ansible-sftp's People

Contributors

ameng, andyshinn, bee-keeper, cnotin, ernestoforeseemed, flatrocks, giner, johanmeiring, joostrijneveld, markstos, mrexojo, mrtango, s-fu, smag-bmesseca, thomasbilk, tomasbedrich, tomasfse

ansible-sftp's Issues

Permissions on /home being modified

Since this PR, we have been having an issue where this role is now modifying the entire /home directory instead of just the SFTP user's home directory.

e735362#diff-2cb1ad4f3eb0ea704c74a73689ad1654

- name: install-sftp
  include_role:
    name: johanmeiring.sftp-server
  vars:
    - sftp_allow_passwords: true
    - sftp_enable_logging: true
    - sftp_users:
      - name: Default
        password: # passpass
        shell: False
        home: /home/Default
        sftp_directories:
          - { name: uploads, mode: "0700" }  # quoted: an unquoted 700 is decimal 700, not octal 0700

results in:
drwxr-x---. 7 root sftpusers 95 Sep 17 16:38 home

Chrooted user "nologin" shell

When setting chrooted sftp_users with shell: false, the users are created with the /sbin/nologin shell to prevent any access but SFTP. (see main.yml, line 54)

    shell: "{{ None if (item.shell | default(True)) else '/sbin/nologin' }}"

However, on my Ubuntu 16.04 system, the correct "no login" shell is actually /usr/sbin/nologin. Since /sbin/nologin did not exist, the user session could not start, and I got a misleading message saying authentication failed.

Manually changing this value to /usr/sbin/nologin solved this access problem.

Does not function with CentOS 8 when enabling SELinux

This role tries to install libsemanage-python on CentOS 8, but there is no such package for that release. Instead you should use python3-libsemanage.

However, I don't really think it's this role's responsibility to ensure the necessary package is installed. I'm fine with managing that myself, which would add greater flexibility on which distributions this is deployed to. From what I can tell, it seems that the package task is the only one limiting which OSes this can be deployed against anyway.

Mode default value causing Error while working with directories

Hi,

I've been getting this error:
fatal: [local]: FAILED! => {"msg": "template error while templating string: expected token ',', got 'integer'. String: {{ item.mode | default(0750) }}"}

out of nowhere when creating new SFTP instances.
I think it's related to the default file mode,
as I was able to make the error go away after re-running with quotes around the number (default('0750')).

Versions:

ansible 2.10.9
  config file = None
  configured module search path = ['/home/matt_kizaric/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.7/dist-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.7.3 (default, Jan 22 2021, 20:04:44) [GCC 8.3.0]

I'm running debian-10 on GCP if that makes any difference. Would you like me to open a PR to fix the template?
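
Quoting the default is not only a template-syntax matter: Ansible's file module takes an integer mode as the raw permission bits, while a quoted string is parsed as octal digits, and YAML reads 0750 as octal but 750 as decimal 750. Added example (not the role's code) that normalizes both forms the way the module does and renders the bits that would actually be applied.

```python
import stat

def normalize_mode(value):
    """Interpret a numeric ``mode`` the way Ansible's file module does.

    int -> taken as the raw mode bits.  YAML parses ``0750`` (leading zero) as
           octal 0o750, but ``750`` as decimal 750, which is 0o1356.
    str -> parsed as octal digits, i.e. ``int(value, 8)``: "0750" and "750"
           both give 0o750.
    Symbolic modes such as ``u=rwx,g=rx,o=`` are out of scope here.
    """
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise TypeError(f"unsupported mode type: {type(value).__name__}")
    mode = value if isinstance(value, int) else int(value.strip(), 8)
    if not 0 <= mode <= 0o7777:
        raise ValueError(f"mode {mode:#o} is outside 0..0o7777")
    return mode

def mode_to_string(mode):
    """Render permission bits like ``ls -l`` (setuid/setgid/sticky shown as s/t)."""
    return stat.filemode(mode)[1:]   # drop the file-type column

def findings(mode):
    """What a reviewer should notice about the effective bits of an SFTP directory."""
    out = []
    if mode & stat.S_IWOTH:
        out.append("world-writable")
    if mode & (stat.S_IROTH | stat.S_IXOTH):
        out.append("accessible to others")
    if mode & (stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX):
        out.append("setuid/setgid/sticky set")
    return out

def audit_mode(value):
    """Normalize as Ansible would and explain what will actually be applied."""
    mode = normalize_mode(value)
    return {"input": repr(value), "octal": f"{mode:04o}",
            "ls": mode_to_string(mode), "findings": findings(mode)}

if __name__ == "__main__":
    # 0o750 is what YAML yields for the literal 0750; 750 is what it yields for 750.
    for value in (0o750, 750, "0750", "750", 700):
        print(audit_mode(value))
```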

Change regular expression in SFTP-Server | Alter sftp subsystem entry

The regular expression used to find the existing Subsystem sftp entry is dangerous. You should probably change it to

    regexp="^Subsystem(\s+)sftp"

That way, it will find the line regardless of how much whitespace is in the line. Otherwise, if the current line had, say, a tab between Subsystem and sftp, it would insert a new line, and the ssh service would fail to restart because of multiple sftp Subsystems defined in the config file, potentially locking you completely out of the server.
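
An added example (not the role's code or the reporter's) that models lineinfile's replace-or-append behaviour on a constructed sshd_config whose existing entry has a tab after Subsystem, and counts how many sftp subsystem definitions sshd would then see with each regexp.

```python
import re

def lineinfile(config_text, regexp, line):
    """Minimal model of Ansible's lineinfile with state=present: the last line
    matching ``regexp`` is replaced by ``line``; with no match, ``line`` is
    appended at EOF (the default insertafter)."""
    lines = config_text.splitlines()
    pattern = re.compile(regexp)
    hits = [i for i, text in enumerate(lines) if pattern.search(text)]
    if hits:
        lines[hits[-1]] = line
    else:
        lines.append(line)
    return "\n".join(lines) + "\n"

# sshd keywords are case-insensitive and any run of blanks or tabs separates
# the keyword from its arguments, so this is what sshd itself treats as a
# 'Subsystem sftp' definition.
SUBSYSTEM_SFTP = re.compile(r"^\s*Subsystem\s+sftp(\s|$)", re.IGNORECASE)

def sftp_subsystem_lines(config_text):
    return [text for text in config_text.splitlines() if SUBSYSTEM_SFTP.search(text)]

def validate_sshd_config(config_text):
    """Problems that make 'sshd -t' fail: sshd refuses a second definition of
    the same subsystem, so a restart after such an edit leaves sshd down."""
    count = len(sftp_subsystem_lines(config_text))
    if count > 1:
        return [f"{count} 'Subsystem sftp' lines; sshd allows exactly one"]
    return []

# Constructed sample: the existing entry has a TAB between 'Subsystem' and 'sftp'.
EXISTING_CONFIG = "Port 22\nSubsystem\tsftp /usr/lib/openssh/sftp-server\n"
NEW_LINE = "Subsystem sftp internal-sftp"   # constructed replacement line

def compare(config_text=EXISTING_CONFIG):
    """Run both regexps through lineinfile and validate the outcomes."""
    fragile = lineinfile(config_text, r"^Subsystem sftp", NEW_LINE)
    tolerant = lineinfile(config_text, r"^Subsystem(\s+)sftp", NEW_LINE)
    return {"fragile": validate_sshd_config(fragile),
            "tolerant": validate_sshd_config(tolerant)}

if __name__ == "__main__":
    print(compare())
```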

Feature request: add multiple groups to users

Hi,

What do you think about adding multiple additional groups to the users instead of a single one with sftp_group_name? In my case, the users being added with this role must have write access to different existing directories owned by different groups. Making this role add multiple groups would be better than modifying the added users after the role is run to add the extra groups, like this:

  tasks:
    - name: Modify users and add them to additional groups
      user:
        name: "{{ item.name }}"
        groups: www-data,systemd-journal,systemd-network
        append: yes
      # sftp_users is a list of dicts with a name key, so loop over the variable itself
      with_items: "{{ sftp_users }}"

A task similar to that one could be used, and maybe renaming sftp_group_name to sftp_group_names. WDYT?

Can you suggest a SSH hardening role that is compatible with ansible-sftp?

Since you are maintaining this role, I wonder if you are using a specific SSH hardening role that would be compatible with it?

For most of my machines, I use https://github.com/dev-sec/ansible-ssh-hardening, which completely rewrites the sshd config, and most roles I've found do the same.

As such, using ansible-sftp with it will mean that the first role will erase the SFTP setup that your role provides, then your role will set it up again, generating changes during the run.

Do you have any suggestion of a hardening role for which this wouldn't happen?

Thanks! (happy to create a little documentation PR later if there is something worth sharing).

User Directories skipping

Hi

I'm running a playbook based on the example playbook, but it is not creating the sub-directories for the user home directory (incoming, etc.).

TASK: [SFTP-Server | Create directories] ************************************** skipping: [XXXXXXX.eu-west-1.compute.amazonaws.com]

Example playbook shown below; am I missing something?

thanks
paul

vars:
    - sftp_users:
      - name: test_user
        password: "$1$salt$XXXXXX"
        authorized: []
        sftp_allow_passwords: true
    - sftp_directories:
      - imports
      - exports

`sftp_directories` is creating directories at "/home/user/"

As I see, when I specify:
sftp_start_directory: "/datadrive"
sftp_directories: "/datadrive/error"

it is creating directories at "/home/user/datadrive/error".
What I want is to create directories at "/datadrive/error".

What should I do to deal with it?

Allow custom arguments to server command

I would like newly-created directories to be group-writable (0770 permissions). Passing the -u argument to the internal-sftp command can accomplish this, but this module has no mechanism to configure this and other arguments to the daemon. I would be happy to submit a PR for this.

Allow usage for external servers

Hi!
We used to use this role exclusively on localhost and, while I was trying to migrate to executing it on multiple servers (one 'server' and multiple 'clients'), I found out I couldn't, due to the use of a lookup, which only executes on the host running the Ansible script and therefore cannot find the files that have been created on the clients.

I've created a workaround using slurp, but I was wondering if it was me who misunderstood how to use this module? I'll create a PR if this is not the case.

Thanks,

chroot not working

Hi,

I'm testing your role, but it seems that the user chroot is not working. I copy-pasted the example in the README file, and after logging in with the user sally I can see the contents of the root directory:

$ sftp -i ~/.ssh/id_rsa sally@xxx.xxx.xxx.xxx
Connected to xxx.xxx.xxx.xxx
sftp> pwd
Remote working directory: /var/tmp/sally
sftp> cd /
sftp> ls
bin              boot             dev              etc              home             initrd.img       initrd.img.old   lib              lib64            lost+found       media
mnt              opt              proc             root             run              sbin             snap             srv              sys              tmp              usr
var              vmlinuz          vmlinuz.old

Does it work for you?
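
Listing the real / after cd / means no Match block with a ChrootDirectory applied to that session, for instance because the account is not in the group the block names or sshd was not reloaded after the change. Added example, not the role's code, that resolves Match blocks in a constructed sshd_config the way sshd does and reports which ChrootDirectory a given user and group set would get.

```python
import fnmatch

def parse_sshd_config(text):
    """Global directives plus Match blocks; keywords lower-cased since sshd ignores case."""
    global_directives, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            tokens = value.split()   # e.g. "Group sftpusers" or "User a*,bob Group x"
            criteria = {tokens[i].lower(): tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
        else:
            (global_directives if current is None else current).setdefault(key, value)
    return global_directives, blocks

def _pattern_matches(pattern_list, candidates):
    """sshd pattern lists: comma-separated, '*' and '?' wildcards ('!' negation not modelled)."""
    return any(fnmatch.fnmatchcase(c, p) for p in pattern_list.split(",") for c in candidates)

def effective_config(text, user, groups, home):
    """Directives sshd applies to a session of `user` whose primary and supplementary
    groups are `groups`. The first value obtained for a keyword wins, as in sshd."""
    global_directives, blocks = parse_sshd_config(text)
    effective = {}
    for criteria, directives in blocks:
        # Only User/Group can be evaluated offline; Host/Address/LocalPort never match here.
        applies = all(
            (name == "user" and _pattern_matches(pattern, [user]))
            or (name == "group" and _pattern_matches(pattern, groups))
            for name, pattern in criteria.items())
        if applies:
            for key, value in directives.items():
                effective.setdefault(key, value)
    for key, value in global_directives.items():
        effective.setdefault(key, value)
    return {k: v.replace("%u", user).replace("%h", home) for k, v in effective.items()}

def chroot_dir(text, user, groups, home):
    """ChrootDirectory the session gets, or None if it will see the real root."""
    value = effective_config(text, user, groups, home).get("chrootdirectory", "none")
    return None if value.lower() == "none" else value

# Constructed sshd_config fragment in the shape the role's README describes.
SAMPLE = "Subsystem sftp internal-sftp\nMatch Group sftpusers\n    ChrootDirectory %h\n    ForceCommand internal-sftp\n"
```

Run chroot_dir(SAMPLE, "sally", ["sally", "sftpusers"], "/var/tmp/sally") against the groups the account really has; if the list lacks the matched group, the result is None and the session lands in the real root.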

Password hash

Hello,

Regarding the password hash the Readme states "A password hash for the user to login with" and the example given is:

password: "$1$salty$li5TXAa2G6oxHTDkqx3Dz/" # passpass

What are the commands to create compatible hashes from user chosen passwords so that they can be documented and added to the Readme?

Thanks,
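
As an added example (not from the README or the issue), a checker for the shadow-style format that value must have: it rejects plaintext or truncated values and flags the $1$ md5crypt scheme of the README example as weak; its comments list commands that produce a sha512crypt hash.

```python
import re

# Modular crypt format ids understood by glibc/libxcrypt crypt(3), with the
# encoded hash length each scheme produces and whether it is still acceptable.
SCHEMES = {
    "1": ("md5crypt", 22, True),     # fixed 1000 MD5 rounds: weak, avoid for new users
    "5": ("sha256crypt", 43, False),
    "6": ("sha512crypt", 86, False),
}
# $<id>$[rounds=N$]<salt>$<hash>; yescrypt ($y$) carries an extra parameter
# field and is not modelled here.
CRYPT_RE = re.compile(
    r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<hash>[./0-9A-Za-z]+)$")

def classify_crypt_hash(value):
    """Return scheme/salt/rounds/weak for a shadow-style hash, or None when the
    string is not a usable hash (a plaintext password pasted into the playbook,
    an unknown scheme, or a hash of the wrong length that can never verify)."""
    m = CRYPT_RE.match(value)
    if not m or m["id"] not in SCHEMES:
        return None
    scheme, expected_len, weak = SCHEMES[m["id"]]
    if len(m["hash"]) != expected_len:
        return None
    if m["rounds"] and m["id"] == "1":   # md5crypt has no rounds parameter
        return None
    return {"scheme": scheme, "salt": m["salt"],
            "rounds": int(m["rounds"]) if m["rounds"] else None, "weak": weak}

if __name__ == "__main__":
    # Known ways to produce a compatible sha512crypt value (commands, not run here):
    #   mkpasswd -m sha-512                              (whois package)
    #   openssl passwd -6
    #   "{{ 'passpass' | password_hash('sha512') }}"     (Ansible filter)
    print(classify_crypt_hash("$1$salty$li5TXAa2G6oxHTDkqx3Dz/"))
    print(classify_crypt_hash("passpass"))
```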

Check mode fails on "Correct ownership and permission of home directories"

Thanks for this role again! I'm writing down this issue on a new deployment, maybe I'll come back to fix it later here.

If you run with --diff --check before the deploy has been done, you will get an error similar to:

TASK [johanmeiring.sftp-server : SFTP-Server | Correct ownership and permission of home directories] **************
# SNIP
"msg": file (/home/user) is absent, cannot continue

Jailing user inside directory

Hi. Will this feature be added, for example to /var/www/example.com/uploads?
Or what should I do to add it in my own task?
