Skip to content

Update SFTP document for 9.0 #900

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Oct 12, 2022
Merged

Update SFTP document for 9.0 #900

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
221 changes: 110 additions & 111 deletions docs/guides/file_sharing/sftp.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
title: Secure Server - sftp
author: Steven Spencer
contributors: Ezequiel Bruni
tested with: 8.5, 8.6
tested with: 8.5, 8.6, 9.0
tags:
- security
- file transfer
Expand Down Expand Up @@ -293,8 +293,8 @@ Subsystem sftp internal-sftp
Save and exit the file.

Just like before, let's describe what we are doing a little here. Both the `sftp-server` and `internal-sftp` are part of OpenSSH. The `internal-sftp`, while not too different from the `sftp-server`, simplifies configurations using `ChrootDirectory` to force a different file system root on clients. So that is why we want to use `internal-sftp`.

### 8.5 - The Template And The Script
### The Template And The Script

Why are we creating a template and a script for this next part? The reason is simply to avoid human error as much as possible. We aren't done modifying that `/etc/ssh/sshd_config` file yet, but we want to eliminate as many errors as possible whenever we need to make these modifications. We will create all of this in `/usr/local/sbin`.

Expand Down Expand Up @@ -327,169 +327,168 @@ We want a directory for our user files that we will create from the template too
mkdir /usr/local/sbin/templates
```

#### 8.5 - The Script

Now let's create our script:
=== "8.6 & 9.0"

```
vi /usr/local/sbin/webuser
```
#### 8.6 & 9.0 - The Script and `sshd_config` Changes

And put this code in it:
With the releases of Rocky Linux 8.6 and 9.0, a new option is available for the `sshd_config` file that allows for drop in configurations. This is a **GREAT** change. What this means is that for these versions we will make a single additional change to the `sshd_config` file, and then our script will build out sftp changes in a separate configuration file. This new change makes things even safer. Safety is good!!

```
#!/bin/bash
# script to populate the SSHD configuration for web users.
Because of the changes allowed for the `sshd_config` file in Rocky Linux 8.6 and 9.0, our script will use a new drop in configuration file: `/etc/ssh/sftp/sftp_config`.

# Set variables
To start with, create that directory:

tempfile="/usr/local/sbin/sshd_template"
dompath="/var/www/sub-domains/"
```
mkdir /etc/ssh/sftp
```

# Prompt for user and domain in reverse (ext.domainname):
Now make a backup copy of the `sshd_config`:

clear
```
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
```

echo -n "Enter the web sftp user: "
read sftpuser
echo -n "Enter the domain in reverse. Example: com.domainname: "
read dom
echo -n "Is all of this correct: sftpuser = $sftpuser and domain = $dom (Y/N)? "
read yn
if [ "$yn" = "n" ] || [ "$yn" = "N" ]
then
exit
fi
if [ "$yn" = "y" ] || [ "$yn" = "Y" ]
then
/usr/bin/cat $tempfile > /usr/local/sbin/templates/$dom.txt
/usr/bin/sed -i "s,replaceuser,$sftpuser,g" /usr/local/sbin/templates/$dom.txt
/usr/bin/sed -i "s,replacedirectory,$dompath$dom,g" /usr/local/sbin/templates/$dom.txt
/usr/bin/chown -R $sftpuser.apache $dompath$dom/html
fi
And finally edit the `sshd_config` file, scroll to the very bottom of the file, and add this line:

## Make a backup of /etc/ssh/sshd_config
```bash
Include /etc/ssh/sftp/sftp_config
```

/usr/bin/rm -f /etc/ssh/sshd_config.bak
Save your changes and exit the file. We will need to restart `sshd` but our script will do that for us after we update `sftp_config` file, so let's create the script and run it.

/usr/bin/cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
```
vi /usr/local/sbin/webuser
```

## Now append our new user information to to the file
And put this code in it:

cat /usr/local/sbin/templates/$dom.txt >> /etc/ssh/sshd_config
```
#!/bin/bash
# script to populate the SSHD configuration for web users.

## Restart sshd
# Set variables

/usr/bin/systemctl restart sshd
tempfile="/usr/local/sbin/sshd_template"
dompath="/var/www/sub-domains/"

echo " "
echo "Please check the status of sshd with systemctl status sshd."
echo "You can verify that your information was added to the sshd_config by doing a more of the sshd_config"
echo "A backup of the working sshd_config was created when this script was run: sshd_config.bak"
```
# Prompt for user and domain in reverse (ext.domainname):

### 8.6 - The Template And The Script
clear

With the release of Rocky Linux 8.6, a new option is available for the `sshd_config` file that allows for drop in configurations. This is a **GREAT** change. What this means is that for 8.6, we will make a single additional change to the `sshd_config` file, and then our script will build out sftp changes in a separate configuration file. While the 8.5 procedure above is pretty darned safe, this new change makes things even safer. Safety is good!!
echo -n "Enter the web sftp user: "
read sftpuser
echo -n "Enter the domain in reverse. Example: com.domainname: "
read dom
echo -n "Is all of this correct: sftpuser = $sftpuser and domain = $dom (Y/N)? "
read yn
if [ "$yn" = "n" ] || [ "$yn" = "N" ]
then
exit
fi
if [ "$yn" = "y" ] || [ "$yn" = "Y" ]
then
/usr/bin/cat $tempfile > /usr/local/sbin/templates/$dom.txt
/usr/bin/sed -i "s,replaceuser,$sftpuser,g" /usr/local/sbin/templates/$dom.txt
/usr/bin/sed -i "s,replacedirectory,$dompath$dom,g" /usr/local/sbin/templates/$dom.txt
/usr/bin/chown -R $sftpuser.apache $dompath$dom/html
fi

#### 8.6 The Template
## Make a backup of /etc/ssh/sftp/sftp_config

There are no changes between 8.5 and 8.6 as far as the template is concerned. So use [that procedure above](#the-template) and then return here for the script.
/usr/bin/rm -f /etc/ssh/sftp/sftp_config.bak

#### 8.6 - The Script and `sshd_config` Changes
/usr/bin/cp /etc/ssh/sftp/sftp_config /etc/ssh/sftp/sftp_config.bak

Because of the changes allowed for the `sshd_config` file in Rocky Linux 8.6, our script will use a new drop in configuration file: `/etc/ssh/sftp/sftp_config`.
## Now append our new user information to to the file

To start with, create that directory:
cat /usr/local/sbin/templates/$dom.txt >> /etc/ssh/sftp/sftp_config

```
mkdir /etc/ssh/sftp
```
## Restart sshd

Now make a backup copy of the `sshd_config`:
/usr/bin/systemctl restart sshd

```
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
```
echo " "
echo "Please check the status of sshd with systemctl status sshd."
echo "You can verify that your information was added by doing a more of the sftp_config"
echo "A backup of the working sftp_config was created when this script was run: sftp_config.bak"
```
=== "8.5"

And finally edit the `sshd_config` file, scroll to the very bottom of the file, and add this line:
#### 8.5 - The Script

```
Include /etc/ssh/sftp/sftp_config
```
Now let's create our script:

Save your changes and exit the file. We will need to restart `sshd` but our script will do that for us after we update `sftp_config` file, so let's create the script and run it.
```
vi /usr/local/sbin/webuser
```

```
vi /usr/local/sbin/webuser
```
And put this code in it:

And put this code in it:
```
#!/bin/bash
# script to populate the SSHD configuration for web users.

```
#!/bin/bash
# script to populate the SSHD configuration for web users.
# Set variables

# Set variables
tempfile="/usr/local/sbin/sshd_template"
dompath="/var/www/sub-domains/"

tempfile="/usr/local/sbin/sshd_template"
dompath="/var/www/sub-domains/"
# Prompt for user and domain in reverse (ext.domainname):

# Prompt for user and domain in reverse (ext.domainname):
clear

clear
echo -n "Enter the web sftp user: "
read sftpuser
echo -n "Enter the domain in reverse. Example: com.domainname: "
read dom
echo -n "Is all of this correct: sftpuser = $sftpuser and domain = $dom (Y/N)? "
read yn
if [ "$yn" = "n" ] || [ "$yn" = "N" ]
then
exit
fi
if [ "$yn" = "y" ] || [ "$yn" = "Y" ]
then
/usr/bin/cat $tempfile > /usr/local/sbin/templates/$dom.txt
/usr/bin/sed -i "s,replaceuser,$sftpuser,g" /usr/local/sbin/templates/$dom.txt
/usr/bin/sed -i "s,replacedirectory,$dompath$dom,g" /usr/local/sbin/templates/$dom.txt
/usr/bin/chown -R $sftpuser.apache $dompath$dom/html
fi

echo -n "Enter the web sftp user: "
read sftpuser
echo -n "Enter the domain in reverse. Example: com.domainname: "
read dom
echo -n "Is all of this correct: sftpuser = $sftpuser and domain = $dom (Y/N)? "
read yn
if [ "$yn" = "n" ] || [ "$yn" = "N" ]
then
exit
fi
if [ "$yn" = "y" ] || [ "$yn" = "Y" ]
then
/usr/bin/cat $tempfile > /usr/local/sbin/templates/$dom.txt
/usr/bin/sed -i "s,replaceuser,$sftpuser,g" /usr/local/sbin/templates/$dom.txt
/usr/bin/sed -i "s,replacedirectory,$dompath$dom,g" /usr/local/sbin/templates/$dom.txt
/usr/bin/chown -R $sftpuser.apache $dompath$dom/html
fi
## Make a backup of /etc/ssh/sshd_config

## Make a backup of /etc/ssh/sftp/sftp_config
/usr/bin/rm -f /etc/ssh/sshd_config.bak

/usr/bin/rm -f /etc/ssh/sftp/sftp_config.bak
/usr/bin/cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

/usr/bin/cp /etc/ssh/sftp/sftp_config /etc/ssh/sftp/sftp_config.bak
## Now append our new user information to to the file

## Now append our new user information to to the file
cat /usr/local/sbin/templates/$dom.txt >> /etc/ssh/sshd_config

cat /usr/local/sbin/templates/$dom.txt >> /etc/ssh/sftp/sftp_config
## Restart sshd

## Restart sshd
/usr/bin/systemctl restart sshd

/usr/bin/systemctl restart sshd
echo " "
echo "Please check the status of sshd with systemctl status sshd."
echo "You can verify that your information was added to the sshd_config by doing a more of the sshd_config"
echo "A backup of the working sshd_config was created when this script was run: sshd_config.bak"
```

echo " "
echo "Please check the status of sshd with systemctl status sshd."
echo "You can verify that your information was added by doing a more of the sftp_config"
echo "A backup of the working sftp_config was created when this script was run: sftp_config.bak"
```

### Final Changes and Script Notes for both 8.5 and 8.6
### Final Changes and Script Notes

!!! tip

If you take a look at either of the scripts above, you will note that we have changed the delimiter that `sed` uses by default from `/` to `,`. `sed` allows you to use any single-byte character as a delimiter. What we are searching for in the file has a bunch of "/" characters in it, and we would have had to escape each one (add a "\" in front of them) to search and replace these strings. Changing the delimiter makes this infinitely easier to do because it eliminates the need to do those escapes.

A couple of things to know about the script and about an SFTP change root in general. First, we are prompting for the needed information and then echoing it back to the user so they can verify it. If we answer "N" to the confirmation question, the script bails and does nothing. The script for 8.5 makes a backup of `sshd_config` (`/etc/ssh/sshd_config.bak`) the way it was prior to our running of the script. The 8.6 script does the same for the `sftp_config` file (`/etc/ssh/sftp/sftp_config.bak`). In this way, if we screw something up with an entry, we can simply restore the appropriate backup file and then restart `sshd` to get things working again.
A couple of things to know about the script and about an SFTP change root in general. First, we are prompting for the needed information and then echoing it back to the user so they can verify it. If we answer "N" to the confirmation question, the script bails and does nothing. The script for 8.5 makes a backup of `sshd_config` (`/etc/ssh/sshd_config.bak`) the way it was prior to our running of the script. The 8.6 or 9.0 script does the same for the `sftp_config` file (`/etc/ssh/sftp/sftp_config.bak`). In this way, if we screw something up with an entry, we can simply restore the appropriate backup file and then restart `sshd` to get things working again.

The SFTP change root requires that the path given in the `sshd_config` is owned by root. For this reason we do not need the `html` directory added to the end of the path. Once the user is authenticated, the change root will switch the user's home directory, in this case the `../html`, directory to whichever domain we are entering. Our script has appropriately changed the owner of the `../html` directory to the sftpuser and the apache group.
The SFTP change root requires that the path given in the `sshd_config` is owned by root. For this reason we do not need the `html` directory added to the end of the path. Once the user is authenticated, the change root will switch the user's home directory, in this case the `../html` directory, to whichever domain we are entering. Our script has appropriately changed the owner of the `../html` directory to the sftpuser and the apache group.

!!! attention "Script Compatibility"

While you can use the script that we created for Rocky Linxux 8.5 on either 8.5 or 8.6 successfully, the same cannot be said for the 8.6 script. Since the drop in configuration file option (`Include` directive) was not enabled in 8.5, attempting to use the 8.6 script in Rocky Linux 8.5 will fail.
While you can use the script that we created for Rocky Linxux 8.5 on 8.5, 8.6 or 9.0 successfully, the same cannot be said for the script for 8.6 and 9.0. Since the drop in configuration file option (`Include` directive) was not enabled in 8.5, attempting to use the script written for those newer versions in Rocky Linux 8.5 will fail.

Now that our script is created, let's make it executable:

Expand Down Expand Up @@ -570,7 +569,7 @@ ff02::2 ip6-allrouters

For real domains, you would want to populate your DNS server's with the hosts above. You can, though, use this *Poor Man's DNS* for testing any domain, even one that hasn't been taken live on real DNS servers.

Now, open your web browser and check to make sure that your `index.html` file for each domain displays by entering the URL in your browser's address bar. Example: "http://mybrokenaxel.com" if your test index files load, everything is working correctly.
Now, open your web browser and check to make sure that your `index.html` file for each domain displays by entering the URL in your browser's address bar. (Example: "http://mybrokenaxel.com") If your test index files load, everything is working correctly.

## Part 3: Administrative Access with SSH key pairs

Expand Down