Monday, March 20, 2017

Script to configure chrooted sftp-only users.

1.      - SFTP User Home Folder Permission has to be 755 (Users can’t see another user’s directories anyway)
2.       -  SFTP Users will have no shell (Linux server) access (as it’s not allowed with chroot sftp environment) so  it’s better to set default user (sftp user) shell to /bin/false for security reasons.
3.      -  SFTP Group shouldn’t be added later (better to use only one group for all sftp users) because it would require a restart of sshd daemon, we should not do it once moved to Production. Also, there would be no use of having multiple groups for chrooted sftp user as they can’t access any other directory (other then their chrooted work directory) in any way.
4.       -Users (Not the SFTP Users) with shell access (ie.Hadoop Team) should have sudo permissions to see all the /chroots/ folder (as they are working on all the files)

Following is the script to configure sftp-only users.


#!/bin/bash
#sftponly_user_creation.sh

: ${1?


"Kindly Specify User That You Wish To Add As CHROOTED SFTPONLY User! Script Usage: $0 "

}

GRP=sdp
FUSER=$1

if ! id $FUSER
        then
        echo "NO USER $FUSER FOUND. CREATING IT......"
        useradd -d /chroots/$FUSER  -g $GRP -s /bin/false $FUSER
        else
        usermod -d /chroots/$FUSER  -g $GRP -s /bin/false $FUSER
fi

mkdir -p /chroots/$FUSER
chmod -R 755 /chroots/$FUSER
mkdir /chroots/$FUSER/work
chown root:root  /chroots/$FUSER
chown $FUSER:$GRP /chroots/$FUSER/work
passwd $FUSER
chage -d 0 $FUSER

#End of script

User, group and password syncing script for SFTP servers

Following is the script which can be used to sync users between SFTP systems. We can cron it (running every 30 Minutes). This script can run from any server (ie we can name it IPAserver) that can be used for user creation and password reset purposes. User HOME directories will be created automatically when users do their first login.
----------

#!/bin/bash
SFTP01= 172.28.56.10
SFTP02= 172.28.56.11
export DATE=$(date +%m%d%y%H%M%S)
ls -1  /etc/passwd /etc/group /etc/shadow /etc/gshadow |while read i
do           ssh $SFTP01  "cp $i $i.$DATE";
scp $i $SFTP01 :$i
                ssh $SFTP02  "cp $i $i.$DATE";
scp $i $SFTP02 :$i

done

FIND Command - File Deletion with exclusion specific extension

# cat non_csv_delete.sh
#!/bin/bash
for user in $(cat /sftp_users.txt)
        do find /home/$user/  -type f  ! -name "*.csv*" -a  -type f  ! -name  "*.CSV*"  -delete

done

How to set up SFTP to chroot only for specific users

https://access.redhat.com/solutions/20764


 SOLUTION VERIFIED - Updated  - 

Environment

  • Red Hat Enterprise Linux (RHEL) 6
  • Red Hat Enterprise Linux (RHEL) 7

Issue

  • How to set up sftp to chroot only for specific users
  • How to set up sftp so that a user can't get out of their home directory, ensuring no other users are affected
  • Preserve normal ssh/sftp functionality for most other users
  • Support for sftp/scp account jails in openssh server
  • I am facing problems for configuring sftp server and need assistance for the same.

Resolution

In order to allow ChrootDirectory functionality on a per-user basis, employ a conditionally-executed sshd configuration (using the "Match" keyword) in the sshd_config file.
This example will use a "Match" block based on group membership, but other criteria may used in a "Match" block to determine which users are restricted to the ChrootDirectory (see "man sshd_config" for more details).
NOTE :- The ownership of the root directory should be root:root and anything else will block chroot sftp access.
If its not root:root, then the below command should be executed for chroot-sftp operation :-
# chmod root:root /
  1. Edit sshd_config
    • Comment the original Subsystem entry for sftp and replace it with a new entry:
    #Subsystem      sftp    /usr/libexec/openssh/sftp-server
    Subsystem       sftp    internal-sftp
    
    • Add the following to the end of the /etc/ssh/sshd_config file.
            Match Group sftponly
                    ChrootDirectory /chroots/%u
                    AllowTcpForwarding no
                    ForceCommand internal-sftp
                    X11Forwarding no
    
  2. Create a new group to add sftp-only users to (users in this group will not have access to ssh/scp and sftp access will be limited to their chrooted environment.)
    # groupadd sftponly
    
    NOTE: Persons not in this group can still log in to the host via ssh and otherwise interact with openssh normally.
  3. Configure or create the accounts of any sftp-only users.  NOTE: the specified home directory is relative to the ChrootDirectory.
    # usermod  -g sftponly -s /bin/false user  
    
    or
    #useradd -d /myhome -M -g sftponly -s /bin/false user
    
    In case you newly create the "user", set its pasword
    # passwd user
    
  4. Create the user's chroot environment and configure directory permissions.  Ensure that this entire path is owned by root and only writable by root.
    # mkdir -p /chroots/user ; chmod -R 755 /chroots/user
    
    NOTE: In this case, the chroot directory is set to /chroots/%u (%u is replaced by the username of that user) so that each user will have an individual chroot environment.
    Users will not be able to see other directories located beneath the root of their chrooted environment.
  5. Create the user's actual home directory under the ChrootDirectory and chown it to the user and group created/used in Step 3 (above).
    # mkdir /chroots/user/myhome ; chown user:sftponly /chroots/user/myhome
    
    NOTE: The permission of the user chroot directory that is, /chroots/user/myhome should be 0755.
  6. Restart sshd.
    Repeat steps 3-5 for any additional users you wish to create or add to the sftponly group.

How to configure SFTP to prompt user to change password when user password is expired?


https://access.redhat.com/solutions/24758


nvironment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6

Issue

  • In a SFTP only server, after manually expiring the password, trying to login to SFTP will immediately disconnect the user. As the users do not have a shell, they are not prompted to change password at SFTP prompt as opposed to SSH login.

Resolution

  • Once password for a user expires, then the user may be prompted to change his password at the next SFTP login by making the following changes in the ssh configuration file /etc/ssh/sshd_config:
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
  • Then restart sshd service for the changes to take into effect. Now the user whose password has expired will be prompted to reset the password in the next SFTP login.

Root Cause

  • ChallengeResponseAuthentication usually serves an equivalent role to password authentication, so you should eihter disable PasswordAuthentication or ChallengeResponseAuthentication.
  • The ChallengeResponseAuthentication controls the support for the keyboard-interactive authentication scheme, where the client sends a repsonse to the challenge asked by the server, in this case the server responds back with the password prompt when you enable the ChallengeResponseAuthentication in sshd_config.

Sunday, March 19, 2017

SFTP is not working using IPA Client

Edit the /etc/ssh/sshd_config and comment out this line - Subsystem sftp /usr/libexec/openssh/sftp-server Replace it with Subsystem sftp internal-sftp restart sshd service and try.