SFTP not configurable #110

Closed
jmara opened this Issue Feb 3, 2016 · 3 comments

Contributor

jmara commented Feb 3, 2016

Hi there,

is it worth creating a PR to enable/adjust the SFTP settings?

Cheers,
Jan

Member

atomic111 commented Feb 3, 2016

Hi Jan,
thanks for bringing this up. Yes, please create a PR to enable and configure sftp for this. Some ideas about the configuration of sftp: I would configure sftp in the following way. What do you think?

Subsystem sftp internal-sftp -l VERBOSE
Match Group sftponly
        ForceCommand internal-sftp -l VERBOSE
        ChrootDirectory /share/%u
        AllowTcpForwarding no
        AllowAgentForwarding no
        PasswordAuthentication no
        PermitRootLogin no
        X11Forwarding no

So that we can configure the matching group, the ChrootDirectory, AllowAgentForwarding and so on.

Contributor

jmara commented Feb 3, 2016

Hi Patrick,

I've checked the Puppet and Ansible ssh-hardening and it looks like only Ansible takes care of the SFTP stuff and adds capabilities to enable and change ChrootDirectory for sftp.

I think the configuration should as well include Group like you suggested, but I'm currently unsure if it's good security practice to allow changing the other options like AllowAgentForwarding and PermitRootLogin.
As this cookbook focuses on hardening sshd, I would suggest that I add the first three options: Enable, Group, ChrootDirectory, and if necessary extend these functions in the next versions.

What do you think?

Cheers,
Jan
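
Added example, not code from the ssh-hardening cookbook or from either participant: a plain-Ruby sketch of how the three options proposed above (Enable, Group, ChrootDirectory) could drive the Match block atomic111 posted, with the forwarding and authentication settings pinned to their hardened values rather than exposed as options. It also includes the ownership and mode check that sshd applies to a ChrootDirectory before it lets a chrooted user in. The option names, the template constant and the helper names are assumptions for this example; the rendered block follows the config in the thread.

```ruby
require 'erb'
require 'tmpdir'

# The Match block from the thread. Only the group and the chroot path are
# variable; the forwarding/auth settings stay fixed at their hardened values.
SFTP_TEMPLATE = <<'ERB'
Subsystem sftp internal-sftp -l VERBOSE
Match Group <%= group %>
        ForceCommand internal-sftp -l VERBOSE
        ChrootDirectory <%= chroot_directory %>
        AllowTcpForwarding no
        AllowAgentForwarding no
        PasswordAuthentication no
        PermitRootLogin no
        X11Forwarding no
ERB

# Conservative name syntax for groups and users (assumption for this example).
NAME_RE = /\A[a-z_][a-z0-9_-]*\z/

# Render the block for the three assumed options, or nothing when disabled.
def render_sftp_block(enable:, group: 'sftponly', chroot_directory: '/share/%u')
  return '' unless enable
  raise ArgumentError, "invalid group name: #{group.inspect}" unless group.match?(NAME_RE)
  unless chroot_directory.start_with?('/')
    raise ArgumentError, "chroot must be an absolute path: #{chroot_directory.inspect}"
  end
  ERB.new(SFTP_TEMPLATE).result_with_hash(group: group, chroot_directory: chroot_directory)
end

# sshd expands %u to the user name and %% to a literal % in ChrootDirectory;
# mirroring that lets the directory be inspected before anyone logs in.
def expand_chroot(chroot_directory, user)
  raise ArgumentError, "invalid user name: #{user.inspect}" unless user.match?(NAME_RE)
  chroot_directory.gsub(/%(u|%)/) { Regexp.last_match(1) == 'u' ? user : '%' }
end

# sshd refuses the chroot ("bad ownership or modes for chroot directory")
# unless the directory and every parent up to / is owned by root and is not
# writable by group or others. Returns a list of problems; empty means the
# path would be accepted. root_uid/check_parents exist so the check can be
# exercised on a constructed directory without root.
def chroot_dir_problems(path, root_uid: 0, check_parents: true)
  problems = []
  dir = File.expand_path(path)
  loop do
    begin
      st = File.stat(dir)
    rescue Errno::ENOENT
      problems << "#{dir}: does not exist"
      break
    end
    problems << "#{dir}: not a directory" unless st.directory?
    problems << "#{dir}: owned by uid #{st.uid}, expected #{root_uid}" unless st.uid == root_uid
    if (st.mode & 0o022) != 0
      problems << format('%s: writable by group/others (mode %04o)', dir, st.mode & 0o7777)
    end
    break if dir == '/' || !check_parents
    dir = File.dirname(dir)
  end
  problems
end

if $PROGRAM_NAME == __FILE__
  puts render_sftp_block(enable: true, group: 'sftponly', chroot_directory: '/share/%u')
  puts "chroot for user jan: #{expand_chroot('/share/%u', 'jan')}"
  # Constructed directory so the check runs without touching /share.
  Dir.mktmpdir do |d|
    File.chmod(0o755, d)
    puts "problems: #{chroot_dir_problems(d, root_uid: Process.uid, check_parents: false).inspect}"
  end
end
```

The parent-directory walk matters in practice: a chroot under a world-writable location such as /tmp fails sshd's check even when the leaf directory itself is root-owned and 0755, which is why `/share/%u` is created beneath a root-owned `/share` in the config above.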

Member

atomic111 commented Feb 6, 2016

Hi Jan,
I totally agree with you. Maybe I have expressed myself wrongly. Recently I had a customer request to allow forwarding and so on for the other users and not allowing this for the sftponly group.

So just create your pull request. Thanks.

@jmara jmara referenced this issue Feb 6, 2016

Merged

Feature/sftp #111

@atomic111 atomic111 closed this Feb 16, 2016
