railsmachine / moonshine_ssh
A Moonshine plugin providing secure SSH defaults and simple configuration management — Read more

Latest commit: super easy chrooted, sftp-only users
roblingle (author), Tue Jul 07 11:33:55 -0700 2009
commit  a761b37ab6c124f47346531891e189ef2fee336d
tree    26ff29f45e1bbe079dd5d685a6ccea7e753265b8
parent  2bcb4213149bbd8f73cd6ffadf4c9d7a96e010ac

moonshine_ssh/
  README.rdoc   Tue Jul 07 11:33:55 -0700 2009  super easy chrooted, sftp-only users [roblingle]
  lib/
  moonshine/    Wed Apr 29 09:05:05 -0700 2009  initial [roblingle]
  spec/
  templates/
README.rdoc

Moonshine_SSH

A plugin for Moonshine

This plugin applies a few security improvements to the default SSH server configuration and lets you customize the settings easily. Browse the sshd_config template in the templates/ directory to see the available settings.

The new configuration file is tested before it is used, so there is less chance that you will accidentally lock yourself out. Keep in mind that a syntax check cannot catch a configuration that is valid but excludes your own account (for example, an :allow_users list that omits the user you deploy as), so keep an existing session open until a fresh login has been confirmed to work.

Instructions

  • script/plugin install git://github.com/railsmachine/moonshine_ssh.git
  • Edit moonshine.yml to customize plugin settings if desired:
      :ssh:
        :port: 9022
        :allow_users:
          - rob
          - rails
  • Include the plugin and recipe in your manifest:
      plugin :ssh
      recipe :ssh
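The following is an added example, not code from moonshine_ssh. It renders the global sshd_config directives from a moonshine.yml-style settings hash like the one above and then runs the two checks worth making before the new file replaces the old one: the syntax test with `sshd -t`, and a lock-out check that a syntax test cannot perform. The settings keys, the hardened defaults and the `lockout_risks` rules are this example's assumptions; the plugin's real template is the sshd_config in templates/.

```ruby
# Added example, not moonshine_ssh's own code: render the global sshd_config
# directives from a moonshine.yml-style settings hash, then run the two checks
# worth making before the new file replaces the old one. The keys and the
# hardened defaults are this example's assumptions; the plugin's real
# template is the sshd_config in the repository's templates/ directory.
require 'open3'

DEFAULTS = {
  port: 22,
  permit_root_login: 'no',
  password_authentication: 'no',
  allow_users: [],
}.freeze

def render_sshd_config(settings)
  s = DEFAULTS.merge(settings)
  lines = [
    "Port #{Integer(s[:port])}",
    "PermitRootLogin #{s[:permit_root_login]}",
    "PasswordAuthentication #{s[:password_authentication]}",
    'ChallengeResponseAuthentication no',
    'UsePAM yes',
    'Subsystem sftp internal-sftp',
  ]
  lines << "AllowUsers #{s[:allow_users].join(' ')}" unless s[:allow_users].empty?
  lines.join("\n") + "\n"
end

# Parse "Keyword value" lines into a hash keyed by the lower-cased keyword.
# Only the global section matters for lock-out checks, so parsing stops at
# the first Match block.
def parse_directives(text)
  directives = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    break if key.casecmp?('Match')
    directives[key.downcase] = value.to_s.strip
  end
  directives
end

# Check 1: let sshd parse the candidate file (`sshd -t -f FILE`). This is
# the check that catches a malformed file. Returns nil if sshd is not
# installed on this machine.
def sshd_syntax_ok?(path)
  _out, status = Open3.capture2e('sshd', '-t', '-f', path)
  status.success?
rescue Errno::ENOENT
  nil
end

# Check 2: a syntactically valid file can still lock you out. Report the
# problems `sshd -t` will never flag, relative to the account you deploy as.
def lockout_risks(text, admin_user:)
  d = parse_directives(text)
  risks = []
  if d.key?('allowusers') && !d['allowusers'].split.include?(admin_user)
    risks << "AllowUsers does not include #{admin_user}"
  end
  if d['passwordauthentication'] == 'no' && d['pubkeyauthentication'] == 'no'
    risks << 'both password and public-key authentication are disabled'
  end
  risks << 'PermitRootLogin yes is enabled' if d['permitrootlogin'] == 'yes'
  risks
end

if __FILE__ == $PROGRAM_NAME
  # Settings from the README's moonshine.yml example, deployed as user "deploy".
  config = render_sshd_config(port: 9022, allow_users: %w[rob rails])
  puts config
  puts "lock-out risks: #{lockout_risks(config, admin_user: 'deploy').inspect}"
end
```

With the README's settings and a deploy account that is not in :allow_users, `lockout_risks` reports the missing user even though `sshd -t` would accept the file without complaint; that is the case the warning in the previous section is about.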

SFTP-only users

OpenSSH supports chrooting users natively via the ChrootDirectory directive. You can create users who are chrooted and only allowed to use SFTP (no shell access) by adding the following to your moonshine.yml:

    :ssh:
      :sftponly: true

Then add this to your manifest:

    plugin :ssh
    recipe :ssh

This creates a user called sftponly with a randomized password. To allow access, you can manage authorized_keys through your manifest:

    file '/home/sftponly/home/sftponly/.ssh/authorized_keys',
      :ensure => :present,
      :content => YOUR_SSH_PUBKEYS

Once connected via SFTP, the user is chrooted to /home/sftponly and sees only a 'home' directory. From inside the chroot the user can upload files to /home/sftponly; on the host, those files are at /home/sftponly/home/sftponly. The nesting is deliberate: OpenSSH refuses a ChrootDirectory unless it and every directory above it are owned by root and writable by nobody else, so the chroot root itself cannot be the user's writable directory.

Advanced

For a more complicated example, consider a user called 'rob' who needs to upload files into a directory under the Rails application's shared/ directory. Because he is chrooted, he cannot reach that directory directly, and a symlink from inside the chroot would not resolve to it either, so the directory is bind-mounted into his chroot instead. The directory is owned by the rails group, so he needs to be a member of that group. Finally, we don't want to manage public keys for him, so he needs a password.

In your moonshine.yml:

    :ssh:
      :sftponly:
        :users:
          :rob:
            :groups: rails
            :password: sooper_sekrit

In your manifest:

    plugin :ssh
    recipe :ssh
    def mount_assets
      file '/home/rob/home/rob/assets',
        :ensure => :directory,
        :owner => 'rob',
        :require => file('/home/rob/home/rob')

      mount '/home/rob/home/rob/assets',
        :ensure => :mounted,
        :device => "#{configuration[:deploy_to]}/shared/assets/",
        :options => 'bind',
        :fstype => :none,
        :atboot => true,
        :remounts => true,
        :require => file('/home/rob/home/rob/assets')
    end
    recipe :mount_assets

Then deploy, and you're done! Inside the chroot, rob's /home/rob/assets (on the host, /home/rob/home/rob/assets) is now the application's shared assets directory, so anything uploaded there is available to the application automatically.
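The following is an added example, not moonshine_ssh's own code, serving both the SFTP-only section and the advanced example above. It shows the sshd_config side of a chrooted, SFTP-only user (one Match block per user, with password login enabled only for users that carry a :password so the global setting can stay off) and a preflight check that mirrors the ownership rule sshd enforces on ChrootDirectory. The /home/NAME (chroot root) and /home/NAME/home/NAME (writable area) layout follows the README; the exact directive set, the handling of :password, and the `owner_uid`/`top` parameters are assumptions made for the example.

```ruby
# Added example, not moonshine_ssh's own code. It shows the sshd_config
# side of the chrooted, SFTP-only users described in the README and the
# ownership rule sshd enforces on ChrootDirectory. The /home/NAME (chroot
# root) and /home/NAME/home/NAME (writable area) layout follows the README;
# the exact directive set and the treatment of :password are assumptions.
require 'tmpdir'
require 'fileutils'

# Accept both moonshine.yml forms from the README:
#   :sftponly: true                -> one user called sftponly
#   :sftponly: { :users: { ... } } -> named users with options
def sftp_users(sftponly)
  return { 'sftponly' => {} } if sftponly == true
  (sftponly[:users] || {}).map { |name, opts| [name.to_s, opts || {}] }.to_h
end

# One Match block per user. ForceCommand internal-sftp is what makes the
# account SFTP-only; the forwarding directives close the channels a chroot
# does not cover. :groups is ordinary Unix group membership (file access
# inside the chroot), so it does not appear here. Password login is turned
# on per user, so a global "PasswordAuthentication no" still applies to
# everyone else.
def chroot_match_blocks(sftponly)
  blocks = sftp_users(sftponly).map do |name, opts|
    [
      "Match User #{name}",
      "    ChrootDirectory /home/#{name}",
      '    ForceCommand internal-sftp',
      '    AllowTcpForwarding no',
      '    AllowAgentForwarding no',
      '    X11Forwarding no',
      '    PermitTunnel no',
      "    PasswordAuthentication #{opts[:password] ? 'yes' : 'no'}",
    ].join("\n")
  end
  blocks.join("\n\n") + "\n"
end

# sshd refuses the session ("bad ownership or modes for chroot directory")
# unless ChrootDirectory and every directory above it is owned by root and
# writable only by its owner. This is why the user's writable home sits one
# level down inside the chroot. The function mirrors that rule; owner_uid
# and top are parameters only so it can be exercised without root and
# outside /home (sshd itself always checks up to / against uid 0).
def chroot_path_problems(chroot, owner_uid: 0, top: '/')
  problems = []
  path = File.expand_path(chroot)
  stop = File.expand_path(top)
  loop do
    st = File.stat(path)
    problems << "#{path}: not owned by uid #{owner_uid}" unless st.uid == owner_uid
    problems << "#{path}: group- or world-writable" if (st.mode & 0o022) != 0
    break if path == stop || path == '/'
    path = File.dirname(path)
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  # The README's advanced example: rob, in group rails, with a password.
  puts chroot_match_blocks({ users: { rob: { groups: 'rails', password: 'sooper_sekrit' } } })
  puts chroot_path_problems('/home/rob').inspect if File.directory?('/home/rob')
end
```

Run `chroot_path_problems('/home/rob')` as root on the target host before handing out credentials: a chroot root that is group-writable (for instance because it was created with a permissive umask) is accepted by `sshd -t` but every login for that user will then fail at session start.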
