My chroot is working with the standard IBM sftp server using either:
a) Subsystem sftp internal-sftp
b) Subsystem sftp /usr/lib/ssh/sftp-server
With the (b) option I have duplicated the following files within my chroot folder:
/bin/sh
/dev/null
/dev/zero
/usr/lib/ssh/sftp-server
/usr/sbin/sshd
/etc/ (entire folder)
$HOME folder(s)
When I try the Co:Z sftp server, the login fails after entering the password. I am guessing I need additional file(s) in my chroot folder for chroot'ed Co:Z sftp. Anyone have an idea which additional files I may need? I have added these coz folders:
/u/local/coz/bin/ (entire folder)
/u/local/coz/loadmodules/ (entire folder)
Co:Z sftp is working fine without using chroot.
My syslogd sshd log file shows this at end:
Feb 26 16:05:13 MVS3/SSHELL SSHD8 sshd[16777578]: debug3: safely_chroot: checking '/'
Feb 26 16:05:13 MVS3/SSHELL SSHD8 sshd[16777578]: debug3: safely_chroot: checking '/home/'
Feb 26 16:05:13 MVS3/SSHELL SSHD8 sshd[16777578]: debug3: safely_chroot: checking '/home/ssh'
Feb 26 16:05:13 MVS3/SSHELL SSHD6 sshd[16777569]: debug3: monitor_read: checking request 58
Feb 26 16:05:13 MVS3/SSHELL SSHD6 sshd[16777569]: debug3: mm_answer_term: tearing down sessions
/home/ssh is my chroot folder.
Co:Z SFTP with chroot
Re: Co:Z SFTP with chroot
Hi,
When you are using "internal-sftp" (which implies using IBM's default sftp-server), then ChrootDirectory isn't a "real" chroot (you don't need to setup a complete chroot directory).
If you want to use Co:Z SFTP server (subsystem sftp points to /coz-install/bin/sftp-server.sh), then you would need to configure a real chroot. I don't know if IBM z/OS supports chroot - I cannot find anywhere where the *required* system files are documented and I cannot find a statement of support. Even if IBM z/OS Unix supported chroot, I do not know if IBM Ported Tools z/OS will support chroot other than internal-sftp.
In any case, I don't like the implications of a real chroot environment when it comes to maintenance.
An alternative to chroot would be to use the CZCHKCMD exit (compatible with the IBM FTP FTCHKCMD exit) so that you prevent users from using anything but files under their home directory. One of our customers uses this exit to prevent users from using Unix files at all - only datasets. Another of our clients has an exit that makes SAF calls to check all command/file/dataset access (the same exit that they use for FTP). There are a couple of third-party vendor MFT products that work with both FTP and Co:Z SFTP that do the same.
Info on Co:Z SFTP exits can be found on our documentation page: http://dovetail.com/docs/coz/coz_index.html
If using an exit to filter access is something that you are interested in, we would be happy to help you write one if your company would be interested in signing up for an Enterprise License and Support agreement. Please contact me offline (info@dovetail.com).
Re: Co:Z SFTP with chroot
I have it working now. A permissions issue on one file can fail the whole process. And access to z/OS files is available from the chroot jail environment.
Re: Co:Z SFTP with chroot
That's good news.
Would you mind posting a list of the system files/and permissions that you needed in your chroot jail?
Re: Co:Z SFTP with chroot
Here is what I have now as viewed from the chroot psftp login.
The /bin modules are for ssh_prng_cmds entropy. I did modify the ssh_prng_cmds a bit, but that is not required.
psftp> cd /
Remote directory is now /
psftp> dir
Listing directory /
drwxr-xr-x 14 SSHELL TTY 704 Mar 1 20:03 .
drwxr-xr-x 14 SSHELL TTY 704 Mar 1 20:03 ..
drwxr-xr-x 2 SSHELL TTY 608 Mar 1 19:47 bin
drwxr-xr-x 2 SSHELL TTY 448 Mar 1 18:53 dev
drwxr-xr-x 6 SSHELL TTY 416 Mar 1 19:49 home
drwxr-xr-x 2 SSHELL TTY 288 Feb 27 17:02 tmp
drwxr-xr-x 3 SSHELL TTY 352 Feb 25 21:01 u
drwxr-xr-x 3 SSHELL TTY 288 Mar 4 14:10 usr
psftp> dir bin
Listing directory /bin
drwxr-xr-x 2 SSHELL TTY 608 Mar 1 19:47 .
drwxr-xr-x 14 SSHELL TTY 704 Mar 1 20:03 ..
-rwxr-xr-x 1 SSHELL SYS1 90112 Sep 6 2010 date
-rwxr-xr-x 1 SSHELL SYS1 159744 Sep 6 2010 df
-rwxr-xr-x 1 SSHELL SYS1 86016 Sep 6 2010 echo
-rwxr-xr-x 1 SSHELL SYS1 151552 Sep 6 2010 fuser
-rwxr-xr-x 1 SSHELL SYS1 106496 Sep 6 2010 ipcs
-rwxr-xr-t 1 SSHELL SYS1 4096 Sep 6 2010 netstat
-rwxr-xr-x 1 SSHELL SYS1 196608 Sep 6 2010 ps
-rwxr-xr-t 1 SSHELL SYS1 1712128 Sep 10 12:02 sh
-rwxr-xr-x 1 SSHELL SYS1 155648 Sep 6 2010 tail
-rwxr-xr-x 1 SSHELL SYS1 126976 Sep 6 2010 who
psftp> dir dev
Listing directory /dev
drwxr-xr-x 2 SSHELL TTY 448 Mar 1 18:53 .
drwxr-xr-x 14 SSHELL TTY 704 Mar 1 20:03 ..
crwxrwxrwx 1 SSHELL TTY 0 Feb 27 15:17 console
crwxr-xr-x 1 SSHELL TTY 0 Mar 1 18:53 log
crw-rw-rw- 1 SSHELL TTY 0 Mar 1 16:09 null
crw-rw-rw- 1 SSHELL TTY 0 Feb 27 16:36 random
crw-rw-rw- 1 SSHELL TTY 0 Feb 27 16:36 urandom
crw-r--r-- 1 SSHELL TTY 0 Mar 1 16:09 zero
psftp> dir home
Listing directory /home
drwxr-xr-x 6 SSHELL TTY 416 Mar 1 19:49 .
drwxr-xr-x 14 SSHELL TTY 704 Mar 1 20:03 ..
drwxr-xr-x 3 10018 TTY 416 Mar 1 19:29 userid1
psftp> dir tmp
Listing directory /tmp
drwxr-xr-x 2 SSHELL TTY 288 Feb 27 17:02 .
drwxr-xr-x 14 SSHELL TTY 704 Mar 1 20:03 ..
psftp> dir u
Listing directory /u
drwxr-xr-x 3 SSHELL TTY 352 Feb 25 21:01 .
drwxr-xr-x 14 SSHELL TTY 704 Mar 1 20:03 ..
drwxr-xr-x 5 SSHELL TTY 384 Mar 1 19:58 local
psftp> dir u/local
Listing directory /u/local
drwxr-xr-x 5 SSHELL TTY 384 Mar 1 19:58 .
drwxr-xr-x 3 SSHELL TTY 352 Feb 25 21:01 ..
drwxr-xr-x 4 SSHELL TTY 448 Mar 1 19:58 coz
psftp> dir u/local/coz
Listing directory /u/local/coz
drwxr-xr-x 4 SSHELL TTY 448 Mar 1 19:58 .
drwxr-xr-x 5 SSHELL TTY 384 Mar 1 19:58 ..
-rwxr-xr-x 1 SSHELL TTY 15347 Dec 18 20:12 LICENSE
-rwxr-xr-x 1 SSHELL TTY 16280 Dec 18 20:12 NOTICES
-rwxr-xr-x 1 SSHELL TTY 128 Dec 18 20:12 README
drwxr-xr-x 2 SSHELL TTY 1280 Feb 25 21:17 bin
drwxr-xr-x 2 SSHELL TTY 320 Feb 25 21:24 loadmodules
psftp> dir usr/lib/ssh
Listing directory /usr/lib/ssh
drwxr-xr-x 2 SSHELL TTY 288 Mar 4 14:11 .
drwxr-xr-x 3 SSHELL TTY 320 Mar 4 14:11 ..
-rwxr-xr-x 1 SSHELL SYS1 1077248 Sep 10 16:48 sftp-server
Last edited by donaldj on Mon Mar 04, 2013 3:14 pm, edited 1 time in total.
Re: Co:Z SFTP with chroot
Thanks.
(BTW, if you have a crypto-coprocessor card, you could eliminate ssh-rand-helper)