SFTP login / template-custom ssh

e-smith
v7

(Douglas Nogueira) #1

NethServer Version: 7.5
Module: SSHD

Good Morning!

I need to change the sshd_config so that I can authenticate users using internal sftp. I created a template-custom for this but it did not work, I want to see what I might have done wrong.

I created it as follows:
sshd_config custom -> /etc/e-smith/templates-custom/etc/ssh/sshd_config/sshd.config/80ssh

After that I ran expand-template /etc/ssh/sshd_config

At first it had been ok, but when restarting the server the sshd_config file returned to the original.

The initial goal of all this is to be able to authenticate users in the shell using sftp, since I currently own a server that does this and would like to use the same format in Nethserver.


(Filippo Carletti) #2

The correct path for the custom template should be:

/etc/e-smith/templates-custom/etc/ssh/sshd_config/80xxx

If you have problems, please, give us all the details (i.e. the config of the old server), thank you.


(Douglas Nogueira) #3

Thanks @filippo_carletti, it worked!

But there is still a problem kk
With the template I added a new fragment to the sshd_config configuration; however, I needed to do a complete override of the original config with the config that I inserted into the custom template.

Is there any way to totally replace the original?


(Eddie Atherton) #4

Create files in the templates-custom directories with the exact same names as in templates. That way they will be used instead of the originals.

Cheers.


(Markus Neuberger) #5

I just want to add that you should avoid overriding original templates with templates-custom, because if the original templates are updated by a software update, the template updates are not applied, and that may lead to errors or security problems.

In the case of sshd_config it seems it is not possible to avoid overriding it, but please post your custom template(s); maybe we can find another solution.

http://docs.nethserver.org/projects/nethserver-devel/en/v7/templates.html#how-to-resolve-conflicts-with-standard-templates


(Douglas Nogueira) #6

@mrmarkuz Below is the configuration file. I have manually commented out the original part of sshd_config; below it is the configuration that I use on my old CentOS 6 server.

In my scenario I have clients that connect using normal FTP port 21 and others that connect via SFTP port 22, so I need this configuration in the sshd_config file. With the manual change everything works perfectly, I can use vsftpd for FTP and SFTP with local system users.

# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
#
#Port 22
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
#HostKey /etc/ssh/ssh_host_rsa_key
#LoginGraceTime 2m
#Protocol 2
#UsePAM yes
#ChallengeResponseAuthentication no

#MaxAuthTries 6
#MaxStartups 10:30:60
#PasswordAuthentication yes
#PermitRootLogin yes

#UsePrivilegeSeparation sandbox
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
#X11Forwarding yes
#ClientAliveInterval 60
#ClientAliveCountMax 3


# Cipher selection 2018-03-30
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
#KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

##################################################################
Port 22
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
ChrootDirectory /home
Subsystem       sftp    internal-sftp

(Markus Neuberger) #7

It seems to be possible, there’s a db property to disable the sftp subsystem.

config setprop sshd SubsystemSftp no

Create a custom template:

mkdir -p /etc/e-smith/templates-custom/etc/ssh/sshd_config/

Create /etc/e-smith/templates-custom/etc/ssh/sshd_config/80Custom with following content:

# Custom settings
SyslogFacility AUTHPRIV
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
ChrootDirectory /home
Subsystem       sftp    internal-sftp

Expand the template and restart sshd:

expand-template /etc/ssh/sshd_config
systemctl restart sshd

I could login via sftp and got chrooted to /home. Are you sure you need the SyslogFacility, GSSAPI and AcceptEnv settings?
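As an added example (not from the thread and not part of the NethServer tooling), a small POSIX shell check to run on the expanded /etc/ssh/sshd_config before `systemctl restart sshd`: it flags a second active `Subsystem sftp` line (what is left behind when `SubsystemSftp` is not set to `no`) and a `ChrootDirectory` paired with the external sftp-server binary instead of `internal-sftp`. The function names and the two sample configs are constructed for this example.

```shell
# Added example (not NethServer tooling): sanity-check an expanded sshd_config
# before "systemctl restart sshd". It flags two failure modes from the thread:
#  1. more than one active "Subsystem sftp" line (stock fragment + custom one when
#     SubsystemSftp is not "no"): sshd exits with "Subsystem 'sftp' already defined"
#  2. ChrootDirectory with the external sftp-server binary, which does not exist
#     inside the chroot, so sftp sessions fail; internal-sftp is required

# Number of uncommented "Subsystem sftp" directives in the file given as $1.
count_sftp_subsystems() {
    grep -Eic '^[[:space:]]*Subsystem[[:space:]]+sftp([[:space:]]|$)' "$1" || true
}

# 0 when the config passes both checks, 1 otherwise (findings go to stderr).
check_sshd_config() {
    cfg=$1
    rc=0
    n=$(count_sftp_subsystems "$cfg")
    if [ "$n" -gt 1 ]; then
        echo "$cfg: $n 'Subsystem sftp' lines; sshd will refuse to start" >&2
        rc=1
    fi
    if grep -Eiq '^[[:space:]]*ChrootDirectory[[:space:]]' "$cfg" &&
       ! grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$cfg"; then
        echo "$cfg: ChrootDirectory set without internal-sftp" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample configs standing in for the expanded /etc/ssh/sshd_config.
BAD_CFG=$(mktemp)   # stock Subsystem line still present, custom fragment appended
cat >"$BAD_CFG" <<'EOF'
Port 22
Subsystem       sftp    /usr/libexec/openssh/sftp-server
# Custom settings
ChrootDirectory /home
Subsystem       sftp    internal-sftp
EOF
GOOD_CFG=$(mktemp)  # stock Subsystem line dropped via "config setprop sshd SubsystemSftp no"
cat >"$GOOD_CFG" <<'EOF'
Port 22
# Custom settings
ChrootDirectory /home
Subsystem       sftp    internal-sftp
EOF

check_sshd_config "$GOOD_CFG" && echo "$GOOD_CFG: ok"
check_sshd_config "$BAD_CFG" || echo "$BAD_CFG: fix before restarting sshd"
```

`sshd -t -f /etc/ssh/sshd_config` remains the authoritative syntax check. Note also that sshd requires the chroot directory to be owned by root and not group- or world-writable, and a `ChrootDirectory` set outside a `Match` block applies to every SSH session, shell logins included.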


(Douglas Nogueira) #8

It worked, thanks @mrmarkuz :smiley:

I made some tests here and I do not need these options (SyslogFacility, GSSAPI and AcceptEnv), so I left them out of the configuration.

Thank you very much for your attention and help.


(Markus Neuberger) #9

You’re welcome. Please mark the solution to help others to find it more easily.