Monday, March 20, 2017

Script to configure chrooted sftp-only users.

1. The SFTP user's home folder (the directory sshd chroots into) must be owned by root:root with permission 755. Users can't see another user's directories anyway, because each user is chrooted into their own.
2. SFTP users will have no shell (Linux server) access, as that is not possible in a chrooted sftp environment, so it's better to set the sftp users' shell to /bin/false for security reasons.
3. Don't add further SFTP groups later (better to use only one group for all sftp users): a new group means another Match block in sshd_config and a reload of the sshd daemon, which we should not do once moved to Production. There is also no use in having multiple groups for chrooted sftp users, as they can't access any directory other than their chrooted work directory in any way.
4. Users (not the SFTP users) with shell access (i.e. the Hadoop team) should have sudo permissions to work on all the /chroots/ folders (as they are working on all the files). Note that with 755 on the work directories the files are already world-readable; sudo is only needed to write into them or to change them.

Following is the script to configure sftp-only users.


#!/bin/bash
#sftponly_user_creation.sh
# Creates (or converts) a user as a chrooted, sftp-only account.
# Layout: /chroots/<user>       root:root 0755  (the ChrootDirectory; must not be writable by the user)
#         /chroots/<user>/work  <user>:sdp 0755 (the only place the user can write)

: "${1?Kindly specify the user you wish to add as a CHROOTED SFTPONLY user. Script usage: $0 <username>}"

GRP=sdp
FUSER=$1

# the Match Group block in sshd_config refers to this group, so it must already exist
getent group "$GRP" >/dev/null || { echo "group $GRP does not exist"; exit 1; }

if ! id "$FUSER" >/dev/null 2>&1
        then
        echo "NO USER $FUSER FOUND. CREATING IT......"
        # -M: don't let useradd create the home; it is created root-owned below
        useradd -d /chroots/"$FUSER" -M -g "$GRP" -s /bin/false "$FUSER"
        else
        usermod -d /chroots/"$FUSER" -g "$GRP" -s /bin/false "$FUSER"
fi

mkdir -p /chroots/"$FUSER"/work
# sshd refuses the chroot unless /chroots and /chroots/<user> are root-owned
# and not group/world-writable; only the work subdirectory belongs to the user
chown root:root /chroots /chroots/"$FUSER"
chmod 755 /chroots /chroots/"$FUSER"
chown "$FUSER":"$GRP" /chroots/"$FUSER"/work
chmod 755 /chroots/"$FUSER"/work
passwd "$FUSER"
# force a password change at first login (needs ChallengeResponseAuthentication yes,
# see the password-expiry note further down)
chage -d 0 "$FUSER"

#End of script

User, group and password syncing script for SFTP servers

Following is a script which can be used to sync users between SFTP systems. We can cron it (running every 30 minutes). It runs from one server (call it the IPA server) that is used for user creation and password resets, keeps a dated backup of each file on the target first, and then pushes the account files over scp (root key-based ssh to each SFTP host is assumed). Two caveats: it overwrites the complete /etc/passwd and /etc/shadow on the targets, so every local account on the SFTP hosts (root, service accounts, the Hadoop team) must exist with the same UID/GID and password hash on the source server or it will be changed by the next run; and the chroot directories under /chroots/ are not created by this sync. If the SFTP hosts create home directories on first login (pam_mkhomedir), note that such a directory is owned by the user and sshd will refuse it as a ChrootDirectory, so the root-owned chroot directory still has to be prepared with the creation script above.
----------

#!/bin/bash
# Push the local account database to the SFTP hosts, keeping a dated backup on each host.
SFTP01=172.28.56.10
SFTP02=172.28.56.11
DATE=$(date +%m%d%y%H%M%S)

for i in /etc/passwd /etc/group /etc/shadow /etc/gshadow
do
        for host in "$SFTP01" "$SFTP02"
        do
                # back up first; -p keeps shadow/gshadow at their 0000 root:root mode
                ssh "$host" "cp -p $i $i.$DATE" && scp -p "$i" "$host:$i"
        done
done
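Overwriting the whole account database is the part of this sync that bites in practice: any account that exists on the SFTP host but not on the source, or with a different UID, is silently replaced. The script below is an added example, not part of the original post. Instead of copying the files whole, it merges only the entries whose primary group is the sftp group (the GID of `sdp` on this page) into the target's existing passwd and shadow files and keeps every other local entry untouched, so a name collision upstream can never replace a local system account. It assumes /etc/group is already identical on all hosts (one sftp group, as the post sets up), that the central copies have been fetched to a root-only directory, and a GNU/mawk awk; the /root/sync/ paths in the trailing comments are assumptions.

```bash
#!/bin/bash
# merge_sftp_accounts.sh -- added example, not from the original post.
# Carries only the sftp group's accounts from the central copies into this
# host's passwd/shadow; local entries outside that group are kept verbatim.
# Usage: merge_passwd LOCAL_PASSWD SRC_PASSWD GID > passwd.new
#        merge_shadow LOCAL_SHADOW SRC_SHADOW LOCAL_PASSWD SRC_PASSWD GID > shadow.new

# merge_passwd LOCAL SOURCE GID
merge_passwd() {
    awk -F: -v gid="$3" '
        FILENAME == ARGV[1] {                       # SOURCE: index accounts whose primary group is gid
            if ($4 == gid) { if (!($1 in src)) ord[++n] = $1; src[$1] = $0 }
            next
        }
        $4 != gid {                                 # LOCAL account outside the sftp group: keep it,
            if ($1 in src) {                        # even if upstream has an sftp account of that name
                print "conflict: keeping local entry for " $1 > "/dev/stderr"
                delete src[$1]
            }
            print; next
        }
        ($1 in src) { print src[$1]; delete src[$1]; next }   # LOCAL sftp account: upstream copy wins
        { next }                                               # LOCAL sftp account removed upstream: drop
        END { for (i = 1; i <= n; i++) if (ord[i] in src) print src[ord[i]] }   # new sftp accounts
    ' "$2" "$1"
}

# merge_shadow LOCAL_SHADOW SRC_SHADOW LOCAL_PASSWD SRC_PASSWD GID
# shadow(5) carries no group, so both passwd files are read to learn which
# usernames are sftp accounts locally and upstream.
merge_shadow() {
    awk -F: -v gid="$5" '
        FILENAME == ARGV[1] { if ($4 == gid) loc[$1] = 1; next }    # LOCAL passwd: local sftp users
        FILENAME == ARGV[2] { if ($4 == gid) want[$1] = 1; next }   # SRC passwd: upstream sftp users
        FILENAME == ARGV[3] {                                       # SRC shadow: keep the wanted lines
            if ($1 in want) { if (!($1 in src)) ord[++n] = $1; src[$1] = $0 }
            next
        }
        !($1 in loc) { delete src[$1]; print; next }                # LOCAL non-sftp hash: keep as is
        ($1 in src) { print src[$1]; delete src[$1]; next }         # LOCAL sftp hash: upstream copy wins
        { next }                                                    # removed upstream: drop
        END { for (i = 1; i <= n; i++) if (ord[i] in src) print src[ord[i]] }
    ' "$3" "$4" "$2" "$1"
}

# On an SFTP host, with the central copies fetched to /root/sync/ (path assumed):
#   gid=$(getent group sdp | cut -d: -f3)
#   merge_passwd /etc/passwd /root/sync/passwd "$gid" > /etc/passwd.new
#   merge_shadow /etc/shadow /root/sync/shadow /etc/passwd /root/sync/passwd "$gid" > /etc/shadow.new
#   pwck -r /etc/passwd.new /etc/shadow.new \
#     && install -m 644 -o root -g root /etc/passwd.new /etc/passwd \
#     && install -m 000 -o root -g root /etc/shadow.new /etc/shadow
```

Run pwck on the merged files before installing them, and install them with the modes shown rather than with scp, so /etc/shadow never sits readable on disk. A conflict (a local non-sftp account that upstream lists as an sftp account) is reported on stderr and the local entry wins.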

FIND command - file deletion excluding a specific extension

# cat non_csv_delete.sh
#!/bin/bash
# Delete every regular file under each listed user's directory except CSV files.
# -iname makes the match case-insensitive; "*.csv*" also keeps names such as report.csv.gz.
while read -r user
do
        [ -n "$user" ] || continue
        find /home/"$user"/ -type f ! -iname "*.csv*" -delete
done < /sftp_users.txt

How to set up SFTP to chroot only for specific users

https://access.redhat.com/solutions/20764



Environment

  • Red Hat Enterprise Linux (RHEL) 6
  • Red Hat Enterprise Linux (RHEL) 7

Issue

  • How to set up sftp to chroot only for specific users
  • How to set up sftp so that a user can't get out of their home directory, ensuring no other users are affected
  • Preserve normal ssh/sftp functionality for most other users
  • Support for sftp/scp account jails in openssh server
  • I am facing problems for configuring sftp server and need assistance for the same.

Resolution

In order to allow ChrootDirectory functionality on a per-user basis, employ a conditionally executed sshd configuration (using the "Match" keyword) in the sshd_config file.
This example will use a "Match" block based on group membership, but other criteria may be used in a "Match" block to determine which users are restricted to the ChrootDirectory (see "man sshd_config" for more details).
NOTE :- sshd checks every component of the chroot path, starting at /, and requires each one to be owned by root:root and not writable by group or others; anything else blocks chroot sftp access (the login fails with "bad ownership or modes for chroot directory component" in /var/log/secure).
If / itself is not root:root, fix that before anything else:
# chown root:root /
  1. Edit sshd_config
    • Comment the original Subsystem entry for sftp and replace it with a new entry:
    #Subsystem      sftp    /usr/libexec/openssh/sftp-server
    Subsystem       sftp    internal-sftp
    
    • Add the following to the end of the /etc/ssh/sshd_config file.
            Match Group sftponly
                    ChrootDirectory /chroots/%u
                    AllowTcpForwarding no
                    ForceCommand internal-sftp
                    X11Forwarding no
    
  2. Create a new group to add sftp-only users to (users in this group will not have access to ssh/scp and sftp access will be limited to their chrooted environment.)
    # groupadd sftponly
    
    NOTE: Persons not in this group can still log in to the host via ssh and otherwise interact with openssh normally.
  3. Configure or create the accounts of any sftp-only users.  NOTE: the specified home directory is relative to the ChrootDirectory.
    # usermod  -g sftponly -s /bin/false user  
    
    or
    #useradd -d /myhome -M -g sftponly -s /bin/false user
    
    In case you newly create the "user", set its password
    # passwd user
    
  4. Create the user's chroot environment and configure directory permissions.  Ensure that this entire path is owned by root and only writable by root.
    # mkdir -p /chroots/user ; chmod -R 755 /chroots/user
    
    NOTE: In this case, the chroot directory is set to /chroots/%u (%u is replaced by the username of that user) so that each user will have an individual chroot environment.
    Users will not be able to see other directories located beneath the root of their chrooted environment.
  5. Create the user's actual home directory under the ChrootDirectory and chown it to the user and group created/used in Step 3 (above).
    # mkdir /chroots/user/myhome ; chown user:sftponly /chroots/user/myhome
    
    NOTE: The permission of the user chroot directory that is, /chroots/user/myhome should be 0755.
  6. Restart sshd.
    Repeat steps 3-5 for any additional users you wish to create or add to the sftponly group.

How to configure SFTP to prompt user to change password when user password is expired?


https://access.redhat.com/solutions/24758


Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6

Issue

  • On an SFTP-only server, after manually expiring the password, trying to log in to SFTP immediately disconnects the user. As the users do not have a shell, they are not prompted to change the password at the SFTP prompt, as opposed to an SSH login.

Resolution

  • Once the password for a user expires, the user can be prompted to change it at the next SFTP login by making the following changes in the ssh configuration file /etc/ssh/sshd_config:
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
  • Then restart the sshd service for the changes to take effect. The user whose password has expired will now get the PAM password-change dialogue at the next SFTP login, before the sftp> prompt. Note that this is a global change: every password login on the host then goes through keyboard-interactive (PAM) authentication, which all standard ssh/sftp clients support.

Root Cause

  • ChallengeResponseAuthentication usually serves an equivalent role to password authentication, so you should either disable PasswordAuthentication or ChallengeResponseAuthentication.
  • ChallengeResponseAuthentication controls support for the keyboard-interactive authentication scheme, where the client sends a response to the challenge asked by the server; in this case the server responds with the password prompt (and, through PAM, the password-change prompts) when ChallengeResponseAuthentication is enabled in sshd_config.

Sunday, March 19, 2017

SFTP is not working using IPA Client

Edit /etc/ssh/sshd_config and comment out this line:
#Subsystem sftp /usr/libexec/openssh/sftp-server
Replace it with:
Subsystem sftp internal-sftp
Then restart the sshd service and try again.

Thursday, February 16, 2017

INSTALLING RED HAT SATELLITE SERVER 6.2 Rough notes

1) Enable the following repos:
subscription-manager repos --enable=rhel-7-server-rpms --enable=rhel-7-server-optional-rpms --enable=rhel-7-server-satellite-6.2-rpms --enable=rhel-server-rhscl-7-rpms

STEPS:
1) Take a snapshot
2) IP
3) DNS
4) Proxy configurations
5) snapshot
6) scripted install
7) If works fine then OK otherwise step by step install
8) create check points for better installation




hammer repository-set enable --organization "Smart" --product 'Red Hat Enterprise Linux Server' --basearch='x86_64' --releasever='7Server' --name 'Red Hat Enterprise Linux 7 Server (RPMs)'

#hammer repository-set enable --organization "Smart" --product 'Red Hat Enterprise Linux Server' --basearch='x86_64' --releasever='7Server' --name 'Red Hat Enterprise Linux 7 Server (Kickstart)'
#hammer repository-set enable --organization "Smart" --product 'Red Hat Enterprise Linux Server' --basearch='x86_64' --name 'Red Hat Satellite Tools 6.2 (for RHEL 7 Server) (RPMs)'

#hammer repository-set enable --organization "Smart" --product 'Red Hat Enterprise Linux Server' --basearch='x86_64' --name 'Red Hat Enterprise Linux 7 Server - RH Common RPMs x86_64 7Server'


hammer repository synchronize --async --organization "Smart" --product 'Red Hat Enterprise Linux Server'  --name 'Red Hat Enterprise Linux 7 Server Kickstart x86_64 7Server'
hammer repository synchronize --async --organization "Smart" --product 'Red Hat Enterprise Linux Server'  --name 'Red Hat Satellite Tools 6.2 for RHEL 7 Server RPMs x86_64'
hammer repository synchronize --async --organization "Smart" --product 'Red Hat Enterprise Linux Server'  --name 'Red Hat Enterprise Linux 7 Server RPMs x86_64 7Server'
hammer repository synchronize --async --organization "Smart" --product 'Red Hat Enterprise Linux Server'  --name 'Red Hat Enterprise Linux 7 Server - RH Common RPMs x86_64 7Server'



hammer content-view create --organization "Smart" --name 'RHEL7_Base' --label rhel7_base --description 'Core Build for RHEL 7'

#hammer content-view add-repository --organization "Smart" --name 'RHEL7_Base' --product 'Red Hat Enterprise Linux Server' --repository 'Red Hat Enterprise Linux 7 Server RPMs x86_64 7Server'
#hammer content-view add-repository --organization "Default Organization" --name 'RHEL7_base' --product 'Red Hat Enterprise Linux Server' --repository 'Red Hat Satellite Tools 6.2 for RHEL 7 Server RPMs x86_64'

#hammer content-view add-repository --organization "Default Organization" --name 'RHEL7_base' --product 'Red Hat Enterprise Linux Server' --repository 'Red Hat Enterprise Linux 7 Server - RH Common RPMs x86_64 7Server'

#hammer content-view add-repository --organization "Default Organization" --name 'RHEL7_base' --product 'EPEL 3rd Party Packages'  --repository  'EPEL 7 - x86_64'







hammer lifecycle-environment create --organization "Smart" --description 'Development' --name 'DEV' --label development --prior Library
hammer lifecycle-environment create --organization "Smart" --description 'Production' --name 'PROD' --label production --prior 'DEV'



cat > .hammer/cli_config.yml <<EOF
:foreman:
    :host: 'https://localhost/'
    :username: 'admin'
    :password: 'redhat'
EOF

This file holds the admin password in plaintext, so keep it owned by root with mode 0600. The password also lands in ~/.bash_history whenever it is passed to satellite-installer with --foreman-admin-password, as in the commands below.


------------------

try

yum update java

hostnamectl set-hostname sp1lvlxset02.sdp
echo 172.28.68.47 sp1lvlxset02.sdp sp1lvlxset02 >> /etc/hosts
vi /etc/hosts
ping sp1lvlxset02
facter fqdn
hostname
hostname -f
ping -c1 localhost
ping -c1 `hostname -s`
ping -c1 `hostname -f`
cp /etc/httpd/conf.modules.d/xsendfile.conf  /etc/httpd/conf.d/
ll /etc/httpd/conf.d/xsendfile.conf
ll /etc/httpd/conf.modules.d/xsendfile.conf
systemctl restart httpd
ls -l /usr/share/tomcat/conf/keystore
ll /etc/candlepin/certs/keystore
rpm -qa | grep java

satellite-installer --scenario satellite --foreman-initial-organization "Smart" --foreman-initial-location "SDP_MEYDAN_DC" --foreman-admin-username admin --foreman-admin-password HP1nvent --verbose --katello-proxy-url=http://proxy.server --katello-proxy-port=8080




hostnamectl set-hostname sp1lvlxset02.sdp
hostname -f
facter fqdn
vi /etc/hosts
----

In case of a static IP address with no DNS, ensure /etc/hosts contains the FQDN hostname in the first position, for example:

192.168.1.1 satellite.example.com
-------
Note that if changing the hostname at this stage of deployment, first ensure that you can successfully run these pings:
ping -c1 localhost
ping -c1 `hostname -s` # my_system
ping -c1 `hostname -f` # my_system.domain.com

cp /etc/httpd/conf.modules.d/xsendfile.conf  /etc/httpd/conf.d/
Attempt to restart httpd:

systemctl restart httpd
--------------

Confirm ownership and permissions of the files below. Correct them as needed.
# ls -l /usr/share/tomcat/conf/keystore
lrwxrwxrwx. 1 tomcat foreman 25 Sep 11 18:12 /usr/share/tomcat/conf/keystore -> /etc/pki/katello/keystore

# ls -l /etc/pki/katello/keystore
-rw-r--r--. 1 root root 2954 Sep 11 18:12 /etc/pki/katello/keystore

# ls -l /etc/foreman-proxy/ssl_cert.pem
-rw-r--r--. 1 root root 5579 Sep 11 18:11 /etc/foreman-proxy/ssl_cert.pem

---------------------------




satellite-installer --scenario satellite --foreman-initial-organization "Smart" --foreman-initial-location "SDP_MEYDAN_DC" --foreman-admin-username admin --foreman-admin-password HP1nvent  --verbose


satellite-installer --scenario satellite --upgrade --verbose


------------------------JAVA VERSION-----------
Workaround

Run:

# rpm -e java-1.8.0-openjdk-headless-1.8.0.45-28.b13.el6_6.x86_64 java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.x86_64
# yum -y install java-1.7.0-openjdk
# alternatives --config java
Then pick the number next to 1.7.0 and re-run the installer.
Root Cause

The default version of java installed with RHEL 6.6 does not work with Red Hat Satellite 6.
Diagnostic Steps

Check the version of java installed and verify it's not 1.8:

# rpm -qa | grep java


------------

Resolution

To fix this issue can you please run below commands:
# foreman-rake console
irb(main):001:0> Host.find_by_name("client1.example.com").interfaces=[]
Re-run the same upgrade command again to complete the satellite upgrade process.
Root Cause

From output of Host.find_by_name, it seems that the network interface set to the system has subnet set as blank.
irb(main):002:0> Nic::Managed.where(:host_id => Host.find_by_name('client1.example.com'), :primary => true, :provision => true)
=> #]>
irb(main):003:0>
----------





katello-installer --katello-proxy-url=http://myproxy.example.com --katello-proxy-port=8080 --katello-proxy-username=proxy_username --katello-proxy-password=proxy_password
facter fqdn
hostname -f
hostnamectl set-hostname SP1LVLXSET02.sdp
hostname -f
facter fqdn


Resolution

Change the specified proxy username to one that does not include the domain or '\' special character.
Note: prior to re-running the Satellite installer, ensure that any bash proxy definitions are cleared :

# export http_proxy=""
# export https_proxy=$http_proxy
# export no_proxy=$http_proxy



[root@sp1lvlxset02 ~]#  satellite-installer --scenario satellite --foreman-initial-organization "Smart" --foreman-initial-location "SDP_MEYDAN_DC" --foreman-admin-username admin --foreman-admin-password HP1nvent
Installing             --- /etc/foreman-proxy/settings.d/pulpnode.ymlens201 [99%] [.................................................................................................................]
 /Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: Failed to call refresh: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]
 /Stage[main]/Foreman::Database/Foreman::Rake[db:seed]/Exec[foreman-rake-db:seed]: /usr/sbin/foreman-rake db:seed returned 1 instead of one of [0]
 /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sp1lvlxset02.sdp]: Could not evaluate: Proxy sp1lvlxset02.sdp cannot be registered (Could not load data from https://sp1lvlxset02.sdp.smart.ae
 /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sp1lvlxset02.sdp]: Failed to call refresh: Proxy sp1lvlxset02.sdp.smart.ae cannot be registered (Could not load data from https://sp1lvlxset02.sdp.smart.ae
 /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[sp1lvlxset02.sdp]: Proxy sp1lvlxset02.sdp.smart.ae cannot be registered (Could not load data from https://sp1lvlxset02.sdp.smart.ae
Installing             Done                                               [100%] [.................................................................................................................]
  Something went wrong! Check the log for ERROR-level output
  The full log is at /var/log/foreman-installer/satellite.log




grep -r SP1LVLXSET02 /
grep -r SP1LVLXSET02 / 2> /dev/null
facter fqdn
vi /root/.hammer/cli_config.yml
facter fqdn
hostname -f
grep -r SP1LVLXSET02 / 2> /dev/null
yum -y install satellite foreman-proxy
hostname set-hostname sp1lvlxset02.sdp
hostnamectl set-hostname sp1lvlxset02.sdp
hostname
echo $HOSTNAME
cat .bash_profile
cat /.bashrc
cat ~/.bashrc
cat /etc/bashrc
cat /etc/bashrc|grep -i host
echo $HOSTNAME
reboot
history
satellite-installer --scenario satellite --foreman-initial-organization "Smart" --foreman-initial-location "SDP_MEYDAN_DC" --foreman-admin-username admin --foreman-admin-password HP1nvent
cat /etc/hosts
echo 172.28.68.47 sp1lvlxset02.sdp  sp1lvlxset02 >> /etc/hosts
vi /etc/hosts
ip r s
satellite-installer --scenario satellite --foreman-initial-organization "Smart" --foreman-initial-location "SDP_MEYDAN_DC" --foreman-admin-username admin --foreman-admin-password HP1nvent
history

--------------