
Method of separating SSH and SFTP services on AIX

2021-06-21

SFTP (SSH File Transfer Protocol) is a secure file transfer protocol whose command syntax is essentially the same as ftp's. It is implemented as a subsystem of SSH and therefore depends on SSH: by default there is no independent sftp service process. With a small amount of customization of the SSH configuration, however, you can generate an independent SFTP service.


1. Copy the sshd program to generate the sftpd program

You can directly copy sshd to generate the sftpd binary:

# cp /usr/sbin/sshd /usr/sbin/sftpd

2. Generate the sftpd service based on the sshd service

# **lssrc -S -s sshd**
#subsysname:synonym:cmdargs:path:uid:auditid:standin:standout:standerr:action:multi:contact:svrkey:svrmtype:priority:signorm:sigforce:display:waittime:grpname:
sshd::-D:/usr/sbin/sshd:0:0:/dev/console:/dev/console:/dev/console:-R:-Q:-S:0:0:20:15:9:-d:20:ssh:

# **mkssys -p "/usr/sbin/sftpd" -s sftpd -u 0 -a "-D -f /etc/ssh/sftpd_config" -e /dev/console -i /dev/console -o /dev/console -R -Q -S -f 9 -n 15 -E 20 -G sftp -d -w 20**
0513-071 The sftpd Subsystem has been added.

Obtain /etc/ssh/sftpd_config by copying /etc/ssh/sshd_config:

# cp /etc/ssh/sshd_config /etc/ssh/sftpd_config

Edit /etc/ssh/sftpd_config and change the port from the default 22 to the value you want (2222 in this example; the sftp service will listen on 2222 from now on):

Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::


# **lssrc -S -s sftpd**
#subsysname:synonym:cmdargs:path:uid:auditid:standin:standout:standerr:action:multi:contact:svrkey:svrmtype:priority:signorm:sigforce:display:waittime:grpname:
sftpd::-D -f /etc/ssh/sftpd_config:/usr/sbin/sftpd:0:0:/dev/console:/dev/console:/dev/console:-R:-Q:-S:0:0:20:15:9:-d:20:sftp:

You can also retrieve the ODM attributes of both subsystems for a closer comparison:

# odmget -q subsysname=sshd SRCsubsys
# odmget -q subsysname=sftpd SRCsubsys
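The record comparison described above, as an added example that is not part of the original post: a POSIX shell script that parses the colon-separated records printed by lssrc -S (the two records shown above are embedded so it runs without an AIX host), checks that the sftpd record points at /usr/sbin/sftpd, /etc/ssh/sftpd_config and the sftp group, and lists the fields in which it differs from the sshd record. The field order comes from the header line lssrc -S prints; src_field, check_sftpd_record and src_diff are the example's own names.

```shell
#!/bin/sh
# Added example, not from the original post: parse the colon-separated SRC
# records that `lssrc -S -s <name>` prints on AIX, check that the new sftpd
# record carries its own binary, config file and group, and list the fields
# in which it differs from the sshd record. The two records below are the
# ones shown in the post, embedded so the script runs without AIX.

SSHD_REC='sshd::-D:/usr/sbin/sshd:0:0:/dev/console:/dev/console:/dev/console:-R:-Q:-S:0:0:20:15:9:-d:20:ssh:'
SFTPD_REC='sftpd::-D -f /etc/ssh/sftpd_config:/usr/sbin/sftpd:0:0:/dev/console:/dev/console:/dev/console:-R:-Q:-S:0:0:20:15:9:-d:20:sftp:'

# Field names in record order, taken from the header line lssrc -S prints.
SRC_FIELDS='subsysname synonym cmdargs path uid auditid standin standout standerr action multi contact svrkey svrmtype priority signorm sigforce display waittime grpname'

# src_field RECORD N: print the N-th (1-based) field of an SRC record.
src_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# check_sftpd_record RECORD: return 0 only if the record describes the sftpd
# subsystem the way the post configures it.
check_sftpd_record() {
    rec=$1
    [ "$(src_field "$rec" 1)" = sftpd ] || return 1           # subsysname
    [ "$(src_field "$rec" 4)" = /usr/sbin/sftpd ] || return 1 # own binary
    [ "$(src_field "$rec" 5)" = 0 ] || return 1               # runs as uid 0
    [ "$(src_field "$rec" 20)" = sftp ] || return 1           # own SRC group
    case "$(src_field "$rec" 3)" in                           # cmdargs
        *"-f /etc/ssh/sftpd_config"*) return 0 ;;
        *) return 1 ;;
    esac
}

# src_diff RECORD_A RECORD_B: print "field: a | b" for every differing field.
src_diff() {
    i=1
    for f in $SRC_FIELDS; do
        a=$(src_field "$1" "$i")
        b=$(src_field "$2" "$i")
        [ "$a" = "$b" ] || printf '%s: %s | %s\n' "$f" "$a" "$b"
        i=$((i + 1))
    done
}

# On a live AIX host the record would come from the command itself, e.g.:
#   SFTPD_REC=$(lssrc -S -s sftpd | grep -v '^#')
if check_sftpd_record "$SFTPD_REC"; then
    echo "sftpd record OK; fields differing from sshd:"
    src_diff "$SSHD_REC" "$SFTPD_REC"
else
    echo "sftpd record is not configured as expected" >&2
fi
```

Only four fields should differ between the two records (subsysname, cmdargs, path and grpname); any other difference means the mkssys call above did not mirror the sshd definition.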

3. Set sftpd to start by default

In the same way, copy the boot script of sshd to generate the boot script of sftpd:

# cp /etc/rc.d/rc2.d/Ssshd /etc/rc.d/rc2.d/Ssftpd

Modify Ssftpd so that it reads as follows:

# cat /etc/rc.d/rc2.d/Ssftpd
#!/bin/ksh
##############################################
# name: Ssftpd
# purpose: script that will start or stop the sftpd daemon.
##############################################
case "$1" in
start)
        /usr/bin/startsrc -g sftp
        ;;
stop)
        /usr/bin/stopsrc -g sftp
        ;;
*)
        echo "Usage: $0 (start | stop)"
        exit 1
esac

In the current environment you can start the sftpd process manually with startsrc -g sftp; on subsequent boots the system will start the sftp service itself through the Ssftpd script:

# **startsrc -g sftp**
0513-059 The sftpd Subsystem has been started. Subsystem PID is 13762668.

4. Appendix

For security audit reasons, after separating ssh and sftp you can turn off the sftp subsystem on ssh's default port 22, as follows.

Edit the /etc/ssh/sshd_config file and comment out the sftp subsystem:

# override default of no subsystems
#Subsystem sftp /usr/sbin/sftp-server

Then test the connection to the sftp service on the dedicated port:

# sftp -o Port=2222 172.16.102.107
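Sections 2 and 4 combined into one script, as an added example that is not part of the original post: it derives sftpd_config from a copy of sshd_config with its own Port line, comments out the sftp subsystem in the port-22 sshd_config, and then verifies that sftp is on only in sftpd_config. It runs against a constructed sample sshd_config in a temporary directory, so it does not touch /etc/ssh; the function names (make_sftpd_config, disable_sftp_subsystem, listen_port, sftp_enabled, rewrite) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: derive sftpd_config from a
# copy of sshd_config with its own Port, comment out the sftp subsystem in
# the port-22 sshd_config (the appendix step), and verify both results.
# It works on a constructed sample sshd_config in a temporary directory, so
# nothing under /etc/ssh is touched.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SSHD_CONF="$WORK/sshd_config"
SFTPD_CONF="$WORK/sftpd_config"

# Constructed sample: the relevant subset of a stock sshd_config.
cat > "$SSHD_CONF" <<'EOF'
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
PermitRootLogin no
# override default of no subsystems
Subsystem sftp /usr/sbin/sftp-server
EOF

# rewrite FILE SED_EXPR: apply a sed expression in place through a temp file
# (AIX sed has no -i option).
rewrite() {
    sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# make_sftpd_config SRC DST PORT: copy SRC to DST and set "Port PORT",
# replacing an existing "Port"/"#Port" line or appending one if absent.
make_sftpd_config() {
    cp "$1" "$2"
    if grep -q '^#\{0,1\}Port[[:space:]]' "$2"; then
        rewrite "$2" "s/^#\{0,1\}Port[[:space:]].*/Port $3/"
    else
        printf 'Port %s\n' "$3" >> "$2"
    fi
}

# disable_sftp_subsystem CONF: comment out every active "Subsystem sftp" line.
disable_sftp_subsystem() {
    rewrite "$1" 's/^[[:space:]]*Subsystem[[:space:]]\{1,\}sftp[[:space:]]/#&/'
}

# listen_port CONF: print the first active Port value, or 22 (sshd's
# default) when none is set.
listen_port() {
    p=$(grep '^[[:space:]]*Port[[:space:]]' "$1" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${p:-22}"
}

# sftp_enabled CONF: succeed if CONF still has an active "Subsystem sftp" line.
sftp_enabled() {
    grep -q '^[[:space:]]*Subsystem[[:space:]]\{1,\}sftp[[:space:]]' "$1"
}

make_sftpd_config "$SSHD_CONF" "$SFTPD_CONF" 2222
disable_sftp_subsystem "$SSHD_CONF"

echo "sftpd listens on $(listen_port "$SFTPD_CONF"); sshd listens on $(listen_port "$SSHD_CONF")"
if sftp_enabled "$SSHD_CONF"; then
    echo "WARNING: sftp is still reachable on the sshd port" >&2
else
    echo "sftp subsystem is off on the sshd port and on only in sftpd_config"
fi
```

To use it on a host, drop the sample heredoc and point SSHD_CONF and SFTPD_CONF at /etc/ssh/sshd_config and /etc/ssh/sftpd_config. sshd reads its configuration at startup, so after editing the real sshd_config restart it (stopsrc -s sshd, then startsrc -s sshd), and restart sftpd the same way whenever sftpd_config changes; the sftp -o Port=2222 test above then confirms the dedicated port, and an sftp attempt on port 22 should be refused by the subsystem.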
