From dd3bef6457ee4e660e785f2e3037da8159cf83e6 Mon Sep 17 00:00:00 2001 From: Sebastian Trebitz Date: Fri, 27 Mar 2020 22:41:24 +0100 Subject: [PATCH 1/8] Remove additional auth.log when enabling logging The additional auth.log which is configured when setting sftp_enable_logging = true simply duplicates these syslog facilities: auth,authpriv.* and write the messages to the file /var/log/sftp/auth.log This duplicates the logs in multiple files and the later one is not managed by logrotate. Closes nephosolutions/ansible-role-sftp-server#1 --- tasks/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index a59c928..0c9aa6e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -157,9 +157,6 @@ # Log internal-sftp in a separate file :programname, isequal, "internal-sftp" -/var/log/sftp/verbose.log :programname, isequal, "internal-sftp" ~ - - # additionally write an auth log - auth,authpriv.* /var/log/sftp/auth.log when: sftp_enable_logging notify: SFTP-Server | Restart rsyslog From ef7473178be449cf7fdf671ae4cb81f2e717866f Mon Sep 17 00:00:00 2001 From: Sebastian Trebitz Date: Fri, 27 Mar 2020 22:56:23 +0100 Subject: [PATCH 2/8] Conditionally disable configuring SSHd This is particularly required, if another role is used to configure SSH on the system. Closes nephosolutions/ansible-role-sftp-server#4 --- README.md | 2 ++ defaults/main.yml | 1 + tasks/main.yml | 2 ++ 3 files changed, 5 insertions(+) diff --git a/README.md b/README.md index 15f5fcb..4b15438 100644 --- a/README.md +++ b/README.md 
@@ -41,6 +41,8 @@ The following role variables are relevant: * `skeleton`: An optional home skeleton directory (e.g: /dev/null). Default to system defaults. * `home`: An optional home directory (e.g: /home/bob). Default to `sftp_home_partition/name`. * `sftp_nologin_shell`: The "nologin" user shell. (defaults to /sbin/nologin.) +* `sftp_home_skeleton`: An optional home skeleton directory (e.g: /dev/null). Default to system defaults. +* `sftp_configure_sshd`: Boolean indicating if sshd configuration should be altered. Defaults to `true`. Notes: diff --git a/defaults/main.yml b/defaults/main.yml index ef6e45d..976490d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,3 +7,4 @@ sftp_allow_passwords: False sftp_enable_selinux_support: False sftp_enable_logging: False sftp_nologin_shell: /sbin/nologin +sftp_configure_sshd: true diff --git a/tasks/main.yml b/tasks/main.yml index 0c9aa6e..08423e7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -21,6 +21,7 @@ line: "Subsystem sftp internal-sftp -f AUTH -l VERBOSE" state: present notify: SFTP-Server | Restart sshd + when: sftp_configure_sshd - name: SFTP-Server | Ensure SELinux management package is present package: @@ -51,6 +52,7 @@ ForceCommand internal-sftp {{ sftp_enable_logging | ternary('-l VERBOSE', '') }} {{ (sftp_start_directory in sftp_directories or sftp_start_directory in sftp_directories | selectattr("name", "defined") | map(attribute='name') | list) | ternary('-d /' + sftp_start_directory, '') }} PasswordAuthentication {{ sftp_allow_passwords | ternary('yes', 'no') }} notify: SFTP-Server | Restart sshd + when: sftp_configure_sshd - name: SFTP-Server | Create sftp user's group group: From 2612d890061a421fd0acc35b188e21ef3eabeb60 Mon Sep 17 00:00:00 2001 
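Review bot: The new default `sftp_configure_sshd: true` in defaults/main.yml uses a different boolean spelling from the `False` values on the three context lines directly above it in the same hunk. Both forms load as booleans under Ansible's YAML parser, so nothing breaks, but the file now mixes styles for no reason; `true`/`false` is the spelling yamllint's `truthy` rule accepts, so I would keep the new line as is and normalise the neighbouring `False` entries to `false` in a follow-up rather than the other way round.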
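Review bot: The `when: sftp_configure_sshd` added to the second tasks/main.yml hunk skips the task that writes the group `Match` block (`ForceCommand internal-sftp …`, `PasswordAuthentication …` are the visible lines; the block scalar starts above the hunk), yet the role still creates the accounts, their root-owned homes and the rsyslog rules, and nothing verifies that the externally managed sshd_config applies equivalent restrictions to `sftp_group_name`. With the flag set to false the users therefore get whatever the other role configured, possibly a non-chrooted shell-capable login, and the README line added in this commit does not say so. I would extend that README entry to state the contract, e.g. `* sftp_configure_sshd: … When false, your own sshd configuration must provide the Match block for sftp_group_name (ForceCommand internal-sftp, chroot, PasswordAuthentication); this role then enforces nothing on the sshd side.` The same caveat applies to the Subsystem task in the first hunk, which sets `-l VERBOSE` logging that the logging task below assumes.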
From: Sebastian Trebitz Date: Fri, 27 Mar 2020 23:28:21 +0100 Subject: [PATCH 3/8] Set user login shell and directory skeleton globally Allows to set the SFTP user login shell and directory skeleton globally instead of only per user. The user settings overwrite the global ones. Closes nephosolutions/ansible-role-sftp-server#3 --- README.md | 3 ++- tasks/main.yml | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 4b15438..9487bad 100644 --- a/README.md +++ b/README.md 
@@ -33,13 +33,14 @@ The following role variables are relevant: * `name`: The Unix name of the user that requires SFTP access. * `group`: An optional user primary group. If set, it will be used for the user's home permission. Otherwise, the `sftp_group_name` is used. * `password`: A password hash for the user to login with - ie `openssl passwd -1 -salt salty passpass`. Blank passwords can be set with `password: ""`. NOTE: It appears that `UsePAM yes` and `PermitEmptyPassword yes` need to be set in `sshd_config` in order for blank passwords to work properly. Making those changes currently falls outside the scope of this role and will need to be done externally. - * `shell`: Boolean indicating if the user should have a shell access (default to `True`). + * `shell`: Boolean indicating if the user should have a shell access (default to `False`). * `authorized`: An optional list of files placed in `files/` which contain valid public keys for the SFTP user. * `sftp_directories`: A list of directories that need to be individually created for an SFTP user. Defaults to a blank list (i.e. "[]"). * `append`: Boolean to add `sftp_group_name` to the user groups (if any) instead of setting it (default to `False`). * `mode`: The users home directory mode (defaults to `0750`). * `skeleton`: An optional home skeleton directory (e.g: /dev/null). Default to system defaults. * `home`: An optional home directory (e.g: /home/bob). Default to `sftp_home_partition/name`. +* `sftp_login_shell`: Boolean indicating if the users should have a shell access (default to `False`). * `sftp_nologin_shell`: The "nologin" user shell. (defaults to /sbin/nologin.) * `sftp_home_skeleton`: An optional home skeleton directory (e.g: /dev/null). Default to system defaults. * `sftp_configure_sshd`: Boolean indicating if sshd configuration should be altered. Defaults to `true`. diff --git a/tasks/main.yml b/tasks/main.yml index 08423e7..0727f56 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -68,9 +68,9 @@ groups: "{{ sftp_group_name }}" append: "{{ item.append | default(False) }}" home: "{{ item.home }}" - # `None` means default value -> default is to have a shell - shell: "{{ None if (item.shell | default(True)) else sftp_nologin_shell }}" - skeleton: "{{ item.skeleton | default(omit) }}" + # `None` means default value -> default is to have no login shell + shell: "{{ None if (item.shell | default(sftp_login_shell) | default(False)) else sftp_nologin_shell }}" + skeleton: "{{ item.skeleton | default(sftp_home_skeleton) | default(omit) }}" state: present with_items: "{{ _sftp_users }}" From 3b2127894b688a107cd815942b5344d537d39ae8 Mon Sep 17 00:00:00 2001 From: Sebastian Trebitz Date: Fri, 27 Mar 2020 23:47:34 +0100 Subject: [PATCH 4/8] Add a variable for destination of the verbose SFTP log Pass the destination (file or syslog target / host) for the verbose SFTP logs as a variable. The current hard-coded setting -/var/log/sftp/verbose.log remains as default for the variable. Closes nephosolutions/ansible-role-sftp-server#2 --- README.md | 3 ++- defaults/main.yml | 1 + tasks/main.yml | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 9487bad..fbff827 100644 --- a/README.md +++ b/README.md 
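Review bot: The new `shell:` expression changes the default for every `sftp_users` entry without an explicit `shell:` key from a login shell to `sftp_nologin_shell`, so the next run on an existing host will rewrite those accounts' shells to nologin; that is the right hardening default, but it is a behaviour change that the commit message and README should call out as such rather than only as a new option. Neither `sftp_login_shell` nor `sftp_home_skeleton` is declared in defaults/main.yml in this series (the diffstat lists only README.md and tasks/main.yml), so `item.shell | default(sftp_login_shell) | default(False)` only works because an undefined variable passed into `default()` is itself undefined and falls through to the next `default()`; that is valid in Ansible but hides the knob from the defaults file and from anyone running with `error_on_undefined_vars` expectations. I would declare `sftp_login_shell: false` in defaults/main.yml and keep the trailing `| default(False)` purely as a safety net; `sftp_home_skeleton` can stay undeclared since `omit` is the intended fallback, but the README should say that. The `user:` task this hunk belongs to starts above the hunk.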
@@ -28,7 +28,8 @@ The following role variables are relevant: * `sftp_start_directory`: A directory that need to be part of sftp_directories values and that is the start directory of new sftp connection. Disable by default with an empty string value. * `sftp_allow_passwords`: Whether or not to allow password authentication for SFTP. Defaults to False. * `sftp_enable_selinux_support`: Whether or not to explicitly enable SELinux support. Defaults to False. -* `sftp_enable_logging`: Enable logging. Auth logs will be written to `/var/log/sftp/auth.log`, and SFTP activity logs will be written to `/var/log/sftp/verbose.log`. Defaults to False. +* `sftp_enable_logging`: Enable logging; defaults to `False`. +* `sftp_logging_destination`: Rsyslogd destination for SFTP activity logs; defaults to `-/var/log/sftp/verbose.log`. * `sftp_users`: A list of users, in map form, containing the following elements: * `name`: The Unix name of the user that requires SFTP access. * `group`: An optional user primary group. If set, it will be used for the user's home permission. Otherwise, the `sftp_group_name` is used. diff --git a/defaults/main.yml b/defaults/main.yml index 976490d..8da4815 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,4 +7,5 @@ sftp_allow_passwords: False sftp_enable_selinux_support: False sftp_enable_logging: False sftp_nologin_shell: /sbin/nologin +sftp_logging_destination: -/var/log/sftp/verbose.log sftp_configure_sshd: true diff --git a/tasks/main.yml b/tasks/main.yml index 0727f56..206cc8d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -157,7 +157,7 @@ {% endfor %} # Log internal-sftp in a separate file - :programname, isequal, "internal-sftp" -/var/log/sftp/verbose.log + :programname, isequal, "internal-sftp" {{ sftp_logging_destination }} :programname, isequal, "internal-sftp" ~ when: sftp_enable_logging notify: SFTP-Server | Restart rsyslog From 779f0e198a9574d78132b8b937a6899a1c284975 Mon Sep 17 00:00:00 2001 
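Review bot: `{{ sftp_logging_destination }}` is substituted into the rsyslog rule verbatim in the tasks/main.yml hunk, so the variable is really raw rsyslog action syntax: a value such as `@@loghost:514` silently ships every `internal-sftp` line (usernames, file names, client addresses) off-host over plain TCP, and a custom file path is presumably not covered by whatever logrotate handling exists for `/var/log/sftp/verbose.log` (that config is not visible here, but the first patch in this series already hit the same gap with auth.log). The README entry added in this commit only says "Rsyslogd destination"; I would expand it to `* sftp_logging_destination: Rsyslogd action target for SFTP activity logs (a file path, optionally prefixed with "-" for async writes, or a forwarding target). Defaults to -/var/log/sftp/verbose.log. A custom file path needs its own logrotate entry; for remote forwarding use an encrypted transport (rsyslog TLS/RELP) rather than a bare @@host:port.` Quoting the default as `"-/var/log/sftp/verbose.log"` in defaults/main.yml would also make it obvious that the leading `-` is part of the value and not a YAML list marker. The rsyslog block scalar starts above the hunk.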
From: Sebastian Trebitz Date: Thu, 5 Nov 2020 13:54:04 +0100 Subject: [PATCH 5/8] Optionally sets the UID of the sftp users. --- tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/main.yml b/tasks/main.yml index 206cc8d..893221b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -72,6 +72,7 @@ shell: "{{ None if (item.shell | default(sftp_login_shell) | default(False)) else sftp_nologin_shell }}" skeleton: "{{ item.skeleton | default(sftp_home_skeleton) | default(omit) }}" state: present + uid: "{{ item.uid | default(omit) }}" with_items: "{{ _sftp_users }}" # A working chrooted SFTP setup requires root:sftgroup ownership of a user's home directory. From e030c9edfdc38d450bdef341d5fe8aa3ae9f50d9 Mon Sep 17 00:00:00 2001 From: Sebastian Trebitz Date: Thu, 5 Nov 2020 14:24:05 +0100 Subject: [PATCH 6/8] Update documentation --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index fbff827..4b5480d 100644 --- a/README.md +++ b/README.md @@ -41,6 +41,7 @@ The following role variables are relevant: * `mode`: The users home directory mode (defaults to `0750`). * `skeleton`: An optional home skeleton directory (e.g: /dev/null). Default to system defaults. * `home`: An optional home directory (e.g: /home/bob). Default to `sftp_home_partition/name`. + * `uid`: An optional UID of the sftp user. * `sftp_login_shell`: Boolean indicating if the users should have a shell access (default to `False`). * `sftp_nologin_shell`: The "nologin" user shell. (defaults to /sbin/nologin.) * `sftp_home_skeleton`: An optional home skeleton directory (e.g: /dev/null). Default to system defaults. From cb3e3c49928b31f043512d49328cfa22bbeb110a Mon Sep 17 00:00:00 2001 From: Sebastian Trebitz Date: Mon, 8 Mar 2021 18:16:17 +0100 Subject: [PATCH 7/8] set password when creating / updating the account --- tasks/main.yml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) 
diff --git a/tasks/main.yml b/tasks/main.yml index 893221b..cf1ed63 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -64,6 +64,7 @@ - name: SFTP-Server | Create sftp users user: name: "{{ item.name }}" + password: "{{ item.password | default(omit) }}" group: "{{ item.group | default(omit) }}" groups: "{{ sftp_group_name }}" append: "{{ item.append | default(False) }}" @@ -103,14 +104,6 @@ - flags: skip_missing: True -# Update user passwords, if they were specified. -- name: SFTP-Server | Update user passwords - user: - name: "{{ item.name }}" - password: "{{ item.password }}" - with_items: "{{ _sftp_users }}" - when: item.password is defined - # Create directories for all SFTP users. Optional, but recommended. - name: SFTP-Server | Create directories file: From 655be506a42b19c1fc383975c82319aca9911813 Mon Sep 17 00:00:00 2001 From: Sebastian Trebitz Date: Mon, 12 Apr 2021 17:33:16 +0200 Subject: [PATCH 8/8] fix chroot permissions to work with ssh pubkey authentication --- tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index cf1ed63..2f928ce 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -81,7 +81,7 @@ file: path: "{{ sftp_home_partition }}" state: directory - mode: 0750 + mode: 0755 group: "{{ sftp_group_name }}" owner: root @@ -89,7 +89,7 @@ file: path: "{{ item.home }}" owner: root - group: "{{ item.group | default(sftp_group_name) }}" + group: "{{ item.group | default(item.name) }}" mode: "{{ item.mode | default(0750) }}" with_items: "{{ _sftp_users }}"
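Review bot: Moving `password:` into the looped create task (first hunk of the PATCH 7 diff) means the password hash now appears in this task's per-item result: as far as I know `with_items` echoes each `item` mapping in the task output, so the hash reaches the console and any callback or log sink even though the `user` module itself masks its `password` argument. The removed update task had the same exposure, but since this commit consolidates the loop it is the natural place to close it: add `loop_control:` with `label: "{{ item.name }}"` to the task, or `no_log: true` if the hashes must never be printed at all. The `- name: SFTP-Server | Create sftp users` header is the hunk's first context line, so the change is local to this task.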
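Review bot: `mode: 0755` on `sftp_home_partition` (first hunk of the PATCH 8 diff) makes the directory listable by every local account, so any non-SFTP user on the host can now enumerate the SFTP account names, whereas the previous `0750` with `group: sftp_group_name` limited that to members of the SFTP group. Every SFTP user is added to `sftp_group_name` via `groups:` in the create task, and sshd normally switches to the target user's uid and supplementary groups before reading `authorized_keys`, so it is not obvious from the hunk which requirement forced the relaxation; the commit message should name it. If others really need to traverse the path, `mode: 0751` keeps the traversal bit while removing the listing, which satisfies sshd's "root-owned, not group/world-writable" chroot check just as well.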
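Review bot: `group: "{{ item.group | default(item.name) }}"` (second hunk of the PATCH 8 diff) assumes that a group named after the user exists whenever `group:` is not set for that user, i.e. that `useradd` created a user-private group in the create task above, which passes `group: "{{ item.group | default(omit) }}"` and so never pins the primary group's name. On a host where user-private groups are disabled, or when `sftp_users` lists an existing account whose primary group has a different name, this `file` task will fail with an unknown group rather than fall back gracefully. I would at least document the assumption next to the line, e.g. `# home is root:<primary group>; assumes useradd created a group named after the user when item.group is unset`, and mention in the commit message the actual security effect: the home is now readable only by the user's own group instead of by everyone in sftp_group_name, which tightens isolation between SFTP users.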