Difference between pages "Git local overlay" and "SFTP Only Access"

From Funtoo

= Git local overlay =

This HOWTO explains how to work with a local overlay that is synchronized with your git repository.

== Setup git local overlay ==

=== Create local overlay ===

Create the necessary directory structure:

<console>
###i## mkdir -p /usr/local/portage/profiles
###i## echo "$HOSTNAME" >> /usr/local/portage/profiles/repo_name
</console>

This gives users in the portage group access to <tt>/usr/local/portage</tt>:

<console>
###i## chown root:portage /usr/local/portage
</console>

Assign the portage group as the default group for newly created files in <tt>/usr/local/portage</tt>:

<console>
###i## chmod g+s /usr/local/portage
</console>

Enable users in the portage group to write to <tt>/usr/local/portage</tt>:

<console>
###i## chmod 775 /usr/local/portage
</console>

Edit /etc/portage/make.conf:

<console>
###i## echo "PORTDIR_OVERLAY=/usr/local/portage" >> /etc/portage/make.conf
</console>

Create the relevant directory structure (I use the game rain-slick as an example):

<console>
$ ##bl##mkdir -p /usr/local/portage/games-rpg/rain-slick
</console>

Copy the ebuild to your overlay:

<console>
$ ##bl##cp rain-slick-1.5.ebuild /usr/local/portage/games-rpg/rain-slick
</console>

Issue the following commands to install rain-slick from your overlay:

<console>
$ ##bl##cd /usr/local/portage/games-rpg/rain-slick
$ ##bl##ebuild rain-slick-1.5.ebuild digest
$ ##bl##su
###i## emerge rain-slick
</console>
 
 
=== Synchronize with git repository ===

If you are not familiar with git and ssh, you can check [http://help.github.com/ this] GitHub manual.

If you do not have a git repository for your local overlay yet, you can create one like this:

<pre>
$ cd /usr/local/portage/
$ git init
$ git add /usr/local/portage/profiles/repo_name
$ git commit -m 'git init'
$ git remote add origin git@github.com:YourGitHubAccount/YourGitHubRepository.git
$ git push -u origin master
</pre>

If you already have a git overlay repository, or want to use an existing one, you can attach it like this:

<pre>
$ cd /usr/local/portage/
$ git init
$ git remote add origin git@github.com:YourGitHubAccount/YourGitHubRepository.git
$ git fetch
$ git branch master origin/master
$ git checkout master
</pre>
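Both synchronization paths above, as an added example that is not part of the original page: the "no repository yet" sequence and the "attach an existing repository" sequence are written as functions taking the overlay directory and the remote URL, so they can be exercised against a local bare repository standing in for GitHub. The function names, the commit identity and the `overlay_in_sync` check are this example's own assumptions; the branch is called master as on the page.

```shell
#!/bin/sh
# Added example (not from the Funtoo page): the two synchronisation paths
# above as functions. Assumptions: a constructed commit identity (below),
# the overlay already holds profiles/repo_name, and the remote may be any
# URL git accepts, including a local bare repository.

# Constructed identity so commits work on a machine with no git config.
GIT_AUTHOR_NAME=overlay-example;          export GIT_AUTHOR_NAME
GIT_AUTHOR_EMAIL=overlay@example.invalid; export GIT_AUTHOR_EMAIL
GIT_COMMITTER_NAME=$GIT_AUTHOR_NAME;      export GIT_COMMITTER_NAME
GIT_COMMITTER_EMAIL=$GIT_AUTHOR_EMAIL;    export GIT_COMMITTER_EMAIL

# init_overlay_repo OVERLAY REMOTE: "no repository yet" path. HEAD is pinned
# to master so the push matches whatever init.defaultBranch the host uses.
init_overlay_repo() (
    cd "$1" || exit 1
    git init -q || exit 1
    git symbolic-ref HEAD refs/heads/master || exit 1
    git add profiles/repo_name || exit 1
    git commit -q -m 'git init' || exit 1
    git remote add origin "$2" || exit 1
    git push -q -u origin master || exit 1
)

# attach_overlay_repo OVERLAY REMOTE: "repository already exists" path.
attach_overlay_repo() (
    mkdir -p "$1" && cd "$1" || exit 1
    git init -q || exit 1
    git remote add origin "$2" || exit 1
    git fetch -q origin || exit 1
    git branch master origin/master || exit 1
    git checkout -q master || exit 1
)

# overlay_in_sync OVERLAY: 0 when the working tree is clean and local master
# points at the same commit as origin/master; useful before an emerge so you
# know which ebuilds you are actually about to build.
overlay_in_sync() (
    cd "$1" || exit 1
    [ -z "$(git status --porcelain)" ] || exit 1
    [ "$(git rev-parse master)" = "$(git rev-parse origin/master)" ] || exit 1
)
```

Each function runs in a subshell, so the caller's working directory is untouched; with the page's real remote you would call `init_overlay_repo /usr/local/portage git@github.com:YourGitHubAccount/YourGitHubRepository.git`.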
[[Category:HOWTO]]

SFTP Only Access (revision as of 16:50, 30 August 2011)

Context

In some cases it can be useful to set up access on your Funtoo box such that a user:

  • does not see the whole contents of the machine but, instead, remains "jailed" in a home directory
  • is able to transfer files back and forth on the box via SFTP
  • does not have access to a shell

Such an SFTP-only access is easy to set up:

  1. Assign a group (e.g. sftponly) to the users that must be restricted to an SFTP-only account
  2. Slightly change the OpenSSH configuration so that users belonging to your sftp-only group are given chrooted access
  3. Make OpenSSH ignore any command other than running sftp-server on the server side for users belonging to your sftp-only group (this is where the trick lies!)

Quick start

First, a dedicated group must be created. For the sake of the example we use sftponly here; use whatever name fits your preferences:

# groupadd sftponly

Next, in the OpenSSH configuration (located in /etc/sshd/sshd_config), locate:

Subsystem      sftp    /usr/lib64/misc/sftp-server

and change it for:

Subsystem      sftp    internal-sftp

Now the $100 question: "how can OpenSSH be told to restrict a user to a simple sftp session?" Simple! Assuming that sftponly is the group you use for your restricted users, just add the following statement to the file /etc/sshd/sshd_config:

# Restricted users, no TCP connection bouncing, no X tunneling.
Match group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
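The Match block above, as an added example that is not part of the original page: a small shell checker that reads an sshd_config, pulls the directives that apply inside `Match group <group>`, confirms the block really forces internal-sftp and disables both forwarding kinds, and verifies the chroot target against OpenSSH's ownership rule for ChrootDirectory. The function names and the embedded sample configuration are this example's own; the sample is constructed from the page's block plus a second Match block for an unrestricted group.

```shell
#!/bin/sh
# Added example (not from the Funtoo page): checks an sshd_config for the
# SFTP-only Match block described above. Assumptions: CONFIG path and GROUP
# are caller-supplied; sample_config writes a constructed file for testing.

# match_directive CONFIG GROUP KEYWORD: print KEYWORD's value inside
# "Match group GROUP" (a Match block ends at the next Match line or EOF).
# KEYWORD is compared case-insensitively, as sshd does.
match_directive() {
    awk -v grp="$2" -v key="$3" '
        /^[[:space:]]*#/ { next }                       # comment line
        tolower($1) == "match" {
            inblock = (tolower($2) == "group" && $3 == grp); next }
        inblock && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# sftp_only_ok CONFIG GROUP: 0 only if the group is chrooted, forced into
# internal-sftp, and denied both TCP and X11 forwarding.
sftp_only_ok() {
    [ "$(match_directive "$1" "$2" ForceCommand)" = "internal-sftp" ] || return 1
    [ -n "$(match_directive "$1" "$2" ChrootDirectory)" ] || return 1
    [ "$(match_directive "$1" "$2" AllowTcpForwarding)" = "no" ] || return 1
    [ "$(match_directive "$1" "$2" X11Forwarding)" = "no" ] || return 1
}

# chroot_dir_ok DIR: 0 if DIR and every parent up to / are owned by root and
# writable by neither group nor others, which is what sshd requires before
# it will chroot a session there.
chroot_dir_ok() {
    dir=$1
    while :; do
        set -- $(ls -ld "$dir")        # $1 = mode string, $3 = owner
        mode=$1; owner=$3
        [ "$owner" = root ] || return 1
        case $mode in
            d????w????*) return 1 ;;   # group write bit set
            d???????w?*) return 1 ;;   # other write bit set
        esac
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# sample_config PATH: constructed sshd_config fragment for testing; the first
# Match block is the page's, the second is a deliberately unrestricted group.
sample_config() {
    cat > "$1" <<'EOF'
Subsystem      sftp    internal-sftp
# Restricted users, no TCP connection bouncing, no X tunneling.
Match group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
Match group admins
        X11Forwarding yes
EOF
}
```

Two points the checker encodes that the page does not spell out. ChrootDirectory requires the target directory and all of its parents to be root-owned and not group- or world-writable, so a /home/%u that is owned by the user (the usual home directory) makes sshd refuse the login; the common arrangement is a root-owned /home/user with a user-writable subdirectory inside it for the actual uploads. And because internal-sftp runs inside the sshd process, no sftp-server binary or libraries need to exist inside the chroot, which is why the Subsystem line is changed before the Match block is added.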

To understand how it works, you must be aware that, when you open an SSH session, the SSHD process launches a process on the server side, which could be:

  • a shell => ssh login@host
  • a kind of dedicated ftp daemon (sftp-server) => sftp user@host

TBC