SSH+SFTP restricted authorizations

we have something ready to be tested… please jump in it

It seems the SSH+SFTP and Cockpit access is working well. We can release this bundle with the new ShellOverrideStatus prop set to disabled, so that existing systems are not affected. In this period of hidden “beta” we can complete the chroot part.

Next steps could be

  1. Design and add the SFTP chroot feature
  2. Show a checkbox in the UI, so it’s easy to upgrade to the new behavior. Add documentation to the admin’s manual
  3. Switch the default prop value to enabled in NS 7.8

What do you think?

From what I tested it is not so simple. It was not really a goal, so I did not lose much time on it, but in short: if you chroot the user for SFTP, then SSH is broken because /bin/bash is no longer in the path (failed to run command ‘/bin/bash’: No such file or directory). You have some tricks to make it available, but it is a matter of copying libraries to /var/lib/nethserver/home.
To be honest, I am not a big fan.
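As an added example (not code from this thread or from NethServer), the usual OpenSSH way to chroot SFTP-only users without copying /bin/bash and its libraries into the chroot is to force the in-process internal-sftp server for that group in sshd_config. The group name sftponly, the paths, and the check function are assumptions; both config fragments are constructed for the demo. The check flags any Match block that sets ChrootDirectory without ForceCommand internal-sftp, which is the combination that produces the “failed to run command ‘/bin/bash’” error quoted above. This pattern does not give chrooted users an interactive SSH session; it only makes an SFTP-only chroot work without binaries inside it.

```shell
#!/bin/sh
# Added example, not NethServer code. Group "sftponly" and the chroot path
# are assumptions chosen for the demo.

# Constructed sshd_config fragment: members of "sftponly" are chrooted and
# served by the in-process SFTP server, so nothing needs to exist inside
# the chroot besides the users' directories.
good_fragment() {
cat <<'EOF'
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /var/lib/nethserver/home
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Constructed counter-example: chroot without ForceCommand. A login would
# try to exec the user's shell inside the chroot, where /bin/bash is absent.
bad_fragment() {
cat <<'EOF'
Match Group sftponly
    ChrootDirectory /var/lib/nethserver/home
EOF
}

# check_chroot_blocks: read sshd_config on stdin; return 0 when every Match
# block that sets ChrootDirectory also sets "ForceCommand internal-sftp",
# otherwise print the offending Match line and return 1.
check_chroot_blocks() {
    awk '
        function flush() {
            if (inblock && chroot && !forced) {
                print "chroot without internal-sftp: " hdr
                bad = 1
            }
        }
        tolower($1) == "match" {
            flush(); inblock = 1; hdr = $0; chroot = 0; forced = 0; next
        }
        inblock && tolower($1) == "chrootdirectory" { chroot = 1 }
        inblock && tolower($1) == "forcecommand" && $2 == "internal-sftp" { forced = 1 }
        END { flush(); exit bad }
    '
}

# Usage: lint the two constructed fragments.
good_fragment | check_chroot_blocks && echo "good fragment: ok"
bad_fragment | check_chroot_blocks || echo "bad fragment: rejected"
```

On a real host the same function can be fed `cat /etc/ssh/sshd_config` before restarting sshd, alongside the daemon's own `sshd -t` syntax check.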

agreed

A first bundle of the new features was released! See Group-based access restriction for Cockpit and SSH · Issue #6029 · NethServer/dev · GitHub

With the upgraded packages it is possible to preview the new system behavior with the following commands (see README)

:warning: do not run in production!

config setprop sssd ShellOverrideStatus enabled
signal-event nethserver-sssd-save

Next step is:

Where is the best place for this checkbox? :-?

:beers: I need a Belgian beer and @giacomo, @edoardo_spadoni to answer this question

I need a new angel to watch over me in Brussels; last year it was @Sebastian. The night was fun, but it was a hard Sunday morning.

I’d say the Settings page, which is like a trash bin :smiley:

Yes, it would be easy to find and to code it there; even if it were not there, I would think to look for it there. From my point of view, the user/group menu could be a better place.

Either in the modal for editing the account provider, or maybe a checkbox directly in the page menu.

Why not in SSH?
Or does SFTP not change port when the SSH port is changed?

In fact we introduced a new prop under sssd to force the shell of users to /bin/bash, so that any user can log in to Cockpit/SSH. For security reasons we also introduced ssh and cockpit AllowsGroups props to restrict who is able to connect.

So the question now is where to expose the sssd prop checkbox.

I agree. The checkbox just needs to be there and checked once, to upgrade to the new system behavior. New NS 7.8 installations will receive it as the default setting.

Meanwhile your latest enhancements were released :wink:

I’ve installed it on three production servers and it’s perfect!

Great job :+1: @stephdl

A post was split to a new topic: SFTP chroot howto