published on in IT scripting
tags: ssh web

Proof of Concept: Build my own Web Provider at home (II) – sshd

sshd

Secure Shell

The sshd daemon will be used to access the system. If we want to have multiple web instances, each one managed by a different individual, we’d usually think about setting up an FTP server and creating virtual users (so we know they cannot log in). Alternatively, we can use the SFTP subsystem, rely on the OS user management and offer Secure FTP-only access to our system. Even better, we can create RSA keys for the users so they don’t need to worry about passwords. The main features of the setup are:

  • We will grant only SFTP access to the UNIX accounts of the web instances. This way we will have a Secure FTP server that relies on the system accounts. No shell access will be granted to these users.
  • Root login is disabled (we can still allow forced commands to run rsync scripts).
  • The UNIX group sshusers defines the users that can access a shell via ssh.
  • The UNIX group sftpweb defines the users that will only access the system via SFTP (they cannot get a shell). This group contains all the users created to run the web instances. In fact, they will only be able to access a particular directory (in this example, /home/user/data, where the user will find the htdocs/ and logs/ directories of the web instance).
  • If public key authentication is going to be used, make sure we manage the public keys ourselves, so the users cannot modify them.

Make sure the sshd daemon is installed on your system:

apt-get install openssh-server

Let’s have a look at the config file /etc/ssh/sshd_config. This file defines the settings for the sshd daemon (make a backup of your default sshd_config file, in case something goes wrong!):

#You can modify the default port if you want. Not very useful, really.
Port 22
#Only use protocol 2
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 20

#We want to allow root to execute some commands (rsync) from other servers.
PermitRootLogin forced-commands-only

#Make sure the user's directory has the proper permissions
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes

#You can force the users to authenticate only via keys
#Save the user keys into /etc/ssh/users/%u/authorized_keys where %u is the user name
#and set PasswordAuthentication no
#AuthorizedKeysFile     /etc/ssh/users/%u/authorized_keys

#Standard setup, modify to fit your needs:
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
#IgnoreUserKnownHosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication no
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

#We only allow users of the sshusers group to access the system
AllowGroups sshusers
UsePAM yes

#Here we define that users that belong to sftpweb can only access the secure-ftp subsystem
#Note we give them access to a subdirectory of their home dir and we do not let them do TCP
#forwarding, etc.
Subsystem sftp internal-sftp
Match Group sftpweb
  ChrootDirectory %h/data
  X11Forwarding no
  AllowAgentForwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp

With this setup, the sshd daemon will deny shell access to the users we add to both the sshusers and the sftpweb groups. Make sure you reload the sshd server so the changes take effect.
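Before reloading, it is worth confirming that the Match block really jails the group. The following is an added example, not part of the original post: it parses an sshd_config and checks that the `Match Group` block forces internal-sftp, sets a chroot and disables TCP forwarding. The function names and the embedded sample (constructed from the config above) are assumptions, and only the simple `Match Group <name>` form is handled.

```shell
#!/bin/sh
# Added example: lint the SFTP jail in an sshd_config (hypothetical helper names).

# jail_settings FILE GROUP: print "keyword value" (keyword lowercased) for
# every directive inside the "Match Group GROUP" block of FILE.
jail_settings() {
    awk -v grp="$2" '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        { key = tolower($1) }              # sshd keywords are case-insensitive
        key == "match" {                   # any Match line starts a new block
            inblk = (NF == 3 && tolower($2) == "group" && $3 == grp)
            next
        }
        inblk { $1 = key; print }          # normalised "keyword value"
    ' "$1"
}

# check_sftp_jail FILE GROUP: return 0 if the block forces internal-sftp in a
# chroot with TCP forwarding off; otherwise list what is missing and return 1.
check_sftp_jail() {
    s=$(jail_settings "$1" "$2")
    rc=0
    for want in "forcecommand internal-sftp" "allowtcpforwarding no"; do
        printf '%s\n' "$s" | grep -qxF "$want" || { echo "missing: $want"; rc=1; }
    done
    printf '%s\n' "$s" | grep -q '^chrootdirectory ' ||
        { echo "missing: chrootdirectory"; rc=1; }
    return $rc
}

# Constructed sample input: the relevant lines of the config shown above.
sample_config() {
    cat <<'EOF'
AllowGroups sshusers
Subsystem sftp internal-sftp
Match Group sftpweb
  ChrootDirectory %h/data
  X11Forwarding no
  AllowAgentForwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp
EOF
}
```

On the real system, call `check_sftp_jail /etc/ssh/sshd_config sftpweb`, and run `sshd -t` to catch syntax errors before reloading the daemon.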

We will see in following entries how to create a user with SFTP-only access. As a small spoiler, three things are needed:

  1. Create the user with the shell /bin/false
  2. Add the user to the sshusers and sftpweb groups
  3. Make sure the directories above /home/user/data (including it) belong to root. This is necessary for the SFTP to set up the jail correctly. So yes, /home, /home/user and /home/user/data must belong to **root**
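sshd refuses the chroot unless every component of the path, from / down to the ChrootDirectory, is owned by root and not writable by group or others. The following added example (not from the original post) audits a path against that rule; the function names are hypothetical and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path (hypothetical helper names).
# Assumes GNU stat, as shipped on Debian/Ubuntu.

# component_ok UID MODE: succeed only if the owner is root (uid 0) and the
# octal MODE (as printed by `stat -c %a`, e.g. 755) has no group/other
# write bit set.
component_ok() {
    [ "$1" = "0" ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# audit_chroot DIR: walk from DIR up to /, print every component that would
# make sshd reject the chroot, and return 1 if any was found (2 on error).
audit_chroot() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2   # resolve symlinks first
    rc=0
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 2
        uid=${info% *}
        mode=${info#* }
        if ! component_ok "$uid" "$mode"; then
            echo "BAD $dir (owner uid=$uid, mode=$mode)"
            rc=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage, after sourcing this file:
#   audit_chroot /home/testsftpuser/data
```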

As an example, we can create a user and test the setup:

groupadd sshusers
groupadd sftpweb

#Add any user you want to be able to access via ssh to the sshusers group
#Add any user you want to be restricted to sftp to both sshusers and sftpweb

#Let's create a test user:
useradd -G sshusers,sftpweb -c "Test SFTP user" -m -d /home/testsftpuser -s /bin/false testsftpuser
passwd testsftpuser
#(...)

#The chroot path must belong to root
mkdir -p /home/testsftpuser/data
chown root /home/testsftpuser
chown root /home/testsftpuser/data

#The user cannot write into the root-owned data/ itself,
#so give him a htdocs/ directory of his own inside it
mkdir /home/testsftpuser/data/htdocs
chown testsftpuser /home/testsftpuser/data/htdocs

#Should fail...Permission denied
ssh testsftpuser@localhost
#Should work...
sftp testsftpuser@localhost

#Remove the test user once the tests are done
userdel testsftpuser

That user should not be able to access the system via ssh, but should be able to transfer files via SFTP into (and only into) the /home/testsftpuser/data directory. Once the tests have been completed, I’d suggest removing that user.

There are multiple references on the web about this topic:

  1. http://ubuntuforums.org/showthread.php?t=858475
  2. http://www.debian-administration.org/articles/590
