Aw: Re: Howto log multiple sftpd instances with their chroot shared via NFS

Jochen Bern Jochen.Bern at binect.de
Wed Sep 29 21:07:25 AEST 2021


On 29.09.21 11:54, Hildegard Meier wrote:
> ls -al /var/data/chroot/sftp_nagios/etc/
> total 6
> drwxr-xr-x+ 2 root root           3 Oct 31  2014 .
> drwxr-x---+ 6 root sftp_nagios    6 Sep 28 17:09 ..
> -rw-r--r--+ 1 root root        2309 Oct 31  2014 localtime

(Semi-off-topic suggestion:

> # ls -al ~binect/etc
> insgesamt 8
> drwx--x---. 2 root mandanten 31 26. Jan 2018  .
> drwxr-x---. 5 root mandanten 62  4. Nov 2019  ..
> -rw-r-----. 1 root mandanten 24 26. Jan 2018  group
> -rw-r-----. 1 root mandanten 90 26. Jan 2018  passwd

> # grep . ~binect/etc/*
> /home/chroot/binect/etc/group:root:x:0:
> /home/chroot/binect/etc/group:users:x:[GID of group "mandanten"]:
> /home/chroot/binect/etc/passwd:root:x:0:0:root:/:/usr/sbin/nologin
> /home/chroot/binect/etc/passwd:binect:x:[UID of "binect"]:[GID of "mandanten"]:Mandant binect:/:/usr/sbin/nologin

- just so that the user's "ls -l" output is more readable than listing 
raw UIDs and GIDs.)

> ls -al /var/data/chroot/sftp_nagios/.ssh/
> total 4
> dr-x------+ 2 sftp_nagios sftp_nagios   3 Sep 10 09:59 .
> drwxr-x---+ 6 root        sftp_nagios   6 Sep 28 17:09 ..
> -r--r-----+ 1 root        sftp_nagios 401 Sep 10 09:30 authorized_keys
> 
> (this is for public key auth, in the future this shall be moved out of the user's chroot dir structure as it is unwanted that the users can change/view that file)

Another suggestion:

> Match group mandanten
>         AuthorizedKeysCommand /usr/local/sbin/MKLookup
>         AuthorizedKeysCommandUser akcu


> # cat /usr/local/sbin/MKLookup
> #!/bin/sh
> 
> MAIN_FILE="/etc/mand/pubkeys"
> MASTER_FILE="/etc/mand/masterkeys"
> 
> MANDANT="$1"
> if [ "`echo $MANDANT | tr 'A-Za-z0-9-' _ | sed -e 's/^_*$/_/'`" != "_" ]; then
>         # Unsupported characters in username. Refuse to work.
>         exit 0
> fi
> if [ -r "$MAIN_FILE" ]; then
>         grep '^ *#'"$MANDANT"'# *ssh-' "$MAIN_FILE" | sed -e 's/^ *#'"$MANDANT"'# *//'
> fi
> if [ -r "$MASTER_FILE" ]; then
>         cat "$MASTER_FILE"
> fi
> exit 0


> # grep '^#binect#ssh-r.*Bern' /etc/mand/pubkeys | sed -e 's/ .* / ... /'
> #binect#ssh-rsa ... Jochen.Bern at Binect.de

(Making the entries' format so that they'd be *nonfunctional comments* 
if they'd ever be read as normal authorized_keys lines is an extra 
security precaution by paranoid /me ;-)

Regards,
-- 
Jochen Bern
Systems Engineer

T  +49 6151 9067-231
F  +49 6151 9067-290
E  jochen.bern at binect.de
W  www.binect.de


Binect GmbH
Robert-Koch-Str. 9
64331 Weiterstadt

Geschäftspost.Einfach.Digital.
We are certified to ISO/IEC 27001:2013 and 9001:2015.
BMWi funds digital solutions for SMEs.

Managing directors: Dr. Frank Wermeyer, Michael Imiolczyk
Registered office: Weiterstadt
Register: Amtsgericht Darmstadt, HRB 94685
VAT ID: DE 221 302 264
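As an added example (my own code, not from Jochen's mail and not part of OpenSSH): the MKLookup idea from the mail as shell functions, exercised against constructed key files in a scratch directory, plus a check of the property the mail relies on, namely that the "#user#"-prefixed key store contains nothing sshd would accept if it ever read the file as a plain authorized_keys file. The directory, the user names and the key strings are made up; `/etc/mand/pubkeys` and `/etc/mand/masterkeys` are only named in comments as the paths they stand in for.

```shell
#!/bin/sh
# Added example, not code from the original mail or from OpenSSH: the
# MKLookup logic as shell functions, run against constructed key files.
# All paths, user names and key strings here are made up for the demo.

set -eu

# Constructed key store in a scratch directory so the demo is self-contained.
DEMO_DIR="$(mktemp -d)"
trap 'rm -rf "$DEMO_DIR"' EXIT
MAIN_FILE="$DEMO_DIR/pubkeys"      # stands in for /etc/mand/pubkeys
MASTER_FILE="$DEMO_DIR/masterkeys" # stands in for /etc/mand/masterkeys

# Every entry carries a "#<user>#" prefix, so the whole file is nothing but
# comments if it is ever read as a plain authorized_keys file.
cat > "$MAIN_FILE" <<'EOF'
#binect#ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOKEYDEMOKEYDEMOKEYDEMOKEYDEMOKEYDEMOKEYA binect-demo
#other#ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOKEYDEMOKEYDEMOKEYDEMOKEYDEMOKEYDEMOKEYB other-demo
EOF

# Master keys are plain authorized_keys lines served to every matched user.
cat > "$MASTER_FILE" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOKEYDEMOKEYDEMOKEYDEMOKEYDEMOKEYDEMOKEYC admin-master-demo
EOF

# Accept only names made of [A-Za-z0-9-]: the same filter as the mail's
# tr/sed check, done with a shell pattern so no subprocess ever sees the
# name. A clean name cannot carry grep or sed metacharacters into the
# expressions built from it below.
name_is_clean() {
    case "$1" in
        '')               return 1 ;;
        *[!A-Za-z0-9-]*)  return 1 ;;
        *)                return 0 ;;
    esac
}

# What an AuthorizedKeysCommand would print for user "$1": the user's own
# entries with the "#<user>#" prefix stripped, then the master keys.
# An unsupported name yields no keys at all (empty output, exit status 0).
lookup_keys() {
    name_is_clean "$1" || return 0
    if [ -r "$MAIN_FILE" ]; then
        grep "^ *#$1# *ssh-" "$MAIN_FILE" | sed -e "s/^ *#$1# *//"
    fi
    if [ -r "$MASTER_FILE" ]; then
        cat "$MASTER_FILE"
    fi
    return 0
}

# Number of lines sshd would treat as key entries if it parsed file "$1"
# as a plain authorized_keys file: sshd skips blank lines and lines whose
# first non-blank character is '#'.
live_key_lines() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# Stand-alone run: show the lookup and the "inert key store" property.
printf 'keys served for binect:\n'
lookup_keys binect
printf 'keys served for an unsupported name (expect none):\n'
lookup_keys 'binect# *ssh-'
printf 'live key lines if pubkeys were read directly as authorized_keys: %s\n' \
    "$(live_key_lines "$MAIN_FILE")"
```

In a deployment the entry point would simply be `lookup_keys "$1"`, with sshd passing the user name as the first argument and the script running as the unprivileged AuthorizedKeysCommandUser, so the key files only need to be readable by that account and never sit inside any user's chroot.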