Description: A Moonshine plugin providing secure SSH defaults and simple configuration management
Clone URL: git://github.com/railsmachine/moonshine_ssh.git
README.rdoc

Moonshine_SSH

A plugin for Moonshine

This plugin provides a few security improvements for your default SSH configuration. It also gives you the ability to easily customize your settings. Browse through the sshd_config in the templates/ directory to see the available settings.

The new configuration file is tested before it’s used, so there’s less chance that you’ll accidentally lock yourself out.

Instructions

  • script/plugin install git://github.com/railsmachine/moonshine_ssh.git
  • Edit moonshine.yml to customize plugin settings if desired:
      :ssh:
        :port: 9022
        :allow_users:
          - rob
          - rails

  • Include the plugin and recipe in your manifest:
      plugin :ssh
      recipe :ssh


SFTP-only users

OpenSSH supports chrooting users natively. You can create users who will be chrooted and only allowed to use SFTP (no console access) by adding the following to your moonshine.yml:

    :ssh:
      :sftponly: true

Then add this to your manifest:

    plugin :ssh
    recipe :ssh

This creates a user called sftponly with a randomized password. To allow access, manage the user's authorized_keys through your manifest. Note the doubled path: the chroot root is the real /home/sftponly, and the user's home inside the chroot is /home/sftponly again, so on the real filesystem it lives at /home/sftponly/home/sftponly:

    file '/home/sftponly/home/sftponly/.ssh/authorized_keys',
      :ensure => :present,
      :content => YOUR_SSH_PUBKEYS

Once connected via sftp, the user is chrooted to the real /home/sftponly, where they see only a ‘home’ directory. Inside the chroot their home is /home/sftponly, and that is where they upload files; on the real filesystem those uploads land in /home/sftponly/home/sftponly. This layout is not optional: OpenSSH refuses a ChrootDirectory unless the chroot directory and every path component above it are owned by root and not writable by group or others, so the chroot root itself cannot be the user's writable directory.
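As an added example (not code from moonshine_ssh), the following Ruby reads the two :sftponly forms shown in this README (the `true` form above and the :users form used in the Advanced section below), renders the sshd_config Match block that a chrooted, SFTP-only user needs, and checks the chroot path against the ownership and permission rules OpenSSH enforces before it will honour ChrootDirectory. The function names, the hypothetical `stats` hash and the sample YAML are this example's own; the Match directives are standard OpenSSH ones.

```ruby
require 'yaml'

# Constructed moonshine.yml fragments mirroring the README's two forms.
SIMPLE_YML = <<~YAML
  :ssh:
    :sftponly: true
YAML

ADVANCED_YML = <<~YAML
  :ssh:
    :sftponly:
      :users:
        :rob:
          :groups: rails
          :password: sooper_sekrit
YAML

# Parse a moonshine.yml fragment and return its :ssh hash.
# Symbol keys must be explicitly permitted under Psych's safe loader.
def load_ssh(yml)
  YAML.safe_load(yml, permitted_classes: [Symbol])[:ssh]
end

# SFTP-only user names: `true` means the single default user "sftponly",
# a hash with :users lists them explicitly.
def sftponly_users(ssh)
  cfg = ssh[:sftponly]
  case cfg
  when true then ['sftponly']
  when Hash then (cfg[:users] || {}).keys.map(&:to_s)
  else []
  end
end

# One Match block per user. ChrootDirectory /home/%u makes the user's real
# home the chroot root; ForceCommand internal-sftp denies any shell, and the
# forwarding options close the remaining non-file channels.
def match_blocks(users)
  users.map do |u|
    <<~CONF
      Match User #{u}
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
        AllowTcpForwarding no
        X11Forwarding no
    CONF
  end.join("\n")
end

# OpenSSH rejects the chroot unless the chroot directory and every component
# above it is owned by root and not group- or world-writable.
# `stats` maps path => [uid, mode] (a hypothetical shape chosen so the check
# can run on constructed data as well as on File.stat results).
def chroot_problems(chroot, stats)
  problems = []
  path = chroot
  loop do
    uid, mode = stats.fetch(path) { [nil, nil] }
    if uid.nil?
      problems << "#{path}: missing"
    else
      problems << "#{path}: not owned by root (uid #{uid})" unless uid.zero?
      if (mode & 0o022) != 0
        problems << "#{path}: group/world writable (#{format('%04o', mode & 0o7777)})"
      end
    end
    break if path == '/'
    path = File.dirname(path)
  end
  problems
end

# Collect real [uid, mode] pairs for the chroot and its parents.
def stats_for(chroot)
  stats = {}
  path = chroot
  loop do
    begin
      st = File.stat(path)
      stats[path] = [st.uid, st.mode]
    rescue Errno::ENOENT
      # leave the entry out; chroot_problems reports it as missing
    end
    break if path == '/'
    path = File.dirname(path)
  end
  stats
end

if __FILE__ == $PROGRAM_NAME
  users = sftponly_users(load_ssh(SIMPLE_YML)) + sftponly_users(load_ssh(ADVANCED_YML))
  puts match_blocks(users)
  users.each do |u|
    chroot = "/home/#{u}"
    probs = chroot_problems(chroot, stats_for(chroot))
    puts(probs.empty? ? "#{chroot}: ok" : probs.join("\n"))
  end
end
```

Run it on the target host after the recipe has applied: any line reported by `chroot_problems` is a directory that would make sshd reject the login with "bad ownership or modes for chroot directory", which is the usual cause of an SFTP-only user that authenticates and is then disconnected.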

Advanced

For a more complicated example, we’ll consider a user called ‘rob’ who needs to upload files into a directory under the Rails application’s shared/ directory. Since he will be chrooted, he can’t have direct access to the directory. Also, the directory is owned by the rails group, so he’ll need to be a member of that. Finally, we don’t want to worry about public keys, so he’ll need a password.

In your moonshine.yml:

    :ssh:
      :sftponly:
        :users:
          :rob:
            :groups: rails
            :password: sooper_sekrit

In your manifest:

    plugin :ssh
    recipe :ssh
    def mount_assets
      file '/home/rob/home/rob/assets',
        :ensure => :directory,
        :owner => 'rob',
        :require => file('/home/rob/home/rob')

      mount '/home/rob/home/rob/assets',
        :ensure => :mounted,
        :device => "#{configuration[:deploy_to]}/shared/assets/",
        :options => 'bind',
        :fstype => :none,
        :atboot => true,
        :remounts => true,
        :require => file('/home/rob/home/rob/assets')
    end
    recipe :mount_assets

Then deploy, and you’re done! Seen from inside the chroot, the user’s /home/rob/assets directory is now actually the shared assets directory. Anything uploaded there will be available to the application automatically. The bind mount does not change ownership or permissions, so the shared assets directory still has to be writable by rob, which is why he is added to the rails group above.