User Tools

Site Tools


sto3_sftp

SFTP

We can provide SFTP access for external users (partners) to download/upload files. Best is to create a normal user via the provided scripts User administration, and modify the bash of this user to mysecureshell. The goal of MySecureShell is to offer the power and security of OpenSSH, with enhanced features (like ACL) to restrict connected users. For more documentation see https://mysecureshell.readthedocs.io/en/latest/. To modify the assigned shell of a created user (bash) , you can use smbldap-usermod. Example:

root@sto3:~# smbldap-usermod -s /usr/bin/mysecureshell xre
root@sto3:~# ldapsearch -x uid=xre loginShell
# extended LDIF
#
# LDAPv3
# base <dc=visielab,dc=be> (default) with scope subtree
# filter: uid=xre
# requesting: loginShell 
#

# xre, People, visielab.be
dn: uid=xre,ou=People,dc=visielab,dc=be
loginShell: /usr/bin/mysecureshell

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

The configuration of mysecureshell is located in the same directory as ssh , /etc/ssh/sftp_config. Don't forget to change some default values, e.g. the bandwidth limit for downloads is standaard 5k, which is quite low of course.

<Default>
        GlobalDownload          50m     #total speed download for all clients
                                        # o -> bytes   k -> kilo bytes   m -> mega bytes
        GlobalUpload            0       #total speed download for all clients (0 for unlimited)
#       Download                5k      #limit speed download for each connection
        Download                0       #limit speed download for each connection
        Upload                  0       #unlimit speed upload for each connection
        StayAtHome              true    #limit client to his home
        VirtualChroot           true    #fake a chroot to the home account
        LimitConnection         10      #max connection for the server sftp
        LimitConnectionByUser   3       #max connection for the account
        LimitConnectionByIP     3       #max connection by ip for the account
        Home                    /data/home/$USER        #overrite home of the user but if you want you can use
                                                #       environment variable (ie: Home /home/$USER)
        IdleTimeOut             5m      #(in second) deconnect client is idle too long time
        ResolveIP               true    #resolve ip to dns
#       IgnoreHidden            true    #treat all hidden files as if they don't exist
#       DirFakeUser             true    #Hide real file/directory owner (just change displayed permissions)
#       DirFakeGroup            true    #Hide real file/directory group (just change displayed permissions)
#       DirFakeMode             0400    #Hide real file/directory rights (just change displayed permissions)
                                        #Add execution right for directory if read right is set
        HideNoAccess            true    #Hide file/directory which user has no access
#       MaxOpenFilesForUser     20      #limit user to open x files on same time
#       MaxWriteFilesForUser    10      #limit user to x upload on same time
#       MaxReadFilesForUser     10      #limit user to x download on same time
        DefaultRights           0640 0750       #Set default rights for new file and new directory
#       MinimumRights           0400 0700       #Set minimum rights for files and dirs

        ShowLinksAsLinks        false   #show links as their destinations
#       ConnectionMaxLife       1d      #limits connection lifetime to 1 day

#       Charset                 "ISO-8859-15"   #set charset of computer
</Default>

disable/lock/unlock a user

smbldap-usermod -L <username>

To enable this user again, you also have to set (or reset ) the password for that user

smbldap-usermod -U <username>
smbldap-usermod -P <username>
New password:
Retype new password:
sto3_sftp.txt · Last modified: 2018/06/11 13:51 by jpe