Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow configuration of multiple SFTP groups #216

Open
sean-nixon opened this issue May 8, 2019 · 1 comment
Open

Allow configuration of multiple SFTP groups #216

sean-nixon opened this issue May 8, 2019 · 1 comment
Labels
help wanted

Comments

@sean-nixon
Copy link

sean-nixon commented May 8, 2019
edited
Loading

Is your feature request related to a problem? Please describe.
I am trying to reproduce an SFTP config with multiple groups with distinct configurations (chroot, AuthorizedKeysFile, etc.). We have a use case where we want org level users to have chroot set to the full ftp directory and "guest" users to use a sub-directory associated with their user. Right now the cookbook only supports a single SFTP group.

Describe the solution you'd like
Ideally, I'd a hash where each element would correspond to a group and have the related configurations beneath it. For backwards compatibility, it could be something like default['ssh-hardening']['ssh']['server']['sftp']['extra-groups'] which defaults to nil and is appended to the main group config. So, for example, the attributes would be:

default['ssh-hardening']['ssh']['server']['sftp']['extra-groups']['group1']['chroot'] = '/home/%u'
default['ssh-hardening']['ssh']['server']['sftp']['extra-groups']['group1']['password_authentication'] = true
default['ssh-hardening']['ssh']['server']['sftp']['extra-groups']['group2']['chroot'] = '/home'
default['ssh-hardening']['ssh']['server']['sftp']['extra-groups']['group2']['password_authentication'] = false
default['ssh-hardening']['ssh']['server']['sftp']['extra-groups']['group2']['authorized_keys_file'] = '/path'

would create the config:

Match Group group1
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
        PasswordAuthentication yes
        ...
 
Match Group group2
        ChrootDirectory /home
        ForceCommand internal-sftp
        PasswordAuthentication no
        AuthorizedKeysFile /path
        ...

Describe alternatives you've considered
I've considered as a workaround disabling SFTP in the attributes and using the generic "extras" config to manually place all of the config necessary for SFTP. I've yet to test this, but it is not ideal because it creates additional burden to maintain and secure that config and could break with future versions of the cookbook.
@chris-rock
Copy link
Member

@sean-nixon It sounds right to me to add support for deeper sftp configuration. As you suggested, we should keep it backwards compatible. Any PRs to make it happen are welcome.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@chris-rock @artem-sidorenko @sean-nixon