BLU Discuss list archive
[Discuss] Using sftp without a shell account - [SOLVED]
- Subject: [Discuss] Using sftp without a shell account - [SOLVED]
- From: bill at horne.net (Bill Horne)
- Date: Sat, 17 Jan 2015 16:44:19 -0500
- In-reply-to: <54A0B535.10507@horne.net>
- References: <54A0B535.10507@horne.net>
On 12/28/2014 8:58 PM, Bill Horne wrote:
> I'm setting up an LDAP-based server, which will be used for file
> transfers among other things. I'd like to allow LDAP users to access
> the machine via sftp, but I can't figure out how to do that without
> giving each user a local shell account, and I'm looking for advice.
>
> The LDAP users can access ftp without trouble, but not sftp.
>
> It's a Mac Mini, running OS X "Yosemite", with Server v4.1.
>

Keywords: Solved Answered Fixed Resolved

Here's the procedure to allow Open Directory users to have SFTP access without shell access on an OS X Yosemite Server. This was done on OS X 10.10.1, with server version 4, which is the latest release as of December 2014. If this breaks your machine, you get to keep all the pieces and chalk it up to experience, and I'm not to blame. You've been warned.

The plan:

A. Some users will be placed in an "sftp-only" group.

B. The "sftp-only" members will be able to use sftp to access their "home" directories, and to create subdirectories, but they won't be able to write anything outside their home directory, and they will only have "read" access within a chroot jail that we will create for them.

C. Members of the "sftp-only" group will receive an error message if they try to use ssh (Secure Shell) to log in to the server.

D. The ftp server will be turned off, so that only sftp may be used to transfer files. All users will have sftp access, but users who are NOT in the "sftp-only" group will also be able to use a secure shell.

Step-by-step procedure: you must have root privileges to create this new environment. That means your ID must be in the /etc/sudoers file: if you use the "sudo" command and get an error saying that your ID is not in the sudoers file, log out and log in again with a different ID that has sudo privileges.

1. Decide on where you will put the new "root" directory that your SFTP users will use. I recommend that you create a new directory just under the root. N.B. ALL the directories that are "above" your users' new root MUST be owned by the root user and writable ONLY by root! The "administrator" account will NOT work: you must sudo to create this new directory. I chose to use "ftp" as the directory name.

   sudo mkdir -p /ftp/Users

(The above creates a new "ftp" directory under the root, and a "Users" directory under /ftp, if you don't already have one. This will be a "chroot jail", which will be the only part of the machine that sftp-only users will have access to.)

2. Test to make sure the new directory is "read only" for all except root.

   myserver:~ myusername$ ls -ld /ftp
   drwxr-xr-x  4 root  wheel  136 Jan 11 00:08 /ftp

... and it looks good. If your listing shows write permissions for "group" or "anyone", chmod the directory to 755; skip this step if the "ls" output shows it's not needed.

   sudo chmod 755 /ftp    # sets /ftp so that only root has write permission

If the listing does not show "root" as the directory owner, then use chown; if the "ls" shows root already owns the directory, skip this step.

   sudo chown root /ftp   # changes the owner (chmod only changes the mode)

3. Copy the existing users' files into the new chroot jail directory: this assumes that your users have their home directories in /Users. The "-a" option will preserve the existing ownership and attributes: since the users will be switched to the "home" directory which is shown in their Open Directory profile, it's much easier to simply copy the whole /Users directory so that we don't have to change the OD entries. In other words, once the sftp daemon accepts a user's credentials, that user's "home" will be set to whatever is shown in OD, UNDER THE CHROOT ROOT (in this case, /ftp).

   sudo cp -a /Users /ftp/    # target is /ftp: /ftp/Users already exists from step 1,
                              # and "cp -a /Users /ftp/Users" would nest a second Users inside it

4. Decide if you want to remove the sftp-only users' old "home" directories. I recommend that you leave them "as is" until the users have confirmed that they still have all their files.

5. You MIGHT need to have a /dev/ file under /ftp for syslogd to get logging info. In my machine, there was no /dev/log, but there was a /dev/klog device, so I copied that to /ftp. I'm not sure if it's needed, but it doesn't hurt. If we were allowing shell access to users in the jail, we'd need to provide a shell and assorted other files, but the internal-sftp option doesn't require it.

   sudo cp -a /dev/klog /ftp

6. Edit the /etc/sshd_config file by adding the following lines:

   Subsystem sftp internal-sftp
   Match Group sftp-only
       X11Forwarding no
       AllowTcpForwarding no
       ForceCommand internal-sftp
       ChrootDirectory /ftp

N.B.: there is no "end-of-match" keyword. Be sure you leave whitespace at the beginning of each line that is part of the match.

Stop. Take a breath. Have a BOYC.

Now, the "gotcha": the sshd_config file is sensitive to CR/LF line ends! If you are reading this on a Windoze machine and copying lines into OS X from there, it's a good idea to delete all the line ends and separate the lines by hand while using a command-line editor under OS X.

7. Make a list of users whose IDs will be restricted to sftp access, and add their usernames to the sftp-only group.

8. HUP the sshd to reload the configs.

   sudo killall -HUP sshd    # kill wants a PID, not a path; killall signals sshd by name.
                             # If you are accessing the machine via ssh, this will kill your connection.

Assuming your ID is not in the sftp-only group, you'll be able to log back in.

9. Test all sftp-only users to make sure they are properly restricted. You should get an error when attempting ssh access, but sftp should start up in the user's directory under /ftp/Users.

Notes:

A. You COULD specify that the chroot jail starts at /ftp/Users, instead of /ftp, but that closes off each user's home directory from read access by other sftp users. In my environment, the users want to be able to read each other's home directories. I also wanted to be able to give users a common directory where they can put files that everyone needs access to, so I put the jail root at /ftp.

B. There are many other howtos available for this, and many of them recommend using /usr/libexec/sftp-server instead of internal-sftp, but I never got that to work.

My thanks to everyone at the BLU for their help!

-- 
E. William Horne
339-364-8487
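The procedure above depends on two things sshd is strict about: every directory from the ChrootDirectory up to / must be root-owned and not group/world writable, and sshd_config must not carry CR line ends. The script below is an added example, not code from the original post or from Apple or OpenSSH; it checks both invariants, writes the step 6 Match block without duplicating an existing "Subsystem sftp" line (sshd refuses a second one), and, only when explicitly asked, runs the steps in order. The paths /ftp and /ftp/Users and the group name sftp-only are the post's; the function names, the APPLY_SFTP_JAIL switch and the use of `cp -a /Users/. /ftp/Users/` (merging into the directory step 1 created) are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: checks for the two things the
# procedure depends on (chroot path ownership/permissions, LF-only
# sshd_config) plus the Match block it adds. /ftp, /ftp/Users and the group
# "sftp-only" come from the post; the function names are this example's own.
set -u

# Owner uid and permission bits of one path, on BSD/macOS stat or GNU stat.
uid_and_mode() {
  if [ "$(uname)" = Darwin ]; then
    stat -f '%u %Lp' "$1"     # e.g. "0 755"
  else
    stat -c '%u %a' "$1"      # same output shape on Linux
  fi
}

# sshd rejects a ChrootDirectory unless it and every directory above it is
# owned by root and not writable by group or others. Walk from DIR up to /
# and report every violator; return 1 if any was found.
check_chroot_path() {
  dir=$1
  rc=0
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
  while :; do
    set -- $(uid_and_mode "$dir")          # $1 = uid, $2 = octal mode
    if [ "$1" -ne 0 ]; then
      echo "not owned by root: $dir (uid $1)" >&2; rc=1
    fi
    if [ $(( 0$2 & 022 )) -ne 0 ]; then     # 022 = group-write | other-write
      echo "group/world writable: $dir (mode $2)" >&2; rc=1
    fi
    [ "$dir" = / ] && break
    dir=$(dirname "$dir")
  done
  return $rc
}

# The CR/LF gotcha from step 6: return 1 if FILE contains any CR byte.
check_no_cr() {
  [ $(( $(tr -cd '\015' < "$1" | wc -c) )) -eq 0 ]
}

# Step 6's lines, written to CFG (default /etc/sshd_config) with LF line
# ends. sshd refuses a second "Subsystem sftp" line, so an existing one
# (Yosemite ships one pointing at /usr/libexec/sftp-server) is replaced.
write_sftp_match_block() {
  cfg=${1:-/etc/sshd_config}
  if grep -q '^Subsystem[[:space:]]*sftp' "$cfg" 2>/dev/null; then
    sed -i.bak 's|^Subsystem[[:space:]]*sftp.*|Subsystem sftp internal-sftp|' "$cfg"
  else
    printf 'Subsystem sftp internal-sftp\n' >> "$cfg"
  fi
  printf '%s\n' \
    'Match Group sftp-only' \
    '    X11Forwarding no' \
    '    AllowTcpForwarding no' \
    '    ForceCommand internal-sftp' \
    '    ChrootDirectory /ftp' >> "$cfg"
}

# Steps 1-3, 6 and 8 in order, with the checks in between. Runs only when
# APPLY_SFTP_JAIL=yes is set and you are root; otherwise this file just
# defines the functions above.
apply_sftp_jail() {
  mkdir -p /ftp/Users
  chown root /ftp /ftp/Users
  chmod 755 /ftp /ftp/Users
  check_chroot_path /ftp || return 1
  cp -a /Users/. /ftp/Users/               # merge; don't nest a second Users
  write_sftp_match_block /etc/sshd_config
  check_no_cr /etc/sshd_config || return 1
  sshd -t || return 1                       # never reload a config sshd rejects
  killall -HUP sshd
}

if [ "${APPLY_SFTP_JAIL:-}" = yes ]; then
  apply_sftp_jail
fi
```

Run it as-is (or source it) to get only the check functions; `check_chroot_path /ftp` before editing sshd_config tells you exactly which ancestor would make sshd refuse the chroot, which otherwise surfaces only as a terse "bad ownership or modes for chroot directory" in the log. `APPLY_SFTP_JAIL=yes sudo -E sh thisfile` performs the steps, and `sshd -t` is run before the HUP so a typo in the Match block cannot lock you out.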