sftp server #4
Description
Configures sftp access with chroot and no shell access for users
Tags: misc
Overview
This charm provides a simple sftp server via openssh. Users are restricted to sftp access (no shell) and a chroot is set up for each of them. The configured directories are then mounted into the user's chroot, so their access is limited to only the specified folders.
Usage
This charm doesn't currently have any interfaces, and deployment is fairly straightforward.
juju deploy sftp-server
After deployment, configure users and their mounts through the sftp-config option (see Configuration below).
Scale out Usage
There is currently no provision for scaling out. Running this behind HAProxy for TCP load balancing is probably fairly easy to add; contact the charm author to discuss use cases.
Known Limitations and Issues
Each mount point may be used only once in fstab, meaning a source location cannot be mounted into more than one chroot environment. This is actually a limitation of the charmhelpers library; if you have a use case for it, fixing it in charmhelpers would remove the limitation.
Configuration
The sftp-config option is a single string in the format user,path:name,path:name where user is the account name, followed by one or more path:name pairs: path is the source directory on the unit and name is the directory it is mounted as inside that user's chroot.
After the ';' you repeat the pattern for additional users.
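The following is an added example, not code from the layer-sftp-server charm. It parses and validates a string in the sftp-config format described above, flags source paths listed under more than one user (which the fstab limitation above would reject), and shows the OpenSSH directives that "sftp only, in a chroot" corresponds to. The chroot location /home/<user>, the Match block layout, the user-name rules and the sample string are all assumptions made for the example; the charm's own template may differ.

```python
"""Validate an sftp-config string (added example, not the charm's code)."""
import re
from collections import Counter

# Assumed user-name rule for the example; the charm may accept more or less.
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")


class SftpConfigError(ValueError):
    """Raised when the sftp-config string does not match the documented format."""


def parse_sftp_config(config):
    """Return {user: [(source_path, mount_name), ...]} for a config string.

    Format (from this page): user,path:name,path:name;user,path:name
    A trailing ';' is tolerated; everything else must be well formed.
    """
    users = {}
    for entry in config.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        fields = [f.strip() for f in entry.split(",")]
        user, mounts = fields[0], fields[1:]
        if not USER_RE.match(user):
            raise SftpConfigError("bad user name: %r" % user)
        if user in users:
            raise SftpConfigError("user listed twice: %s" % user)
        if not mounts:
            raise SftpConfigError("user %s has no path:name mounts" % user)
        seen_names = set()
        parsed = []
        for mount in mounts:
            path, sep, name = mount.partition(":")
            if not sep or not path or not name:
                raise SftpConfigError("expected path:name, got %r" % mount)
            if not path.startswith("/"):
                raise SftpConfigError("source path must be absolute: %s" % path)
            # The name becomes a directory inside the chroot; reject anything
            # that could escape it or nest.
            if name in (".", "..") or "/" in name:
                raise SftpConfigError("mount name must be a single directory name: %r" % name)
            if name in seen_names:
                raise SftpConfigError("user %s mounts %r twice" % (user, name))
            seen_names.add(name)
            parsed.append((path, name))
        users[user] = parsed
    return users


def reused_sources(users):
    """Source paths that appear under more than one user.

    Each source can be mounted into only one chroot (the fstab/charmhelpers
    limitation above), so anything returned here will not deploy cleanly.
    """
    counts = Counter(path for mounts in users.values() for path, _ in mounts)
    return sorted(path for path, n in counts.items() if n > 1)


def chroot_dir_is_safe(uid, mode):
    """OpenSSH refuses a ChrootDirectory (and any parent of it) that is not
    owned by root or is writable by group or others. Takes st_uid and st_mode."""
    return uid == 0 and (mode & 0o022) == 0


def render_match_block(user, chroot_root="/home"):
    """sshd_config Match block equivalent to 'sftp only, inside a chroot'.

    Illustrates the OpenSSH directives involved; the chroot path
    (assumed here to be /home/<user>) and the exact block are not taken
    from the charm.
    """
    return "\n".join([
        "Match User %s" % user,
        "    ChrootDirectory %s/%s" % (chroot_root, user),
        "    ForceCommand internal-sftp",
        "    AllowTcpForwarding no",
        "    X11Forwarding no",
    ])


# Constructed sample: /srv/data/shared is listed for both users, which
# trips the one-mount-per-source limitation.
SAMPLE = ("alice,/srv/data/reports:reports,/srv/data/shared:shared;"
          "bob,/srv/data/shared:shared;")

if __name__ == "__main__":
    parsed = parse_sftp_config(SAMPLE)
    for user, mounts in parsed.items():
        print(user, mounts)
    print("reused sources:", reused_sources(parsed))
    print(render_match_block("alice"))
```

Run it before setting the option: a non-empty result from reused_sources means the string needs to be split differently, and chroot_dir_is_safe is the check to apply (with os.stat) to every directory on the chroot path if sshd later refuses logins with a "bad ownership or modes for chroot directory" error.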
Contact Information
Upstream Project Name
- Code: https://github.com/chris-sanders/layer-sftp-server
- Bug tracking: https://github.com/chris-sanders/layer-sftp-server/issues
- Contact information: sanders.chris@gmail.com
Configuration
- sftp-chown-mnt (boolean): Attempt to chown to the user after mounting into the chroot. Default: True
- sftp-config (string): user,path:name,path:name;user,path:name,path:name
- sftp-password-auth (boolean): Allow password authentication. Default: True
- system-additional-groups (string): Comma-separated list of groups to create. User accounts will not be created.
- system-additional-users (string): Comma-separated list of users to create. Groups with the same name will be created.
- system-gidmap (string): Ensure the provided groups, comma separated, have the GID specified after '='. e.g. ubuntu=1000,storage=1001
- system-group-membership (string): Ensure the users provided, comma separated, are members of the provided groups, colon separated, following '='. e.g. ubuntu=sudo:wheel,storage=storage,sudo
- system-uidmap (string): Ensure the provided users, comma separated, have the UID specified after '='. e.g. ubuntu=1000,storage=1001