Difference between pages "Ebuild Maintainer list" and "SFTP Only Access"

From Funtoo
Ebuild Maintainer list

To keep track of who is responsible for each ebuild and how to contact them, please add yourself to the list below together with the ebuild(s) you maintain and your contact details.

{| border="2" cellpadding="4" cellspacing="0" style="width:75%; margin:1em 1em 1em 0; background:#fafafa; border:1px #aaa solid; border-collapse:collapse; font-size:95%; caption-side:bottom;"
|-
! !! ebuild !! Name !! IRC Contact !! Wiki User !! Other Contact
|-
! A
|-
| || app-misc/screenfetch || Ari Malinen || defer- || [[User:defer|defer]] || see user page
|-
! B
|-
| || x11-misc/bumblebee || Michael Ketslah || ZogG || [[User:ZogG|ZogG]] || see user page
|-
! E
|-
| || eclipse-sdk || Jean-Francis Roy || jeanfrancis || [[User:Jeanfrancis|JeanFrancis]] || see user page
|-
| || eclipse-sdk-bin || Jean-Francis Roy || jeanfrancis || [[User:Jeanfrancis|JeanFrancis]] || see user page
|-
! F
|-
| || x11-misc/fbmenugen || Sandy-Marko Knauer || knasan || [[User:knasan|knasan]] || see user page
|-
| || media-video/freeseer || Patrick McMunn || PaddyMac || [[User:PaddyMac|PaddyMac]] || see user page
|-
| || fribid || Edward Tjörnhammar || edwtjo || [[User:Edwtjo|Edwtjo]] || see user page
|-
! J
|-
| || jsl || Jean-Francis Roy (ebuild from felicitus overlay) || jeanfrancis || [[User:Jeanfrancis|JeanFrancis]] || see user page
|-
! L
|-
| || lucene-analyzers || Jean-Francis Roy || jeanfrancis || [[User:Jeanfrancis|JeanFrancis]] || see user page
|-
! M
|-
| || media-gfx/makehuman || Sandy-Marko Knauer || knasan || [[User:Knasan|Knasan]] || see user page
|-
| || minetest || Edward Tjörnhammar || edwtjo || [[User:Edwtjo|Edwtjo]] || see user page
|-
! O
|-
| || oblogout || Jean-Francis Roy || jeanfrancis || [[User:Jeanfrancis|JeanFrancis]] || see user page
|-
| || oxygen-fonts || Rafael Fernández López || ereslibre || [[User:Ereslibre|Ereslibre]] || see user page
|-
! P
|-
| || palm-novacom || Jean-Francis Roy || jeanfrancis || [[User:Jeanfrancis|JeanFrancis]] || see user page
|-
| || pyroom || Martin Scholz || golodhrim || [[User:Golodhrim|Golodhrim]] || see Bio
|-
! R
|-
| || media-sound/renoise || Ari Malinen || defer- || [[User:defer|defer]] || see user page
|-
| || media-sound/renoise-demo || Ari Malinen || defer- || [[User:defer|defer]] || see user page
|-
! S
|-
| || safecopy || Markus Maiwald || mmatk || [[User:Mmatk|Mmatk]] || see user page
|-
| || sensors-lxpanel-plugin || Mike Johnson || sputnik_too_ || [[User:sputnik|sputnik]] || see user page
|-
| || shogun || Jean-Francis Roy || jeanfrancis || [[User:Jeanfrancis|JeanFrancis]] || see user page
|-
| || media-libs/silly || Patrick McMunn || PaddyMac || [[User:PaddyMac|PaddyMac]] || see user page
|-
| || splash-themes-funtoo || ryo || ryo || [[User:ryo|Ryo]] || see user page
|-
| || spotify || Rafael Fernández López || ereslibre || [[User:Ereslibre|Ereslibre]] || see user page
|-
| || sublime-text || Rafael Fernández López || ereslibre || [[User:Ereslibre|Ereslibre]] || see user page
|-
| || www-client/surf || Ari Malinen || defer- || [[User:defer|defer]] || see user page
|-
| || svmlight || Jean-Francis Roy || jeanfrancis || [[User:Jeanfrancis|JeanFrancis]] || see user page
|-
! T
|-
| || theano || Jean-Francis Roy || jeanfrancis || [[User:Jeanfrancis|JeanFrancis]] || see user page
|-
| || thinkfan || Rafael Fernández López || ereslibre || [[User:Ereslibre|Ereslibre]] || see user page
|-
| || traGtor || Kai Korla || balticer || [[User:balticer|balticer]] || see user page
|-
! X
|-
| || xfce-base/xfwm4 || Roman v. Gemmeren || strowi || [[User:strowi|strowi]] || see user page
|}

[[Category:Development]]

SFTP Only Access

Revision as of 16:50, 30 August 2011

Context

In some cases it can be useful to set up access on your Funtoo box such that a user:

  • does not see the whole contents of the machine but instead remains "jailed" in a home directory
  • is able to transfer files back and forth via SFTP
  • does not have access to a shell

Such an SFTP-only access is easy to set up:

  1. Assign a group (e.g. sftponly) to the users that must be restricted to an SFTP-only account
  2. Adjust the OpenSSH configuration so that users belonging to your sftp-only group are chrooted into their home directory
  3. Make OpenSSH ignore any command other than the SFTP server itself for users belonging to your sftp-only group (this is where the trick lies!)

Quick start

First, a dedicated group must be created. For the sake of the example we use sftponly here; use whatever name fits your preferences:

# groupadd sftponly

Next, in the OpenSSH server configuration (located in /etc/ssh/sshd_config) locate:

Subsystem      sftp    /usr/lib64/misc/sftp-server

and change it for:

Subsystem      sftp    internal-sftp

Now the $100 question: "how can OpenSSH be told to restrict a user to a plain SFTP session?" Simple! Assuming that sftponly is the group you use for your restricted users, add the following statement at the end of /etc/ssh/sshd_config (it must come last: every directive that follows a Match line belongs to that Match block):

# Restricted users: chrooted to their home, no TCP forwarding, no X11 tunneling, SFTP only.
Match Group sftponly
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

To understand how it works, you must be aware that, when you open an SSH session, sshd launches a process on the server side for you, which can be:

  • a shell => ssh login@host
  • a dedicated file-transfer server for the sftp subsystem => sftp user@host

ForceCommand internal-sftp replaces whatever the client asked for with the SFTP server built into sshd, so members of the group get an SFTP session whether they invoked ssh, scp or sftp. The built-in server (internal-sftp) rather than the external sftp-server binary is required because, once the session is chrooted into /home/%u, that binary and the libraries it needs are no longer visible. Two things commonly bite at this point: sshd refuses the chroot unless /home/<user> (and every directory above it) is owned by root and is neither group- nor world-writable, so the user's home must be root-owned and the user given a writable subdirectory inside it; and the Match block must sit at the end of the file, because every directive after a Match line belongs to it.
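The three steps above carried through end to end, as an added example that is not code from the Funtoo page: it creates the group and a restricted user, lays out the home directory so that sshd accepts it as a chroot, rewrites the Subsystem line, appends the Match block once and lets sshd validate the file before anything is reloaded. The user name alice, the upload subdirectory, the /etc/ssh/sshd_config path, the /sbin/nologin shell and the GNU stat/sed flags are assumptions, not from the page. The chroot_dir_ok function reproduces the ownership and mode test sshd applies to a ChrootDirectory, because a home directory that is owned and writable by the user (what useradd -m produces) is exactly what makes the login fail.

```shell
#!/bin/sh
# Added example, not from the Funtoo page: provision a chrooted, SFTP-only
# account end to end and check the chroot layout the way sshd does.
# Assumed names (not on the page): user "alice", subdirectory "upload",
# config path /etc/ssh/sshd_config, GNU coreutils (stat -c) and GNU sed -i.
set -u

SFTP_GROUP=${SFTP_GROUP:-sftponly}
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

# The Match block for the restricted group. It must be appended at the END of
# sshd_config: every directive after a Match line belongs to that block.
sftp_match_block() {
    cat <<EOF
# Restricted users: chrooted to home, no TCP forwarding, no X11, SFTP only.
Match Group $1
        ChrootDirectory /home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
EOF
}

# sshd refuses to chroot into a directory that is not owned by root or that is
# group- or world-writable (it logs "bad ownership or modes for chroot
# directory"). This mirrors that test for one directory; sshd applies it to
# every component of the path, so /home and / must pass as well.
# $2 overrides the expected owner uid (root, 0) so the check can be exercised
# on a temporary directory without root privileges.
chroot_dir_ok() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || return 1
    uid=$(stat -c %u "$dir") || return 1
    mode=$(stat -c %a "$dir") || return 1      # e.g. 755 or 1777
    [ "$uid" = "$want_uid" ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]              # group/world write bits must be clear
}

# Create the account and a chroot layout sshd accepts:
#   /home/alice         root:root 0755  -> the chroot itself, read-only for alice
#   /home/alice/upload  alice     0755  -> the only place alice can write
add_sftp_user() {
    user=$1
    home=/home/$user
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    # nologin is belt and braces: internal-sftp never spawns the login shell anyway
    useradd -m -d "$home" -G "$SFTP_GROUP" -s /sbin/nologin "$user"
    chown root:root "$home"
    chmod 0755 "$home"
    mkdir -p "$home/upload"
    chown "$user" "$home/upload"
    chmod 0755 "$home/upload"
    chroot_dir_ok "$home" || { echo "$home would be rejected by sshd" >&2; return 1; }
}

# Switch the subsystem to internal-sftp, append the Match block once, and
# have sshd validate the file before it is reloaded.
install_sftp_config() {
    sed -i 's|^Subsystem[[:space:]]*sftp[[:space:]].*|Subsystem      sftp    internal-sftp|' "$SSHD_CONFIG"
    grep -q "^Match Group $SFTP_GROUP\$" "$SSHD_CONFIG" \
        || sftp_match_block "$SFTP_GROUP" >> "$SSHD_CONFIG"
    sshd -t -f "$SSHD_CONFIG"
}

# Run as: sudo sh sftp-only.sh setup alice
if [ "${1:-}" = setup ] && [ "$(id -u)" -eq 0 ]; then
    install_sftp_config && add_sftp_user "${2:-alice}" \
        && echo "now reload sshd, then verify with: sftp ${2:-alice}@localhost"
fi
```

After reloading sshd, `sftp alice@localhost` should land in a read-only `/` (the chroot) with a writable `upload/` inside it, while `ssh alice@localhost` is refused with the SFTP subsystem taking over the session. If the login fails instead, the sshd log line about chroot ownership or modes is the first thing to look at, and chroot_dir_ok on /home/alice reproduces the condition it is complaining about.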

TBC