Diagram (blockdiag source; rendered image not available):
blockdiag {
  default_shape = roundedbox;
  // Set labels to nodes.
  A1 [shape = actor, label = "USER1", numbered = 1];
  B [label = "SSHD", numbered = 2];
  C [label = "SSHD_CONFIG", numbered = 3];
  D [label = "/data/sftp_group_1/USER1", numbered = 4];
  E [label = "UMASK 0007", numbered = 5];
  F [label = "Default Folder /upload under chroot", numbered = 6];
  // Set labels to edges. (short text only)
  A1 -> B [label = "SFTP"];
  B <- C [label = "read"];
  B -> D [label = "chroot"];
  B -> E [label = "set"];
  B -> F [label = "move"];
  group {
    label = "SSHD Match Group";
    orientation = portrait;
    D -> E -> F;
  }
}
Objectives
Deliver secured resources access to a Linux server through SFTP.
SFTP accounts will only have access to allowed resource.
An administrator account will be able to manage user accounts.
Target User mode diagram
Target Admin mode diagram
Diagram (blockdiag source; rendered image not available):
blockdiag {
  default_shape = roundedbox;
  // Set labels to nodes.
  A1 [shape = actor, label = "USER1", numbered = 1];
  A2 [shape = actor, label = "USER2", numbered = 1];
  B [label = "SSHD", numbered = 2];
  C [label = "SSHD_CONFIG", numbered = 3];
  D [label = "/data/sftp_group_1/%u", numbered = 4];
  E [label = "UMASK 0007", numbered = 5];
  F [label = "Default Folder /upload under chroot", numbered = 6];
  // Set labels to edges. (short text only)
  A1 -> B [label = "SFTP"];
  A2 -> B [label = "SFTP"];
  B <- C [label = "read"];
  B -> D [label = "chroot"];
  B -> E [label = "set"];
  B -> F [label = "move"];
  group {
    label = "SSHD Match Group";
    orientation = portrait;
    D -> E -> F;
  }
}
Controls
SFTP activation in SSHD control
[root@server /]# cat /etc/ssh/sshd_config
....
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
Directory tree creation
mkdir -p /directory
chmod 700 /directory
Example:
[root@server /]# mkdir -p /data/sftp_group_1
[root@server /]# chmod 700 /data
SFTP user and group creation
groupadd sftp_group_1 // (1)
useradd -g sftp_group_1 -d / -s /sbin/nologin USER1 // (2)
useradd -g sftp_group_1 -d / -s /sbin/nologin USER2 // (3)
useradd -g sftp_group_1 -d / -s /sbin/nologin USER3 // (4)
useradd -g sftp_group_1 -d / -s /sbin/nologin USER4 // (5)
Creation of the group the SFTP users will belong to.
-g : primary group of user USER1 / -d home directory path / -s login shell ⇒ none
-g : primary group of user USER2 / -d home directory path / -s login shell ⇒ none
-g : primary group of user USER3 / -d home directory path / -s login shell ⇒ none
-g : primary group of user USER4 / -d home directory path / -s login shell ⇒ none
Created user password setup
passwd USER1
passwd USER2
passwd USER3
passwd USER4
SFTP user config file check-up
cat /etc/passwd
....
USER1:x:1002:1002::/:/sbin/nologin
USER2:x:1003:1002::/:/sbin/nologin
USER3:x:1004:1002::/:/sbin/nologin
USER4:x:1005:1002::/:/sbin/nologin
User default directory tree creation
mkdir -p /data/sftp_group_1/USER2/upload // (1)
chown -R root:root /data/sftp_group_1/USER2 // (2)
chown -R USER2:sftp_users /data/sftp_group_1/USER2/upload // (3)
chmod 770 /data/sftp_group_1/USER2/upload // (4)
mkdir -p /data/sftp_group_1/USER1/upload // (1)
chown -R root:root /data/sftp_group_1/USER1 // (2)
chown -R USER1:sftp_users /data/sftp_group_1/USER1/upload // (3)
chmod 770 /data/sftp_group_1/USER1/upload // (4)
mkdir -p /data/sftp_group_1/USER3/upload // (1)
chown -R root:root /data/sftp_group_1/USER3 // (2)
chown -R USER3:sftp_users /data/sftp_group_1/USER3/upload // (3)
chmod 770 /data/sftp_group_1/USER3/upload // (4)
mkdir -p /data/sftp_group_1/USER4/upload // (1)
chown -R root:root /data/sftp_group_1/USER4 // (2)
chown -R USER4:sftp_users /data/sftp_group_1/USER4/upload // (3)
chmod 770 /data/sftp_group_1/USER4/upload // (4)
User home directory creation, accessible for read and write.
Rights set to root:root on the chrooted user's root folder.
Rights set to $COMPTE$:sftp_users on the user's upload folder inside the chroot.
Rights on the directory are assigned to the user and to the group they belong to, so that the user associated with the company can read and write there.
SFTP Admin account setup
[root@server sftp]# useradd -g sftp_users -d / -s /sbin/nologin SFTP_ADM // (1)
[root@server sftp]# cat /etc/passwd
...
SFTP_ADM:x:1006:1002::/:/sbin/nologin
-g : group the SFTP_ADM account belongs to / -d profile path / -s login shell ⇒ none
SSHD setup
[root@server sftp]# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.sav
[root@server sftp]# vi /etc/ssh/sshd_config
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server // (1)
## umask 0007: read/write for user and group, nothing for others
Subsystem sftp internal-sftp -u 0007 // (2)
IgnoreRhosts yes
IgnoreUserKnownHosts no
PrintMotd yes
StrictModes yes
PubkeyAuthentication yes
#RSAAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
# Place this before the group test, since the user also belongs to the sftp_users group
# sshd reads the config in order of appearance....
Match User SFTP_ADM // (3)
ChrootDirectory /data/sftp_group_1 // (4)
## umask 0007: read/write for user and group, nothing for others
ForceCommand internal-sftp -u 0007 // (5)
Match Group sftp_users // (6)
ChrootDirectory /data/sftp/%u // (7)
## umask 0007: read/write for user and group, nothing for others
ForceCommand internal-sftp -u 0007 -d /upload // (8)
Disable the default SFTP server
Enable the SFTP server built into sshd
Block for the SFTP_ADM account
Chroot the SFTP_ADM account to /data/sftp_group_1
Force SFTP only and change the UMASK to 0007 (corresponds to 770)
Block for members of the sftp_users group
Chroot members of the sftp_users group to /data/sftp/%u (%u is a variable holding the user name)
Force SFTP only, change the UMASK to 0007 (corresponds to 770), and automatically move into the upload directory
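To see why the SFTP_ADM block has to come before the Match Group block, here is an added example (not from the page) that emulates sshd's first-match rule for ChrootDirectory over constructed copies of the stanzas above. The function effective_chroot and the sample files are mine; the emulation only understands User and Group criteria with exact, comma-separated names, and the group membership is passed in as an argument rather than looked up with id.

```shell
#!/bin/sh
# Added example (not from the page): emulate how sshd chooses ChrootDirectory
# for a given user, so the Match-block ordering rule can be checked without
# restarting sshd. Assumptions: only "User" and "Group" criteria with exact
# names are understood (no wildcards, no other criteria); the sample configs
# below are constructed from the page's stanzas.
#
# Rule being emulated: Match blocks are evaluated in file order; for a keyword
# present in several satisfied blocks only the first occurrence applies, and a
# satisfied block overrides the global section.

effective_chroot() {   # effective_chroot CONFIG USER GROUP
    awk -v user="$2" -v group="$3" '
    function in_list(val, pat,    n, parts, j) {
        n = split(pat, parts, ",")
        for (j = 1; j <= n; j++) if (parts[j] == val) return 1
        return 0
    }
    # Does the Match line in the current record apply to user/group?
    function satisfied(    i, crit, ok) {
        ok = 1
        for (i = 2; i < NF; i += 2) {
            crit = tolower($i)
            if (crit == "user")       { if (!in_list(user,  $(i+1))) ok = 0 }
            else if (crit == "group") { if (!in_list(group, $(i+1))) ok = 0 }
            else ok = 0      # unknown criterion: treat as not matching
        }
        return ok
    }
    { sub(/#.*/, "") }                     # strip comments
    NF == 0 { next }
    tolower($1) == "match" { in_match = 1; active = satisfied(); next }
    tolower($1) == "chrootdirectory" {
        if (!in_match)                    global = $2
        else if (active && chosen == "")  chosen = $2   # first hit wins
    }
    END {
        result = (chosen != "") ? chosen : (global != "" ? global : "none")
        gsub(/%u/, user, result)          # sshd expands %u to the user name
        print result
    }' "$1"
}

# Constructed sample: the page's ordering (Match User before Match Group).
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
Subsystem sftp internal-sftp -u 0007
PermitRootLogin no
# Admin first: sshd reads Match blocks in order of appearance
Match User SFTP_ADM
    ChrootDirectory /data/sftp_group_1
    ForceCommand internal-sftp -u 0007
Match Group sftp_users
    ChrootDirectory /data/sftp/%u
    ForceCommand internal-sftp -u 0007 -d /upload
EOF

# Constructed counter-example: the same blocks with the order swapped.
BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
Match Group sftp_users
    ChrootDirectory /data/sftp/%u
Match User SFTP_ADM
    ChrootDirectory /data/sftp_group_1
EOF

# SFTP_ADM is also a member of sftp_users, so the order decides its chroot.
echo "page order:    SFTP_ADM -> $(effective_chroot "$GOOD_CFG" SFTP_ADM sftp_users)"
echo "swapped order: SFTP_ADM -> $(effective_chroot "$BAD_CFG"  SFTP_ADM sftp_users)"
echo "page order:    USER1    -> $(effective_chroot "$GOOD_CFG" USER1 sftp_users)"
```

With the page's ordering SFTP_ADM, who is also a member of sftp_users, gets /data/sftp_group_1; with the blocks swapped the group block wins and the admin would be chrooted to /data/sftp/SFTP_ADM, a directory that was never created. On a live host the authoritative check is `sshd -T -C user=SFTP_ADM` run as root, which prints the effective configuration for that user.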
SSHD restart and controls
systemctl restart sshd
systemctl status sshd
Author:
