Difference between pages "Talk:SAN Box used via iSCSI" and "SFTP Only Access"

Talk:SAN Box used via iSCSI

* Explicit device-thresholds seems to be useless, Solaris powers down everything it can. Should try an explicit device-thresholds with system-threshold always-on.
* Even with tpg defined, a target still listens on all NICs, but the port seems to be taken into account... Bug?
* Why does format protest with:

<pre>
WARNING - This disk may be in use by an application that has
          modified the fdisk table. Ensure that this disk is
          not currently in use before proceeding to use fdisk
</pre>

Thus requiring to manually create a partition with format -> fdisk before being partitioned? ZFS/COMSTAR bug? It does not seem to be a thin provisioning issue at first glance.
* What about 4k sector alignment required by new hard-drives? Is iSCSI transparent for that?

----
* device-thresholds: Solaris respects power saving requirements, so yes, if it can, it will; my goal here was an attempt to control the delays. Some green drives ignore them.
* tpg: same here, the target listens for connections on all addresses... It sounds like a bug! Functional descriptions are not the same as the observed behaviours.
* I didn't use fdisk; I give the whole disk to ZFS and it deals nicely with it (a GPT table is created automatically).
* 4k sectors: Solaris seems to handle 4k sectors (on condition that the drive does not lie about its physical sector size). I would say that iSCSI should pay attention ("direct" access); the impact on an access through a zvol on a pool is still a very good question.

--404

SFTP Only Access

Revision as of 16:50, August 30, 2011

Context

In some cases, it can be useful to set up an account on your Funtoo box such that the user:

  • does not see the whole contents of the machine but, instead, remains "jailed" in a home directory
  • is able to transfer files back and forth on the box via SFTP
  • does not have access to a shell

Such an SFTP-only access is easy to set up:

  1. Assign a group (e.g. sftponly) to the users that must be restricted to an SFTP-only account
  2. Slightly change the configuration of OpenSSH so that users belonging to your sftp-only group are given chrooted access
  3. Make OpenSSH ignore any command other than running sftp-server on the server side for users belonging to your sftp-only group (this is where the trick lies!)

Quick start

First, a dedicated group must be created. For the sake of the example we use sftponly here; use whatever name fits your preferences:

# groupadd sftponly

Next, in the OpenSSH configuration (located in /etc/sshd/sshd_config), locate:

Subsystem      sftp    /usr/lib64/misc/sftp-server

and change it for:

Subsystem      sftp    internal-sftp

Now the $100 question: "how can OpenSSH be told to restrict a user's access to a simple sftp session?" Simple! Assuming that sftponly is the group you use for your restricted users, just add the following statement to the file /etc/sshd/sshd_config:

# Restricted users, no TCP connexions bouncing, no X tunneling.
Match group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

To understand how it works, you must be aware that, when you open an SSH session, the SSHD process launches a process on the server side, which could be:

  • a shell => ssh login@host
  • a kind of dedicated ftp daemon (sftp-server) => sftp user@host

TBC
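As an added example (not part of the wiki page or of OpenSSH), a small Python auditor that checks an sshd_config text for the Match block described above and applies the ownership rule sshd enforces on ChrootDirectory: every component of the jail path must be owned by root and not writable by group or others, so the jailed user normally gets a writable subdirectory under it rather than write access to /home/%u itself. The two sample configs are constructed: the 'before' state and the hardened state from this HOWTO.

```python
import stat

# Directives the Match block for the jailed group must carry (sshd_config keywords
# are case-insensitive, so they are kept lower-cased here).
REQUIRED = {"forcecommand": "internal-sftp", "allowtcpforwarding": "no", "x11forwarding": "no"}

# Constructed sample configs: WEAK_CONFIG is the default Subsystem line plus a bare chroot.
WEAK_CONFIG = "Subsystem sftp /usr/lib64/misc/sftp-server\nMatch group sftponly\n\tChrootDirectory /home/%u\n"
HARDENED_CONFIG = WEAK_CONFIG.replace("/usr/lib64/misc/sftp-server", "internal-sftp") + (
    "\tX11Forwarding no\n\tAllowTcpForwarding no\n\tForceCommand internal-sftp\n")

def parse_sshd_config(text):
    """Split sshd_config into global directives and [(match criteria, directives)]; lines after a Match belong to it."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = " ".join(parts[1].split()) if len(parts) > 1 else ""  # normalise tabs/spaces
        if key == "match":
            blocks.append((value.lower(), current := {}))  # start a new conditional block
        else:
            (global_opts if current is None else current)[key] = value
    return global_opts, blocks

def audit_sftp_jail(text, group):
    """Return human-readable findings; an empty list means the jail is configured as intended."""
    global_opts, blocks = parse_sshd_config(text)
    findings = []
    if global_opts.get("subsystem", "").lower() != "sftp internal-sftp":
        findings.append("Subsystem sftp should be internal-sftp (no sftp-server binary exists inside the chroot)")
    block = next((d for crit, d in blocks if crit == f"group {group}"), None)
    if block is None:
        return findings + [f"no 'Match group {group}' block"]
    if "chrootdirectory" not in block:
        findings.append("ChrootDirectory missing: the user would see the whole filesystem")
    for key, want in REQUIRED.items():
        if block.get(key, "").lower() != want:
            findings.append(f"{key} should be '{want}'")
    return findings

def chroot_dir_problems(st_uid, st_mode):
    """sshd refuses a ChrootDirectory unless every path component is root-owned and not
    group/other-writable ("bad ownership or modes"); check one component's stat() values."""
    problems = ["not owned by root"] if st_uid != 0 else []
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems
```

Run audit_sftp_jail() over the real file after editing and fix every finding before restarting sshd; a jailed user whose home fails chroot_dir_problems() is disconnected at login rather than let in.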