diff --git a/docs/guides/file_sharing/sftp.md b/docs/guides/file_sharing/sftp.md index 52074b5eb3..0566ff150f 100644 --- a/docs/guides/file_sharing/sftp.md +++ b/docs/guides/file_sharing/sftp.md @@ -2,7 +2,7 @@ title: Secure Server - sftp author: Steven Spencer contributors: Ezequiel Bruni -tested with: 8.5, 8.6 +tested with: 8.5, 8.6, 9.0 tags: - security - file transfer @@ -293,8 +293,8 @@ Subsystem sftp internal-sftp Save and exit the file. Just like before, let's describe what we are doing a little here. Both the `sftp-server` and `internal-sftp` are part of OpenSSH. The `internal-sftp`, while not too different from the `sftp-server`, simplifies configurations using `ChrootDirectory` to force a different file system root on clients. So that is why we want to use `internal-sftp`. - -### 8.5 - The Template And The Script + +### The Template And The Script Why are we creating a template and a script for this next part? The reason is simply to avoid human error as much as possible. We aren't done modifying that `/etc/ssh/sshd_config` file yet, but we want to eliminate as many errors as possible whenever we need to make these modifications. We will create all of this in `/usr/local/sbin`. @@ -327,169 +327,168 @@ We want a directory for our user files that we will create from the template too mkdir /usr/local/sbin/templates ``` -#### 8.5 - The Script -Now let's create our script: +=== "8.6 & 9.0" -``` -vi /usr/local/sbin/webuser -``` + #### 8.6 & 9.0 - The Script and `sshd_config` Changes -And put this code in it: + With the releases of Rocky Linux 8.6 and 9.0, a new option is available for the `sshd_config` file that allows for drop in configurations. This is a **GREAT** change. What this means is that for these versions we will make a single additional change to the `sshd_config` file, and then our script will build out sftp changes in a separate configuration file. This new change makes things even safer. Safety is good!! -``` -#!/bin/bash -# script to populate the SSHD configuration for web users. + Because of the changes allowed for the `sshd_config` file in Rocky Linux 8.6 and 9.0, our script will use a new drop in configuration file: `/etc/ssh/sftp/sftp_config`. -# Set variables + To start with, create that directory: -tempfile="/usr/local/sbin/sshd_template" -dompath="/var/www/sub-domains/" + ``` + mkdir /etc/ssh/sftp + ``` -# Prompt for user and domain in reverse (ext.domainname): + Now make a backup copy of the `sshd_config`: -clear + ``` + cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak + ``` -echo -n "Enter the web sftp user: " -read sftpuser -echo -n "Enter the domain in reverse. Example: com.domainname: " -read dom -echo -n "Is all of this correct: sftpuser = $sftpuser and domain = $dom (Y/N)? " -read yn -if [ "$yn" = "n" ] || [ "$yn" = "N" ] -then - exit -fi -if [ "$yn" = "y" ] || [ "$yn" = "Y" ] -then - /usr/bin/cat $tempfile > /usr/local/sbin/templates/$dom.txt - /usr/bin/sed -i "s,replaceuser,$sftpuser,g" /usr/local/sbin/templates/$dom.txt - /usr/bin/sed -i "s,replacedirectory,$dompath$dom,g" /usr/local/sbin/templates/$dom.txt - /usr/bin/chown -R $sftpuser.apache $dompath$dom/html -fi + And finally edit the `sshd_config` file, scroll to the very bottom of the file, and add this line: -## Make a backup of /etc/ssh/sshd_config + ```bash + Include /etc/ssh/sftp/sftp_config + ``` -/usr/bin/rm -f /etc/ssh/sshd_config.bak + Save your changes and exit the file. We will need to restart `sshd` but our script will do that for us after we update `sftp_config` file, so let's create the script and run it. -/usr/bin/cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak + ``` + vi /usr/local/sbin/webuser + ``` -## Now append our new user information to to the file + And put this code in it: -cat /usr/local/sbin/templates/$dom.txt >> /etc/ssh/sshd_config + ``` + #!/bin/bash + # script to populate the SSHD configuration for web users. -## Restart sshd + # Set variables -/usr/bin/systemctl restart sshd + tempfile="/usr/local/sbin/sshd_template" + dompath="/var/www/sub-domains/" -echo " " -echo "Please check the status of sshd with systemctl status sshd." -echo "You can verify that your information was added to the sshd_config by doing a more of the sshd_config" -echo "A backup of the working sshd_config was created when this script was run: sshd_config.bak" -``` + # Prompt for user and domain in reverse (ext.domainname): -### 8.6 - The Template And The Script + clear -With the release of Rocky Linux 8.6, a new option is available for the `sshd_config` file that allows for drop in configurations. This is a **GREAT** change. What this means is that for 8.6, we will make a single additional change to the `sshd_config` file, and then our script will build out sftp changes in a separate configuration file. While the 8.5 procedure above is pretty darned safe, this new change makes things even safer. Safety is good!! + echo -n "Enter the web sftp user: " + read sftpuser + echo -n "Enter the domain in reverse. Example: com.domainname: " + read dom + echo -n "Is all of this correct: sftpuser = $sftpuser and domain = $dom (Y/N)? " + read yn + if [ "$yn" = "n" ] || [ "$yn" = "N" ] + then + exit + fi + if [ "$yn" = "y" ] || [ "$yn" = "Y" ] + then + /usr/bin/cat $tempfile > /usr/local/sbin/templates/$dom.txt + /usr/bin/sed -i "s,replaceuser,$sftpuser,g" /usr/local/sbin/templates/$dom.txt + /usr/bin/sed -i "s,replacedirectory,$dompath$dom,g" /usr/local/sbin/templates/$dom.txt + /usr/bin/chown -R $sftpuser.apache $dompath$dom/html + fi -#### 8.6 The Template + ## Make a backup of /etc/ssh/sftp/sftp_config -There are no changes between 8.5 and 8.6 as far as the template is concerned. So use [that procedure above](#the-template) and then return here for the script. + /usr/bin/rm -f /etc/ssh/sftp/sftp_config.bak -#### 8.6 - The Script and `sshd_config` Changes + /usr/bin/cp /etc/ssh/sftp/sftp_config /etc/ssh/sftp/sftp_config.bak -Because of the changes allowed for the `sshd_config` file in Rocky Linux 8.6, our script will use a new drop in configuration file: `/etc/ssh/sftp/sftp_config`. + ## Now append our new user information to to the file -To start with, create that directory: + cat /usr/local/sbin/templates/$dom.txt >> /etc/ssh/sftp/sftp_config -``` -mkdir /etc/ssh/sftp -``` + ## Restart sshd -Now make a backup copy of the `sshd_config`: + /usr/bin/systemctl restart sshd -``` -cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak -``` + echo " " + echo "Please check the status of sshd with systemctl status sshd." + echo "You can verify that your information was added by doing a more of the sftp_config" + echo "A backup of the working sftp_config was created when this script was run: sftp_config.bak" + ``` +=== "8.5" -And finally edit the `sshd_config` file, scroll to the very bottom of the file, and add this line: + #### 8.5 - The Script -``` -Include /etc/ssh/sftp/sftp_config -``` + Now let's create our script: -Save your changes and exit the file. We will need to restart `sshd` but our script will do that for us after we update `sftp_config` file, so let's create the script and run it. + ``` + vi /usr/local/sbin/webuser + ``` -``` -vi /usr/local/sbin/webuser -``` + And put this code in it: -And put this code in it: + ``` + #!/bin/bash + # script to populate the SSHD configuration for web users. -``` -#!/bin/bash -# script to populate the SSHD configuration for web users. + # Set variables -# Set variables + tempfile="/usr/local/sbin/sshd_template" + dompath="/var/www/sub-domains/" -tempfile="/usr/local/sbin/sshd_template" -dompath="/var/www/sub-domains/" + # Prompt for user and domain in reverse (ext.domainname): -# Prompt for user and domain in reverse (ext.domainname): + clear -clear + echo -n "Enter the web sftp user: " + read sftpuser + echo -n "Enter the domain in reverse. Example: com.domainname: " + read dom + echo -n "Is all of this correct: sftpuser = $sftpuser and domain = $dom (Y/N)? " + read yn + if [ "$yn" = "n" ] || [ "$yn" = "N" ] + then + exit + fi + if [ "$yn" = "y" ] || [ "$yn" = "Y" ] + then + /usr/bin/cat $tempfile > /usr/local/sbin/templates/$dom.txt + /usr/bin/sed -i "s,replaceuser,$sftpuser,g" /usr/local/sbin/templates/$dom.txt + /usr/bin/sed -i "s,replacedirectory,$dompath$dom,g" /usr/local/sbin/templates/$dom.txt + /usr/bin/chown -R $sftpuser.apache $dompath$dom/html + fi -echo -n "Enter the web sftp user: " -read sftpuser -echo -n "Enter the domain in reverse. Example: com.domainname: " -read dom -echo -n "Is all of this correct: sftpuser = $sftpuser and domain = $dom (Y/N)? " -read yn -if [ "$yn" = "n" ] || [ "$yn" = "N" ] -then - exit -fi -if [ "$yn" = "y" ] || [ "$yn" = "Y" ] -then - /usr/bin/cat $tempfile > /usr/local/sbin/templates/$dom.txt - /usr/bin/sed -i "s,replaceuser,$sftpuser,g" /usr/local/sbin/templates/$dom.txt - /usr/bin/sed -i "s,replacedirectory,$dompath$dom,g" /usr/local/sbin/templates/$dom.txt - /usr/bin/chown -R $sftpuser.apache $dompath$dom/html -fi + ## Make a backup of /etc/ssh/sshd_config -## Make a backup of /etc/ssh/sftp/sftp_config + /usr/bin/rm -f /etc/ssh/sshd_config.bak -/usr/bin/rm -f /etc/ssh/sftp/sftp_config.bak + /usr/bin/cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak -/usr/bin/cp /etc/ssh/sftp/sftp_config /etc/ssh/sftp/sftp_config.bak + ## Now append our new user information to to the file -## Now append our new user information to to the file + cat /usr/local/sbin/templates/$dom.txt >> /etc/ssh/sshd_config -cat /usr/local/sbin/templates/$dom.txt >> /etc/ssh/sftp/sftp_config + ## Restart sshd -## Restart sshd + /usr/bin/systemctl restart sshd -/usr/bin/systemctl restart sshd + echo " " + echo "Please check the status of sshd with systemctl status sshd." + echo "You can verify that your information was added to the sshd_config by doing a more of the sshd_config" + echo "A backup of the working sshd_config was created when this script was run: sshd_config.bak" + ``` -echo " " -echo "Please check the status of sshd with systemctl status sshd." -echo "You can verify that your information was added by doing a more of the sftp_config" -echo "A backup of the working sftp_config was created when this script was run: sftp_config.bak" -``` -### Final Changes and Script Notes for both 8.5 and 8.6 +### Final Changes and Script Notes !!! tip If you take a look at either of the scripts above, you will note that we have changed the delimiter that `sed` uses by default from `/` to `,`. `sed` allows you to use any single-byte character as a delimiter. What we are searching for in the file has a bunch of "/" characters in it, and we would have had to escape each one (add a "\" in front of them) to search and replace these strings. Changing the delimiter makes this infinitely easier to do because it eliminates the need to do those escapes. -A couple of things to know about the script and about an SFTP change root in general. First, we are prompting for the needed information and then echoing it back to the user so they can verify it. If we answer "N" to the confirmation question, the script bails and does nothing. The script for 8.5 makes a backup of `sshd_config` (`/etc/ssh/sshd_config.bak`) the way it was prior to our running of the script. The 8.6 script does the same for the `sftp_config` file (`/etc/ssh/sftp/sftp_config.bak`). In this way, if we screw something up with an entry, we can simply restore the appropriate backup file and then restart `sshd` to get things working again. +A couple of things to know about the script and about an SFTP change root in general. First, we are prompting for the needed information and then echoing it back to the user so they can verify it. If we answer "N" to the confirmation question, the script bails and does nothing. The script for 8.5 makes a backup of `sshd_config` (`/etc/ssh/sshd_config.bak`) the way it was prior to our running of the script. The 8.6 or 9.0 script does the same for the `sftp_config` file (`/etc/ssh/sftp/sftp_config.bak`). In this way, if we screw something up with an entry, we can simply restore the appropriate backup file and then restart `sshd` to get things working again. -The SFTP change root requires that the path given in the `sshd_config` is owned by root. For this reason we do not need the `html` directory added to the end of the path. Once the user is authenticated, the change root will switch the user's home directory, in this case the `../html`, directory to whichever domain we are entering. Our script has appropriately changed the owner of the `../html` directory to the sftpuser and the apache group. +The SFTP change root requires that the path given in the `sshd_config` is owned by root. For this reason we do not need the `html` directory added to the end of the path. Once the user is authenticated, the change root will switch the user's home directory, in this case the `../html` directory, to whichever domain we are entering. Our script has appropriately changed the owner of the `../html` directory to the sftpuser and the apache group. !!! attention "Script Compatibility" - While you can use the script that we created for Rocky Linxux 8.5 on either 8.5 or 8.6 successfully, the same cannot be said for the 8.6 script. Since the drop in configuration file option (`Include` directive) was not enabled in 8.5, attempting to use the 8.6 script in Rocky Linux 8.5 will fail. + While you can use the script that we created for Rocky Linxux 8.5 on 8.5, 8.6 or 9.0 successfully, the same cannot be said for the script for 8.6 and 9.0. Since the drop in configuration file option (`Include` directive) was not enabled in 8.5, attempting to use the script written for those newer versions in Rocky Linux 8.5 will fail. Now that our script is created, let's make it executable: @@ -570,7 +569,7 @@ ff02::2 ip6-allrouters For real domains, you would want to populate your DNS server's with the hosts above. You can, though, use this *Poor Man's DNS* for testing any domain, even one that hasn't been taken live on real DNS servers. -Now, open your web browser and check to make sure that your `index.html` file for each domain displays by entering the URL in your browser's address bar. Example: "http://mybrokenaxel.com" if your test index files load, everything is working correctly. +Now, open your web browser and check to make sure that your `index.html` file for each domain displays by entering the URL in your browser's address bar. (Example: "http://mybrokenaxel.com") If your test index files load, everything is working correctly. ## Part 3: Administrative Access with SSH key pairs