:0e:da:c5:c1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.10' (RSA) to the list of known hosts.
guest@192.168.0.10's password:
sftp> pwd
Remote working directory: /
sftp> quit

Next, I test to see if I can connect to the account via ssh to obtain a shell.

$ ssh guest@192.168.0.10
guest@192.168.0.10's password:
This service allows sftp connections only.
Connection to 192.168.0.10 closed.

That does it.  Now we have a secure chrooted sftp server.

For your reference, here are some useful resources that helped me to assemble my install script.
* HOWTO: chroot SFTP (only) - OpenSSH 4.9+ Built-in Version
* Installing OpenSSH Solaris 9 and 10 from SunFreeware.org
* Using TCP Wrappers
* openssh 5.1 chrootdirectory permissions issue
* Contributed Scripts for Running openssh via SMF on Solaris 10 Systems

Have a great day!

Brad
