sftp server ^#4

By chris.sanders
stable

Supports: bionic xenial

Add to new model

Description

Configures sftp access with chroot and no shell access for users

Series:
bionic ›
xenial ›

Tags:
misc ›

Overview

This charm provides a simple sftp server via openssh. The users are restricted to sftp (no shell) access and a chroot is setup. Configured directories are then mounted into the chroot for the user so their access is limited to only the specified folders.

Usage

This charm doesn't currently have any interfaces and deployment is fairly straight forward.

juju deploy sftp-server

After deployment configure the server for users and mounts.

Scale out Usage

No current allowance for scale out usage, if you want to run this behind HAProxy for tcp load balancing, that's probably fairly easy to add contact the charm author to discuss use cases.

Known Limitations and Issues

The mount points are only allowed to be used one time each in fstab, meaning a source location can not be mounted into multiple chroot environments. This is actually a limitation of the charmhelpers library but if you have a use case for it, fixing in charmhelpers would remove the limitation.

Configuration

The sftp-config option follows the following format

,:,;

After the ';' you repeat the pattern for additional users.

Contact Information

Upstream Project Name

Code: https://github.com/chris-sanders/layer-sftp-server
Bug tracking: https://github.com/chris-sanders/layer-sftp-server/issues
Contact information: sanders.chris@gmail.com

Configuration

sftp-chown-mnt: (boolean) Attempt to chown to the user after mounting into the chroot; True
sftp-config: (string) user,path:name,path:name;user,path:name,path:name
sftp-password-auth: (boolean) Allow password authentication; True
system-additional-groups: (string) Comma separated list of groups to create. User accounts will not be created
system-additional-users: (string) Comma separated list of users to create. Groups with the same name will be created.
system-gidmap: (string) Ensure the provided groups, comma separated, have the GID specified after '='. e.g. ubuntu=1000,storage=1001
system-group-membership: (string) Ensure the users provided, comma separated, are members of the provided groups, colon separated, following '='. e.g. ubuntu=sudo:wheel,storage=storage,sudo
system-uidmap: (string) Ensure the provided users, comma separated, have the UID specified after '='. e.g. ubuntu=1000,storage=1001