Re: Aw: Re: Howto log multiple sftpd instances with their chroot shared via NFS

On 29.09.21 11:54, Hildegard Meier wrote:
> ls -al /var/data/chroot/sftp_nagios/etc/
> total 6
> drwxr-xr-x+ 2 root root           3 Oct 31  2014 .
> drwxr-x---+ 6 root sftp_nagios    6 Sep 28 17:09 ..
> -rw-r--r--+ 1 root root        2309 Oct 31  2014 localtime

(Semi-off-topic suggestion:

# ls -al ~binect/etc
insgesamt 8
drwx--x---. 2 root mandanten 31 26. Jan 2018  .
drwxr-x---. 5 root mandanten 62  4. Nov 2019  ..
-rw-r-----. 1 root mandanten 24 26. Jan 2018  group
-rw-r-----. 1 root mandanten 90 26. Jan 2018  passwd

# grep . ~binect/etc/*
/home/chroot/binect/etc/group:root:x:0:
/home/chroot/binect/etc/group:users:x:[GID of group "mandanten"]:
/home/chroot/binect/etc/passwd:root:x:0:0:root:/:/usr/sbin/nologin
/home/chroot/binect/etc/passwd:binect:x:[UID of "binect"]:[GID of "mandanten"]:Mandant binect:/:/usr/sbin/nologin

- just so that the user's "ls -l" output is more readable than listing raw UIDs and GIDs.)

> ls -al /var/data/chroot/sftp_nagios/.ssh/
> total 4
> dr-x------+ 2 sftp_nagios sftp_nagios   3 Sep 10 09:59 .
> drwxr-x---+ 6 root        sftp_nagios   6 Sep 28 17:09 ..
> -r--r-----+ 1 root        sftp_nagios 401 Sep 10 09:30 authorized_keys
>
> (This is for public key auth; in the future this shall be moved out of the user's chroot dir structure, as it is unwanted that the users can change/view that file.)

Another suggestion:

Match group mandanten
        AuthorizedKeysCommand /usr/local/sbin/MKLookup
        AuthorizedKeysCommandUser akcu


# cat /usr/local/sbin/MKLookup
#!/bin/sh

MAIN_FILE="/etc/mand/pubkeys"
MASTER_FILE="/etc/mand/masterkeys"

# sshd passes the target username as the only argument (the default when
# AuthorizedKeysCommand is configured without explicit arguments).
MANDANT="$1"
# Map every permitted character to "_"; anything left over is unsupported.
# printf instead of an unquoted echo, so that a username starting with "-"
# is not taken as an echo option.
if [ "$(printf '%s\n' "$MANDANT" | tr 'A-Za-z0-9-' _ | sed -e 's/^_*$/_/')" != "_" ]; then
        # Unsupported characters in username. Refuse to work.
        exit 0
fi
# Lines of the form "#<user># ssh-..." belong to <user>; emit them with the tag stripped.
if [ -r "$MAIN_FILE" ]; then
        grep '^ *#'"$MANDANT"'# *ssh-' "$MAIN_FILE" | sed -e 's/^ *#'"$MANDANT"'# *//'
fi
# Master keys are accepted for every user the Match block applies to.
if [ -r "$MASTER_FILE" ]; then
        cat "$MASTER_FILE"
fi
exit 0


# grep '^#binect#ssh-r.*Bern' /etc/mand/pubkeys | sed -e 's/ .* / ... /'
#binect#ssh-rsa ... Jochen.Bern@xxxxxxxxx

(Making the entries' format so that they'd be *nonfunctional comments* if they'd ever be read as normal authorized_keys lines is an extra security precaution by paranoid /me ;-)

Regards,
--
Jochen Bern
Systems Engineer

T  +49 6151 9067-231
F  +49 6151 9067-290
E  jochen.bern@xxxxxxxxx
W  www.binect.de


Binect GmbH
Robert-Koch-Str. 9
64331 Weiterstadt

Business mail. Simple. Digital.
We are certified to ISO/IEC 27001:2013 and 9001:2015.
The BMWi funds digital solutions for SMEs.

Managing Directors: Dr. Frank Wermeyer, Michael Imiolczyk
Registered office: Weiterstadt
Register: Amtsgericht Darmstadt, HRB 94685
VAT ID: DE 221 302 264

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
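Worked example added by the editor (not Jochen Bern's script and not part of OpenSSH): a self-contained sh version of the lookup idea from the mail above, with the pubkeys/masterkeys files, the usernames and the "#<user>#" tagged entries constructed in a temporary directory. The key strings are placeholders, not real keys. Beyond the mail's script, it also checks the remark about the entry format: because every line in the pubkeys file starts with "#", the raw file read as an authorized_keys file would authorize nothing.

```bash
#!/bin/sh
# Added example, not the MKLookup script from the mail. Paths, file contents
# and usernames below are constructed for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

MAIN_FILE="$WORK/pubkeys"
MASTER_FILE="$WORK/masterkeys"

# Constructed sample data: one "#<user># <key>" entry per line. Key material
# is a placeholder string, not a real public key.
cat > "$MAIN_FILE" <<'EOF'
#binect#ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER_KEY_1 alice@example.invalid
#binect# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_PLACEHOLDER_KEY_2 bob@example.invalid
#other#ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_PLACEHOLDER_KEY_3 carol@example.invalid
EOF
cat > "$MASTER_FILE" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_PLACEHOLDER_MASTER admin@example.invalid
EOF

# Return 0 if the username consists only of letters, digits and '-', else 1.
# A case pattern replaces the echo/tr/sed pipeline and rejects an empty name
# explicitly; the accepted characters are also safe inside the grep/sed
# expressions below.
valid_user() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the authorized_keys lines for user $1: that user's tagged entries
# with the "#user#" prefix stripped, followed by every master key.
# An unsupported username yields no keys at all (exit 0, like the original).
lookup_keys() {
    user="$1"
    valid_user "$user" || return 0
    if [ -r "$MAIN_FILE" ]; then
        grep '^ *#'"$user"'# *ssh-' "$MAIN_FILE" | sed -e 's/^ *#'"$user"'# *//'
    fi
    if [ -r "$MASTER_FILE" ]; then
        cat "$MASTER_FILE"
    fi
    return 0
}

# How many lines sshd would treat as keys if the raw pubkeys file were used
# directly as authorized_keys: lines beginning with '#' are comments there.
count_raw_keys() {
    grep -c -v '^ *#' "$MAIN_FILE" || true
}

# Stand-alone demonstration: the keys sshd would receive for user "binect".
lookup_keys binect
```

Run with sh or bash; with the sample data, "binect" gets its two entries plus the master key, "other" gets one entry plus the master key, an unknown but well-formed name gets only the master key, and a name with characters outside the allowed set gets nothing.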

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
