
Solaris SFTP Containment Multiple Nodes

Previous post explaining SFTP containment: http://blog.ls-al.com/sftp-containment-solaris-10/

That solution does not work in a clustered environment. Since then I have also played with loopback (LOFS on Solaris) mounts of an NFS folder. That also works, but it had issues when placed in /etc/vfstab at boot time.

Below is my final solution:
- Since I am trying to keep the number of mounts down, I used autofs in this case. If the autofs mount does not come up at boot we can fall back to a permanent /etc/vfstab mount.
- Create an NFS share INTERFACES so the same containment area can be shared across multiple nodes.
- In our case the application uses the following logical path, so we need a soft link into our containment area. Soft link svcaccxfr -> /opt/interfaces/svcaccxfr/ in the application tree.

Make a direct automount map (the -rw in the map entry overrides the -ro default given in auto_master)
# grep direct /etc/auto_master
/- auto_direct -ro
# cat /etc/auto_direct
/opt/interfaces -rw,vers=3 10.2.13.35:/export/INTERFACES

# svcadm refresh autofs
# svcadm restart autofs

Ensure the Match block in sshd_config points at the correct chroot folder
# tail -10 /etc/ssh/sshd_config
Match User svcxfr
ChrootDirectory /opt/interfaces/svcxfr
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp -u 017 -l info

Folders and permissions: the chroot directory and every directory above it must be owned by root and must not be writable by group or others; only the uploads subdirectory is writable by the service account's group
# cd /opt
# ls -l | grep interfaces
drwxr-xr-x 3 root root 3 Dec 21 14:12 interfaces
# cd interfaces/
# ls -l | grep svcxfr
drwxr-xr-x 3 root root 3 Dec 21 14:13 svcxfr
# ls -l | grep svcxfr/uploads
# cd svcxfr/
# ls -l | grep uploads
drwxrwxr-x 2 ebsppe_a ebsppe 3 Dec 21 14:50 uploads

Check soft link
# cd /apps/ebs11i/appltop/xxnp/11.5.0/interfaces
# ls -l | grep interfaces
lrwxrwxrwx 1 root root 26 Dec 21 14:14 svcxfr -> /opt/interfaces/svcxfr/

Test client
$ sftp svcxfr@server1
Password:
Connected to server1.
sftp> dir
uploads
sftp> cd uploads
sftp> put zfsrest_test1.py
Uploading zfsrest_test1.py to /uploads/zfsrest_test1.py
zfsrest_test1.py 100% 1934 1.9KB/s 00:00
sftp> exit

SFTP issues can be checked in the auth log. The client output above also confirms the containment: the upload lands in /uploads/zfsrest_test1.py, a path relative to the ChrootDirectory rather than the real /opt/interfaces/svcxfr/uploads.

For example, SFTP containment does not work if root does not own the top-level directories (the chroot directory and every parent): sshd refuses the chroot and closes the session, and the reason is logged here.
# tail -f /var/log/authlog
Dec 21 14:49:48 server1 sshd[12790]: [ID 800047 auth.info] Accepted keyboard-interactive for svcxfr from 192.168.38.104 port 39788 ssh2
Dec 21 14:49:49 server1 sshd[12790]: [ID 800047 auth.info] subsystem request for sftp
Dec 21 14:50:04 server1 sshd[12790]: [ID 800047 auth.info] Received disconnect from 192.168.38.104: 11: disconnected by user
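The ownership rule behind both the "Folders and permissions" listing and the failure mode above (root must own every directory from / down to the ChrootDirectory, and none of them may be group- or world-writable) is easy to get wrong on an NFS-backed tree, where the directories are created on the server. Below is an added shell check, written for this page and not part of the original post, that walks from the chroot directory up to / and reports each offending component. The chroot path /opt/interfaces/svcxfr is the one from the post; the optional uid and top-directory parameters are assumptions added only so the check can be exercised on a scratch tree, and `ls -ldnL` is parsed instead of stat(1) because Solaris 10 does not ship stat.

```shell
#!/bin/sh
# Added example (not from the original post): verify the prerequisites sshd
# enforces for ChrootDirectory. Every directory from / down to the chroot
# must be owned by root (uid 0) and must not be writable by group or others;
# otherwise sshd rejects the chroot and closes the session.
#
# Only field 1 (mode string) and field 3 (numeric uid) of `ls -ldnL` are
# used, so the file name at the end of the line never affects the parse.

# check_dir DIR [WANT_UID]
# Check one directory. Prints each violation; returns 0 if DIR is acceptable.
# WANT_UID defaults to 0 (root), which is what sshd requires.
check_dir() {
    cd_path=$1
    cd_want=${2:-0}
    cd_rc=0
    set -- $(ls -ldnL "$cd_path" 2>/dev/null)
    [ $# -ge 3 ] || { echo "$cd_path: cannot list"; return 1; }
    cd_mode=$1
    cd_uid=$3
    case "$cd_mode" in
        d*) ;;
        *)  echo "$cd_path: not a directory ($cd_mode)"; cd_rc=1 ;;
    esac
    if [ "$cd_uid" != "$cd_want" ]; then
        echo "$cd_path: owned by uid $cd_uid, expected uid $cd_want"; cd_rc=1
    fi
    # In the mode string, character 6 is group write and character 9 is
    # other write; either one makes sshd refuse the chroot.
    case "$cd_mode" in
        ?????w*|????????w*)
            echo "$cd_path: group or world writable ($cd_mode)"; cd_rc=1 ;;
    esac
    return $cd_rc
}

# check_chroot_path CHROOT [WANT_UID] [TOP]
# Walk from CHROOT up to TOP (inclusive) and check every component.
# sshd checks all the way to /, so TOP defaults to /; a different TOP
# (and a non-zero WANT_UID) is only useful to exercise the check on a
# scratch tree without root.
check_chroot_path() {
    cp_want=${2:-0}
    cp_top=${3:-/}
    cp_rc=0
    cp_cur=$1
    while :; do
        check_dir "$cp_cur" "$cp_want" || cp_rc=1
        [ "$cp_cur" = "$cp_top" ] && break
        [ "$cp_cur" = "/" ] && break
        cp_cur=$(dirname "$cp_cur")
    done
    return $cp_rc
}

# Stand-alone use on a node from the post:
#   sh check_chroot.sh /opt/interfaces/svcxfr
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "$1: chroot path OK"
fi
```

Run it on every cluster node, not just the one where the directories were created: the NFS server stores the uid, but each client must see uid 0 for the mount point's ancestors too. If the host runs an OpenSSH new enough to support `sshd -T`, `sshd -T -C user=svcxfr | grep -i chroot` shows the ChrootDirectory the Match block actually yields for that user.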

Published in Solaris, SSH