Setting-up a JAILED SFTP server on your landing zone


Mon Jul 25, 2016 5:38 pm

You may have people you want to place data on your landing zone, but you don't want them to access any other part of your system. A JAILED SFTP server is the answer.

What does JAILED SFTP mean?

It means that each SFTP user has access to ONE AND ONLY ONE DIRECTORY.

This post shows you how to set up an SFTP server on your landing zone where each user has access to ONE AND ONLY ONE directory on the landing zone.

The instructions given below are bash commands executed on the Linux box of your landing zone. If you need additional help with these commands, don't hesitate to post.

Code:
#1. Create a new group on the landing zone instance that will be used by SFTP.
sudo groupadd sftponly

#2. For each SFTP user do the following. Set these three variables first; the home
#   directory must match the ChrootDirectory pattern in step 3 (/var/mydropzone/%u):
NEWUSER=<sftp-user-name>
PASSWORD=<sftp-user-password>
NEWUSERHOME=/var/mydropzone/$NEWUSER

  # Make user's landing zone directory. Leave it owned by root with mode 755: sshd
  # refuses to chroot into a directory (or under a parent) that is not root-owned or
  # is writable by group or others.
  sudo mkdir -p "$NEWUSERHOME"
  # Add user specifying his home directory, that he is in the group sftponly and that
  # he has no login shell (i.e. he can't log in interactively).
  sudo useradd -d "$NEWUSERHOME" -G sftponly -s /bin/false "$NEWUSER"

  # Set the user's password. passwd --stdin exists on RHEL/CentOS; on Debian/Ubuntu use
  #   echo "$NEWUSER:$PASSWORD" | sudo chpasswd
  echo "$PASSWORD" | sudo passwd --stdin "$NEWUSER"

  # Check to make sure the user is in the sftponly group and has an account entry
  # (the password hash itself is stored in /etc/shadow, not /etc/passwd)
  grep "^sftponly:" /etc/group
  getent passwd "$NEWUSER"

#3. Make changes to the sshd configuration file, /etc/ssh/sshd_config, so the SFTP
#   server is activated the next time the sshd service is started. Here are the changes
#   you should make:
#   Uncomment "Protocol 2"
#   Uncomment "PasswordAuthentication yes"
#   Comment   "PasswordAuthentication no"
#   Comment   "Subsystem       sftp    /usr/libexec/openssh/sftp-server"
#   Add       "Subsystem     sftp   internal-sftp"
#   At the end of the file (a Match block applies to everything that follows it, so it
#   must come last), add the following lines:
#
#   Match Group sftponly
#       ChrootDirectory /var/mydropzone/%u
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand internal-sftp

# Then, save the changes you made

# And, test the configuration (sshd -t reports syntax errors and exits non-zero)
sudo sshd -t
# And, reload sshd
sudo service sshd reload

#4. Setup the sub-directories, upload and download, and set permissions and owners for
#   these sub-directories. They sit inside the chroot, so they may be writable; note
#   that 777 also lets every other local account write here, while 2770 (the user plus
#   the hpcc group) is enough for the landing zone.
sudo mkdir -p "/var/mydropzone/$NEWUSER/download"
sudo mkdir -p "/var/mydropzone/$NEWUSER/upload"
sudo chmod 777 "/var/mydropzone/$NEWUSER/upload"
sudo chmod 777 "/var/mydropzone/$NEWUSER/download"
sudo chown "$NEWUSER:hpcc" "/var/mydropzone/$NEWUSER/upload"
sudo chown "$NEWUSER:hpcc" "/var/mydropzone/$NEWUSER/download"

#5. Test to see if the user can SFTP into his landing zone directory
sftp "$NEWUSER@<IP-of-landing-zone>"  # for sftp on a Linux box

# If the SFTP server is working correctly, the user will next be prompted for their
# password. Once the user is in the service, the following command should show the 2
# sub-directories, upload and download:
#   sftp> ls
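A check for the failure mode this setup most often hits, added here as an example and not part of Tim's post or of the HPCC Systems platform: sshd honours ChrootDirectory only when every component of the path, from / down to the user's directory, is a directory owned by root and not writable by group or others. When that is not the case the login is dropped right after the password prompt and sshd logs "bad ownership or modes for chroot directory" (in /var/log/secure on RHEL/CentOS). The script below audits a path the same way sshd does, and provisions the upload/download tree with a tighter mode than 777 (user plus the hpcc group only). /var/mydropzone, the sftponly group and the hpcc group come from the post; the function names, the 2770 mode and the setgid bit are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post. sshd applies
# ChrootDirectory only when every component of the path, from / down to
# /var/mydropzone/<user>, is a directory owned by root (uid 0) and is not
# writable by group or others. check_chroot_path audits a path the same way;
# provision_sftp_user builds the post's upload/download layout with 2770
# (user + hpcc group) instead of 777. Function names, the 2770 mode and the
# setgid bit are this example's assumptions, not the post's.

# Print "<uid> <octal mode> <file type>" for a path (GNU coreutils stat).
# A different helper name can be passed to check_chroot_path for testing.
stat_uid_mode() {
    stat -c '%u %a %F' "$1"
}

# A component is acceptable when uid is 0 and neither the group-write (020)
# nor the other-write (002) bit is set. Returns 0 if ok, 1 if not.
chroot_component_ok() {
    [ "$1" -eq 0 ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ] || return 1
    return 0
}

# Check one directory with the given stat helper; print why it fails.
check_component() {
    p=$1; fn=$2
    info=$("$fn" "$p" 2>/dev/null) || { echo "cannot stat: $p"; return 1; }
    uid=${info%% *}; rest=${info#* }
    mode=${rest%% *}; ftype=${rest#* }
    [ "$ftype" = "directory" ] || { echo "not a directory: $p"; return 1; }
    chroot_component_ok "$uid" "$mode" ||
        { echo "bad ownership or modes: $p (uid $uid, mode $mode)"; return 1; }
    return 0
}

# Walk every component of $1 from / downward, as sshd does. $2 optionally
# names the stat helper. Returns 0 only when the whole path is chroot-safe.
check_chroot_path() {
    path=$1; fn=${2:-stat_uid_mode}
    check_component / "$fn" || return 1
    oldifs=$IFS; IFS=/; set -f
    set -- $path
    IFS=$oldifs; set +f
    cur=""
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        check_component "$cur" "$fn" || return 1
    done
    return 0
}

# Create <base>/<user>/{upload,download} for the post's Match block. The
# chroot components stay root-owned 755; the two data directories are
# user:hpcc with mode 2770, so only that user and the hpcc group can read or
# write, and new files inherit group hpcc. Must run as root. $1 = user,
# $2 = base directory (default /var/mydropzone).
provision_sftp_user() {
    user=$1; base=${2:-/var/mydropzone}; home="$base/$user"
    mkdir -p "$home/upload" "$home/download"
    chown root:root "$base" "$home"
    chmod 755 "$base" "$home"
    chown "$user:hpcc" "$home/upload" "$home/download"
    chmod 2770 "$home/upload" "$home/download"
    check_chroot_path "$home"
}

# Usage:  sh sftp_chroot.sh check /var/mydropzone/alice
#         sudo sh sftp_chroot.sh provision alice
case ${1:-} in
    check)     check_chroot_path "$2" ;;
    provision) provision_sftp_user "$2" "$3" ;;
esac
```

Run the `check` form against the user's directory whenever a new SFTP account is refused right after the password prompt; it names the first offending component, which is usually a parent that was chowned to the user or left group-writable, rather than the user's own directory.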
Wed Aug 10, 2016 8:33 pm

Tim, this is nice! We should FAQ or Wiki this!
