@@ -13,11 +13,76 @@ chance that you'll accidentally lock yourself out. === Instructions * <tt>script/plugin install git://github.com/railsmachine/moonshine_ssh.git</tt> -* Use <tt>configure</tt> to customize plugin settings if desired: - configure(:ssh => { - :port => '9022', - :allow_users => ['rob','rails'] - }) -* Include the plugin and recipe(s) you want to use in your Moonshine manifest. +* Edit moonshine.yml to customize plugin settings if desired: + :ssh + :port: 9022 + :allow_users: + - rob + - rails +* Include the plugin and recipe you in your manifest: plugin :ssh - recipe :ssh \ No newline at end of file + recipe :ssh + +=== SFTP-only users + +OpenSSH supports chrooting users natively. You can create users who will be chrooted +and only allowed to use SFTP (no console access) by adding the following to your +moonshine.yml: + + :ssh: + :sftponly: true + +Then add this to your manifest: + + plugin :ssh + recipe :ssh + +This creates a user called sftponly with a randomized password. To allow access, you can manag authorized_keys through your manifest: + + file '/home/sftponly/home/sftponly/.ssh/authorized_keys', + :ensure => :present, + :content => YOUR_SSH_PUBKEYS + +Once connected via sftp, the user will be chrooted to /home/sftponly where they will only see a +'home' directory. The user can upload files to /home/sftponly. For a normal user, the uploaded +files will be located at /home/sftponly/home/sftponly. + +==== Advanced + +For a more complicated example, we'll consider a user called 'rob' who needs to upload +files into a directory under the Rails application's shared/ directory. Since he will +be chrooted, he can't have direct access to the directory. Also, the directory is owned +by the rails group, so he'll need to be a member of that. Finally, we don't want to worry +about public keys, so he'll need a password. + +In your moonshine.yml: + + :ssh: + :sftponly: + :users: + :rob: + :groups: rails + :password: sooper_sekrit + +In your manifest: + + plugin :ssh + recipe :ssh + def mount_assets + file '/home/rob/home/rob/assets', + :ensure => :directory, + :owner => 'rob', + :require => file('/home/rob/home/rob') + + mount '/home/rob/home/rob/assets', + :ensure => :mounted, + :device => "#{configuration[:deploy_to]}/shared/assets/", + :options => 'bind', + :fstype => :none, + :atboot => true, + :remounts => true, + :require => file('/home/rob/home/rob/assets') + end + recipe :mount_assets + +Then deploy, and you're done! The user's /home/rob/assets directory is now actually the shared assets directory. Anything uploaded there will be available to the application automatically. \ No newline at end of file README.rdoc @@ -8,9 +8,15 @@ module SSH # configure(:ssh => {:permit_root_login => 'yes', :port => 9022}) # def ssh(options = {}) + package 'ssh', :ensure => :installed service 'ssh', :enable => true, :ensure => :running + if options[:sftponly] + options[:subsystem] = {:sftp => 'internal-sftp'} + sftponly(options[:sftponly]) + end + file '/etc/ssh/sshd_config.new', :mode => '644', :content => template(File.join(File.dirname(__FILE__), '..', 'templates', 'sshd_config'), binding), @@ -23,6 +29,61 @@ module SSH :refreshonly => true, :require => file('/etc/ssh/sshd_config.new'), :notify => service('ssh') + + end + + private + + # Sets up users and directories for chrooted, sftp-only access + # By default, the chroot is /home/USERNAME and the user's home + # will be inside that, at /home/USERNAME/home/USERNAME + def sftponly(options) + + group 'sftponly', :ensure => :present + + exec "fake shell", + :command => "echo /bin/false >> /etc/shells", + :onlyif => "test -z `grep /bin/false /etc/shells`" + + (options[:users]||'sftponly').to_a.each do |user,hash| + user = user.to_s + + chroot = options[:chroot_directory] || "/home/#{user}" + homedir = chroot + ( hash[:home] || "/home/#{user}" ) + + parent_directories homedir, :owner => 'root', :mode => '755' + file homedir, + :ensure => :directory, + :owner => user, + :group => user, + :require => user(user) + + user user, + :ensure => :present, + :home => "/home/#{user}/home/#{user}", + :shell => "/bin/false", + :groups => (['sftponly'] + hash[:groups].to_a).uniq, + :require => [group('sftponly'),exec('fake shell')], + :notify => exec("#{user} password") + + password = hash[:password] || rand_pass(6) + exec "#{user} password", + :command => "echo #{user}:#{password} | chpasswd", + :refreshonly => true + + end + end + + def parent_directories(path,options) + options.merge!({:ensure => :directory}) + while path != "/" + path = File.split(path)[0] + file path, options + end + end + + def rand_pass(len) + Array.new(len/2) { rand(256) }.pack('C*').unpack('H*').first end end \ No newline at end of file lib/ssh.rb @@ -38,5 +38,49 @@ describe SSH do @manifest.ssh( :port => 9022 ) @manifest.files["/etc/ssh/sshd_config.new"].content.should match /Port 9022/ end + + describe "configured for sftponly" do + + before do + @manifest.ssh(:sftponly => { + :users => { + :rob => { + :password => 'sekrit', + :groups => 'rails' + } + } + }) + end + + it "should create the sftponly group" do + @manifest.groups.should include('sftponly') + end + + it "should add the user" do + @manifest.users.should include('rob') + @manifest.execs['rob password'].command.should == "echo rob:sekrit | chpasswd" + end + + it "should add user to sftponly and extra groups if requested" do + @manifest.users['rob'].groups.should == ['sftponly','rails'] + end + + it "should create the home directory" do + @manifest.files.should include('/home/rob/home/rob') + @manifest.files['/home/rob/home/rob'].owner.should == 'rob' + @manifest.files['/home/rob/home'].owner.should == 'root' + @manifest.files['/home/rob'].owner.should == 'root' + end + + it "should set the sftp subsystem" do + @manifest.files['/etc/ssh/sshd_config.new'].content.should match /Subsystem sftp internal-sftp/ + end + + it "should add a group matcher to the sshd config" do + @manifest.files['/etc/ssh/sshd_config.new'].content.should match /Match Group sftponly/ + @manifest.files['/etc/ssh/sshd_config.new'].content.should match /ChrootDirectory \/home\/%u/ + end + + end end \ No newline at end of file spec/ssh_spec.rb @@ -69,19 +69,28 @@ X11Forwarding <%= options[:x11_forwarding] || 'yes' %> X11DisplayOffset <%= options[:x11_display_offsets] || 10 %> PrintMotd <%= options[:print_motd] || 'no' %> PrintLastLog <%= options[:print_last_log] || 'yes' %> -TCPKeepAlive yes +TCPKeepAlive <%= options[:tcp_keep_alive] || 'yes' %> #UseLogin no # http://techgurulive.com/2008/09/15/how-to-protect-ssh-from-multiple-and-parallel-coordinated-attacks/ MaxStartups <%= options[:max_startups] || '2:50:5' %> -#Banner /etc/issue.net + +<% if options[:use_banner] %> +Banner /etc/issue.net +<% end %> # Allow client to pass locale environment variables AcceptEnv LANG LC_* +<% if options[:subsystem] %> + <% options[:subsystem].each do |subsystem,command| %> +Subsystem <%= subsystem %> <%= command %> + <% end %> +<% else %> Subsystem sftp /usr/lib/openssh/sftp-server +<% end %> -UsePAM yes +UsePAM <%= options[:use_pam] || 'yes' %> <% if options[:allow_users] %> AllowUsers <%= options[:allow_users].to_a.join(' ') %> @@ -90,4 +99,12 @@ AllowUsers <%= options[:allow_users].to_a.join(' ') %> AllowGroups <%= options[:allow_groups].to_a.join(' ') %> <% end %> -<%= options[:extra] %> \ No newline at end of file +<%= options[:extra] %> + +<% if options[:sftponly] %> +Match Group sftponly + ChrootDirectory <%= options[:sftponly][:chroot_directory] || '/home/%u' %> + ForceCommand internal-sftp + X11Forwarding no + AllowTcpForwarding no +<% end %> \ No newline at end of file templates/sshd_config 2bcb4213149bbd8f73cd6ffadf4c9d7a96e010ac Rob Lingle rob@actsasif.com http://github.com/railsmachine/moonshine_ssh/commit/a761b37ab6c124f47346531891e189ef2fee336d a761b37ab6c124f47346531891e189ef2fee336d 2009-07-07T11:33:55-07:00 2009-07-07T11:33:55-07:00 super easy chrooted, sftp-only users 26ff29f45e1bbe079dd5d685a6ccea7e753265b8 Rob Lingle rob@actsasif.com