johanmeiring / ansible-sftp
SFTP server role for Ansible
License: MIT License
Since this PR, we have been having an issue where this role is now modifying the entire /home directory instead of just the SFTP user's home directory.
e735362#diff-2cb1ad4f3eb0ea704c74a73689ad1654
    - name: install-sftp
      include_role:
        name: johanmeiring.sftp-server
      vars:
        - sftp_allow_passwords: true
        - sftp_enable_logging: true
        - sftp_users:
            - name: Default
              password: # passpass
              shell: False
              home: /home/Default
              sftp_directories:
                - { name: uploads, mode: 700 }
results in:
drwxr-x---. 7 root sftpusers 95 Sep 17 16:38 home
When setting chrooted sftp_users with shell: false, the users are created with the /sbin/nologin shell to prevent any access but SFTP (see main.yml, line 54):
    shell: "{{ None if (item.shell | default(True)) else '/sbin/nologin' }}"
However, on my Ubuntu 16.04 system, the correct "no login" shell is actually /usr/sbin/nologin. Since /sbin/nologin did not exist, the user session could not start up, and I got a misleading message saying authentication failed.
Manually changing this value to /usr/sbin/nologin solved this access problem.
This role tries to install the libsemanage-python package on CentOS 8. But there is no such package for that release. Instead you should use python3-libsemanage.
However, I don't really think it's this role's responsibility to ensure the necessary package is installed. I'm fine with managing that myself, which would add greater flexibility on which distributions this is deployed to. From what I can tell, it seems that the package task is the only one limiting which OSes this can be deployed against anyway.
Hi,
I've been getting this error:
    fatal: [local]: FAILED! => {"msg": "template error while templating string: expected token ',', got 'integer'. String: {{ item.mode | default(0750) }}"}
out of nowhere when creating new SFTP instances.
I think it's related to the default file mode, as I was able to make the error go away after re-running with quotes around the number (default('0750')).
Versions:
    ansible 2.10.9
      config file = None
      configured module search path = ['/home/matt_kizaric/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/local/lib/python3.7/dist-packages/ansible
      executable location = /usr/local/bin/ansible
      python version = 3.7.3 (default, Jan 22 2021, 20:04:44) [GCC 8.3.0]
I'm running debian-10 on GCP if that makes any difference. Would you like me to open a PR to fix the template?
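The quoted form default('0750') reported above is the robust one: the error is consistent with Jinja2 lexers from 2.11 onward no longer accepting a leading-zero integer literal such as 0750 (octal literals are spelled 0o750 there). There is a second, quieter pitfall on the same mode values, and the script below is an added example (my code, not the role's) that demonstrates it: a bare decimal literal such as the mode: 700 in the include_role snippet earlier on this page is applied as decimal 700, i.e. octal 1274, because Ansible's file module is documented to take an integer mode as-is and to parse a string mode as octal. The yaml_scalar helper is a constructed approximation of how PyYAML (YAML 1.1) loads such scalars; stat.filemode renders the resulting bits.

```python
import stat

# Added example (not code from the ansible-sftp role): how a directory 'mode'
# written in a playbook ends up being applied, and why quoting it matters.
# Assumes the documented behaviour of Ansible's file module: an integer mode is
# applied as-is, a string mode is parsed as an octal number.


def yaml_scalar(text):
    """Approximate how a YAML 1.1 loader (PyYAML, as used by Ansible) reads a
    bare scalar: quoted -> str, leading-zero digits -> octal int, other digits
    -> decimal int.  Constructed approximation, sufficient for mode values."""
    if text[:1] in ("'", '"'):
        return text.strip("'\"")
    if text.isdigit() and len(text) > 1 and text.startswith("0"):
        return int(text, 8)
    return int(text)


def mode_as_applied(value):
    """Permission bits the file module would set for the loaded value."""
    if isinstance(value, int):
        return value            # used verbatim: 700 is decimal 700 == 0o1274
    return int(value, 8)        # strings are parsed as octal, as chmod does


def describe_dir(mode):
    """Render the bits as ls -ld would show them for a directory."""
    return stat.filemode(stat.S_IFDIR | (mode & 0o7777))


def check_mode_literal(text):
    """Return (applied_mode, warning) for one mode literal as written in YAML.

    A bare decimal literal such as 700 is the pitfall: an sftp_directories
    entry like { name: uploads, mode: 700 } silently gets decimal 700,
    i.e. 0o1274 (d-w-rwxr-T): group rwx and world-readable instead of the
    intended owner-only 0o700.
    """
    loaded = yaml_scalar(text)
    warning = None
    if isinstance(loaded, int) and not text.startswith("0"):
        warning = "bare decimal literal; quote it ('0700') or add a leading 0"
    return mode_as_applied(loaded), warning


if __name__ == "__main__":
    for literal in ("700", "0750", "'0750'", '"0770"'):
        applied, warning = check_mode_literal(literal)
        print(f"{literal:>8} -> {describe_dir(applied)} {warning or ''}")
```

Running it prints the mode each literal actually produces; the one for 700 is the case worth remembering, since a directory meant to be private to the SFTP user ends up group-writable and world-readable.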
I would like to be able to change the home directory of my user (https://github.com/johanmeiring/ansible-sftp/blob/master/tasks/main.yml#L59) in order to chroot into an existing directory instead of having everything under sftp_home_partition.
Would it be possible to have sftp_home by default, or item.home if defined?
The regular expression used to find the existing Subsystem sftp entry is dangerous. You should probably change it to
    regexp="^Subsystem(\s+)sftp"
That way, it will find the line regardless of how much whitespace is in the line. Otherwise, if the current line had, say, a tab between Subsystem and sftp, it would insert a new line, and the ssh service would fail to restart because of multiple sftp Subsystems defined in the config file, potentially locking you completely out of the server.
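The failure mode described in this report can be reproduced without touching a real sshd. The following added example (my code, not the role's) emulates what Ansible's lineinfile does with a regexp, namely replace the last matching line or append the line when nothing matches, and runs it against a constructed sshd_config whose existing entry is tab-separated. The single-space pattern NAIVE_RE is a hypothetical stand-in for a whitespace-sensitive regexp; ROBUST_RE is the pattern suggested above. The count of Subsystem sftp directives afterwards is what matters, because sshd rejects a configuration that defines the same subsystem twice.

```python
import re

# Added example (not the role's code): emulate Ansible's lineinfile handling of
# the sshd_config 'Subsystem sftp' entry to show why the regexp must tolerate
# arbitrary whitespace.  The sshd_config samples are constructed.

# Existing entry separated by tabs, as the issue describes.
SSHD_CONFIG_TAB = (
    "Port 22\n"
    "Subsystem\tsftp\t/usr/lib/openssh/sftp-server\n"
    "X11Forwarding no\n"
)
# Same entry separated by single spaces.
SSHD_CONFIG_SPACE = SSHD_CONFIG_TAB.replace("\t", " ")

# Line we want in place of the existing entry (constructed value).
WANTED_LINE = "Subsystem sftp internal-sftp"

# Whitespace-sensitive pattern: a hypothetical stand-in for a fragile regexp.
NAIVE_RE = r"^Subsystem sftp"
# Pattern suggested in the issue.
ROBUST_RE = r"^Subsystem(\s+)sftp"


def lineinfile(config, regexp, line):
    """Mimic lineinfile with state=present and a regexp: replace the last
    matching line, or append `line` when nothing matches (the module's
    documented behaviour, assumed here)."""
    lines = config.splitlines()
    matches = [i for i, text in enumerate(lines) if re.search(regexp, text)]
    if matches:
        lines[matches[-1]] = line
    else:
        lines.append(line)
    return "\n".join(lines) + "\n"


def subsystem_sftp_count(config):
    """Count 'Subsystem sftp' directives the way sshd would see them; more
    than one makes sshd refuse the configuration."""
    pattern = re.compile(r"^\s*Subsystem\s+sftp\b", re.IGNORECASE)
    return sum(1 for text in config.splitlines() if pattern.match(text))


if __name__ == "__main__":
    for name, regexp in (("naive", NAIVE_RE), ("robust", ROBUST_RE)):
        result = lineinfile(SSHD_CONFIG_TAB, regexp, WANTED_LINE)
        print(f"{name}: {subsystem_sftp_count(result)} sftp subsystem line(s)")
```

With the tab-separated input the naive pattern leaves two sftp subsystem lines behind, which is the lockout scenario; the robust pattern replaces the existing one. Validating the result with sshd -t before the handler restarts the service is the complementary safety net.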
libsemanage-python is a CentOS package; in Ubuntu, it should be python-semanage.
Hi,
What do you think about adding multiple additional groups to the users instead of a single one with sftp_group_name? In my case, the users being added with this role must have write access to different existing directories owned by different groups. Making this role add multiple groups would be better than modifying the added users after the role is run to add the extra groups, like this:
    tasks:
      - name: Modify users and add them to additional groups
        user:
          name: "{{ item.name }}"
          groups: www-data,systemd-journal,systemd-network
          append: yes
        with_items: "{{ sftp_users }}"
A task similar to that one could be used, and maybe renaming sftp_group_name to sftp_group_names. WDYT?
Since you are maintaining this role, I wonder if you are using a specific SSH hardening role that would be compatible with it?
For most of my machines, I use https://github.com/dev-sec/ansible-ssh-hardening, which completely rewrites the sshd config, and most roles I've found do the same.
As such, using ansible-sftp with it will mean that the first role will erase the SFTP setup that your role provides, then your role will set it up again, generating changes during the run.
Do you have any suggestion of a hardening role for which this wouldn't happen?
Thanks! (Happy to create a little documentation PR later if there is something worth sharing.)
This role requires SELinux, but does not configure SELinux for users.
Can you add a script to enable SELinux?
See merge request #5. Notably, consider the behaviour of "" as a password string.
I only recently became aware of https://docs.ansible.com/ansible/blockinfile_module.html. This issue serves as a reminder to myself to investigate using it as an alternative to the current method of creating content in the .sshd_config file.
What I want is for SFTP users to connect on a different port (currently it is the default port, 22).
What should I do in this case?
Hi
I'm running a playbook based on the example playbook, but it is not creating the subdirectories for the user home directory (incoming, etc.):
    TASK: [SFTP-Server | Create directories] ************************************** skipping: [XXXXXXX.eu-west-1.compute.amazonaws.com]
Example playbook shown below; am I missing something?
thanks
paul
    vars:
      - sftp_users:
          - name: test_user
            password: "$1$salt$XXXXXX"
            authorized: []
      - sftp_allow_passwords: true
      - sftp_directories:
          - imports
          - exports
As I see, when I specify:
    sftp_start_directory: "/datadrive"
    sftp_directories: "/datadrive/error"
it is creating directories at "/home/user/datadrive/error". What I want is to create directories at "/datadrive/error".
What should I do to deal with it?
I would like newly-created directories to be group-writable (0770 permissions). Passing the -u argument to the internal-sftp command can accomplish this, but this module has no mechanism to configure this and other arguments to the daemon. I would be happy to submit a PR for this.
Hi!
We used to use this role exclusively on localhost and, while I was trying to migrate to executing it on multiple servers (one 'server' and multiple 'clients'), I found out I couldn't, due to the use of a lookup, which only executes on the host running the Ansible script and therefore cannot find the files which have been created on the clients.
I've created a workaround using slurp, but I was wondering if it was me who misunderstood how to use this module? I'll create a PR if this is not the case.
Thanks,
Hi,
I'm testing your role but it seems that the user chroot is not working. I copy-pasted the example in the README file, and after logging in with the user sally I can see the contents of the root directory:
    $ sftp -i ~/.ssh/id_rsa sally@xxx.xxx.xxx.xxx
    Connected to xxx.xxx.xxx.xxx
    sftp> pwd
    Remote working directory: /var/tmp/sally
    sftp> cd /
    sftp> ls
    bin boot dev etc home initrd.img initrd.img.old lib lib64 lost+found media
    mnt opt proc root run sbin snap srv sys tmp usr
    var vmlinuz vmlinuz.old
Does it work for you?
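Two things decide whether a chroot like the one above takes effect. First, sshd must actually apply a Match block with ChrootDirectory to that user; sshd -T -C user=sally prints the effective configuration for the user and shows whether the directive is there at all, which is the first thing to check when a login lands in the real root as shown. Second, sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others, otherwise the login is refused with "bad ownership or modes for chroot directory component". The added checker below (my code, not the role's) walks a path and reports violations of that second rule; the stat function is injectable so the logic can be exercised without root, and the sample component data in the usage is constructed.

```python
import os
import stat
from collections import namedtuple

# Added example, not the role's code: check whether a path can serve as an
# sshd ChrootDirectory.  sshd_config(5): every component of the path must be
# a root-owned directory that is not writable by group or others.

PathInfo = namedtuple("PathInfo", "path uid mode")


def path_components(path):
    """'/var/tmp/sally' -> ['/', '/var', '/var/tmp', '/var/tmp/sally']."""
    parts = [p for p in os.path.normpath(path).split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def chroot_problems(infos):
    """Return the rule violations for a sequence of PathInfo components."""
    problems = []
    for info in infos:
        if not stat.S_ISDIR(info.mode):
            problems.append(f"{info.path}: not a directory")
        if info.uid != 0:
            problems.append(f"{info.path}: owned by uid {info.uid}, must be root")
        if info.mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{info.path}: writable by group or others")
    return problems


def check_chroot_dir(path, stat_fn=os.stat):
    """Stat every component of `path` and report problems.  `stat_fn` is
    injectable so the logic can be tested without root-owned fixtures."""
    infos = []
    for component in path_components(path):
        st = stat_fn(component)
        infos.append(PathInfo(component, st.st_uid, st.st_mode))
    return chroot_problems(infos)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "/var/tmp/sally"
    try:
        problems = check_chroot_dir(target)
    except FileNotFoundError as exc:
        problems = [f"{exc.filename}: does not exist"]
    for line in problems or [f"{target}: usable as ChrootDirectory"]:
        print(line)
```

One consequence of the rule that surprises people: a system /var/tmp is normally mode 1777, so a chroot placed under it fails the component check (the sticky bit does not exempt it), and the chroot directory itself cannot be owned by the SFTP user either. That is why roles of this kind keep the home directory root-owned and create user-writable subdirectories (the sftp_directories entries) inside it.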
Hello,
Regarding the password hash, the Readme states "A password hash for the user to login with" and the example given is:
    password: "$1$salty$li5TXAa2G6oxHTDkqx3Dz/" # passpass
What are the commands to create compatible hashes from user-chosen passwords, so that they can be documented and added to the Readme?
Thanks,
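Compatible hashes are crypt(3)-style strings of the form $id$salt$hash, which is what the user module passes to the system. They can be generated with Ansible's password_hash filter ("{{ 'passpass' | password_hash('sha512') }}"), with openssl passwd -6, or with mkpasswd -m sha-512 from the whois package on Debian and Ubuntu. The README example is md5-crypt ($1$), which is obsolete; the added check below (my code, not the README's or the role's) parses a hash the way the password key expects it, flags weak schemes and malformed hashes, and catches a plaintext password pasted where a hash belongs. The sample hash is the one quoted from the README; the other sample values are constructed.

```python
import re

# Added example (not part of the README or the role): inspect a crypt(3)-style
# password hash of the kind the 'password' key expects and flag weak schemes.
# README_HASH is the value quoted in the README; other samples are constructed.

README_HASH = "$1$salty$li5TXAa2G6oxHTDkqx3Dz/"

# Modular crypt format: $id$[rounds=N$]salt$hash
_CRYPT_RE = re.compile(
    r"^\$(?P<id>1|5|6)\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<hash>[./0-9A-Za-z]+)$"
)

# id -> (scheme name, expected encoded hash length, acceptable today)
SCHEMES = {
    "1": ("md5-crypt", 22, False),
    "5": ("sha256-crypt", 43, True),
    "6": ("sha512-crypt", 86, True),
}


def inspect_hash(value):
    """Return a dict describing the hash, or None if `value` is not a
    recognised crypt hash (for instance a plaintext password pasted by mistake)."""
    m = _CRYPT_RE.match(value)
    if not m:
        return None
    scheme, length, strong = SCHEMES[m.group("id")]
    return {
        "scheme": scheme,
        "salt": m.group("salt"),
        "rounds": int(m.group("rounds")) if m.group("rounds") else None,
        "well_formed": len(m.group("hash")) == length,
        "weak": not strong,
    }


def audit_users(users):
    """Check the 'password' field of each sftp_users entry; return findings."""
    findings = []
    for user in users:
        pw = user.get("password")
        if pw is None:
            continue  # key-only user, nothing to check
        if pw == "":
            findings.append(f"{user['name']}: empty password string; use '!' or '*' to lock")
            continue
        info = inspect_hash(pw)
        if info is None:
            findings.append(f"{user['name']}: password is not a crypt hash")
        elif not info["well_formed"]:
            findings.append(f"{user['name']}: malformed {info['scheme']} hash")
        elif info["weak"]:
            findings.append(f"{user['name']}: weak scheme {info['scheme']}, prefer sha512-crypt")
    return findings


if __name__ == "__main__":
    sample = [
        {"name": "sally", "password": README_HASH},
        {"name": "bob", "password": "passpass"},      # constructed mistake
        {"name": "keyonly", "authorized": ["id_rsa.pub"]},
    ]
    for finding in audit_users(sample) or ["no findings"]:
        print(finding)
```

A check like this fits naturally in a pre-task or a lint step over the inventory, so that a weak or plaintext password value is caught before the user module ever runs.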
Thanks for this role again! I'm writing down this issue on a new deployment; maybe I'll come back to fix it later here.
If you run with --diff --check before the deploy has been done, you will get an error similar to:
    TASK [johanmeiring.sftp-server : SFTP-Server | Correct ownership and permission of home directories] **************
    # SNIP
    "msg": file (/home/user) is absent, cannot continue
Hi. Will this feature be added, for example to /var/www/example.com/uploads?
Or what should I do to add it in my own task?
On line https://github.com/johanmeiring/ansible-sftp/blob/master/tasks/main.yml#L64 the setting probably should be 0770; if not, the user cannot create new files and folders. Correct, or am I doing something wrong? Thanks.