This shows you the differences between two versions of the page.

| Previous revision | Current revision |
|---|---|
| sto3_sftp [2018/06/11 13:51] jpe | sto3_sftp [2022/09/03 00:35] (current) 172.18.0.11 |
| Line 1: | Line 1: | ||
| - | ====== SFTP ====== | + | sdqdsq |
| - | We can provide SFTP access for external users (partners) to download/upload files. Best is to create a normal user via the provided scripts [[sto3_user_administration|User administration]], and modify the bash of this user to **mysecureshell**. The goal of MySecureShell is to offer the power and security of OpenSSH, with enhanced features (like ACL) to restrict connected users. For more documentation see [[https://mysecureshell.readthedocs.io/en/latest/]]. To modify the assigned shell of a created user (bash) , you can use smbldap-usermod. Example: | + | |
| - | <code> | + | |
| - | root@sto3:~# smbldap-usermod -s /usr/bin/mysecureshell xre | + | |
| - | root@sto3:~# ldapsearch -x uid=xre loginShell | + | |
| - | # extended LDIF | + | |
| - | # | + | |
| - | # LDAPv3 | + | |
| - | # base <dc=visielab,dc=be> (default) with scope subtree | + | |
| - | # filter: uid=xre | + | |
| - | # requesting: loginShell | + | |
| - | # | + | |
| - | + | ||
| - | # xre, People, visielab.be | + | |
| - | dn: uid=xre,ou=People,dc=visielab,dc=be | + | |
| - | loginShell: /usr/bin/mysecureshell | + | |
| - | + | ||
| - | # search result | + | |
| - | search: 2 | + | |
| - | result: 0 Success | + | |
| - | + | ||
| - | # numResponses: 2 | + | |
| - | # numEntries: 1 | + | |
| - | </code> | + | |
| - | + | ||
| - | The configuration of mysecureshell is located in the same directory as **ssh** , **/etc/ssh/sftp_config**. Don't forget to change some default values, e.g. the bandwidth limit for downloads is standaard 5k, which is quite low of course. | + | |
| - | <code> | + | |
| - | <Default> | + | |
| - | GlobalDownload 50m #total speed download for all clients | + | |
| - | # o -> bytes k -> kilo bytes m -> mega bytes | + | |
| - | GlobalUpload 0 #total speed download for all clients (0 for unlimited) | + | |
| - | # Download 5k #limit speed download for each connection | + | |
| - | Download 0 #limit speed download for each connection | + | |
| - | Upload 0 #unlimit speed upload for each connection | + | |
| - | StayAtHome true #limit client to his home | + | |
| - | VirtualChroot true #fake a chroot to the home account | + | |
| - | LimitConnection 10 #max connection for the server sftp | + | |
| - | LimitConnectionByUser 3 #max connection for the account | + | |
| - | LimitConnectionByIP 3 #max connection by ip for the account | + | |
| - | Home /data/home/$USER #overrite home of the user but if you want you can use | + | |
| - | # environment variable (ie: Home /home/$USER) | + | |
| - | IdleTimeOut 5m #(in second) deconnect client is idle too long time | + | |
| - | ResolveIP true #resolve ip to dns | + | |
| - | # IgnoreHidden true #treat all hidden files as if they don't exist | + | |
| - | # DirFakeUser true #Hide real file/directory owner (just change displayed permissions) | + | |
| - | # DirFakeGroup true #Hide real file/directory group (just change displayed permissions) | + | |
| - | # DirFakeMode 0400 #Hide real file/directory rights (just change displayed permissions) | + | |
| - | #Add execution right for directory if read right is set | + | |
| - | HideNoAccess true #Hide file/directory which user has no access | + | |
| - | # MaxOpenFilesForUser 20 #limit user to open x files on same time | + | |
| - | # MaxWriteFilesForUser 10 #limit user to x upload on same time | + | |
| - | # MaxReadFilesForUser 10 #limit user to x download on same time | + | |
| - | DefaultRights 0640 0750 #Set default rights for new file and new directory | + | |
| - | # MinimumRights 0400 0700 #Set minimum rights for files and dirs | + | |
| - | + | ||
| - | ShowLinksAsLinks false #show links as their destinations | + | |
| - | # ConnectionMaxLife 1d #limits connection lifetime to 1 day | + | |
| - | + | ||
| - | # Charset "ISO-8859-15" #set charset of computer | + | |
| - | </Default> | + | |
| - | </code> | + | |
| - | + | ||
| - | ====== disable/lock/unlock a user ====== | + | |
| - | <code> | + | |
| - | smbldap-usermod -L <username> | + | |
| - | </code> | + | |
| - | To enable this user again, you also have to set (or reset ) the password for that user | + | |
| - | <code> | + | |
| - | smbldap-usermod -U <username> | + | |
| - | smbldap-usermod -P <username> | + | |
| - | New password: | + | |
| - | Retype new password: | + | |
| - | </code> | + | |
| - | + | ||
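Review bot: the current revision replaces the entire page with the string "sdqdsq" and removes every line of the previous content (the mysecureshell setup and the `smbldap-usermod -s /usr/bin/mysecureshell xre` example, the full `/etc/ssh/sftp_config` listing, and the lock/unlock procedure), which reads as an accidental overwrite or a defacement rather than an edit; revert to the 2018/06/11 revision by jpe before anyone relies on the current page. The overwrite is attributed to a bare IP address (172.18.0.11) rather than a named account like the previous revision, so it is also worth checking that the wiki's edit permissions do not allow anonymous writes to this page. If the old text is restored, two small corrections in the restored lines are worth making at the same time: the comment on `GlobalUpload 0 #total speed download for all clients (0 for unlimited)` describes download where it means upload, and "is standaard 5k" should read "is 5k by default".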