johanmeiring.sftp-server

SFTP Server


This Ansible role sets up an OpenSSH server for secure SFTP access. It makes sure not to change any custom settings you might have in OpenSSH, only adjusting what is necessary.

Requirements

It is recommended to set scp_if_ssh to true in your ansible.cfg file. Ansible uses SFTP by default for file transfers, so once this role restricts SFTP on a host you could accidentally lock yourself out of that server's SFTP; with this option Ansible uses SCP instead, which keeps working. Here's how to set it:

; ansible.cfg
...
[ssh_connection]
scp_if_ssh=True

The only requirement is Ansible itself. The role has been tested with Ansible 2.0.2.0, 2.2.2.0 and 2.3.0.0 on Ubuntu 14.04 and 16.04; other versions have not been tested. Some initial support for RHEL has been attempted, but it is not fully supported yet.

Role Variables

Here are the main variables you can use:

  • sftp_home_partition: The location for SFTP user home directories, default is "/home".
  • sftp_group_name: The Unix group for all SFTP users, default is "sftpusers".
  • sftp_directories: A list of default directories created for SFTP users, starts as empty.
    • Values can be strings or dictionaries with name and optional mode keys.
  • sftp_start_directory: The starting directory for new SFTP connections, default is empty.
  • sftp_allow_passwords: Whether to allow password login for SFTP, default is False.
  • sftp_enable_selinux_support: Option to enable SELinux support, default is False.
  • sftp_enable_logging: Turn on logging. Authentication logs go to /var/log/sftp/auth.log, and activity logs to /var/log/sftp/verbose.log. Default is False.
  • sftp_users: A list of users with the following details:
    • name: The Unix name for SFTP access.
    • group: An optional primary group for the user.
    • password: Hashed password for login. Can be empty with password: "". Set UsePAM yes and PermitEmptyPasswords yes in sshd_config for empty passwords to work.
    • shell: Indicates whether the user has shell access (default is True).
    • authorized: List of files with valid public keys for SFTP users.
    • sftp_directories: Directories specifically for the SFTP user, starts as empty.
    • append: Add sftp_group_name to user groups instead of setting it (default is False).
    • mode: Home directory permission mode (default is 0750).
    • skeleton: Optional home skeleton directory. Defaults to system settings.
    • home: Optional specific home directory (default is sftp_home_partition/name).
  • sftp_nologin_shell: The shell for users without login access, defaults to /sbin/nologin.

Notes:

  • The sftp_nologin_shell sets the shell for users without shell access, ensuring they can only use SFTP.

Example Playbook

---
- name: Test SFTP Server Role
  hosts: all
  become: yes
  become_user: root
  vars:
    sftp_users:
      - name: peter
        password: "$1$salty$li5TXAa2G6oxHTDkqx3Dz/" # passpass
        shell: False
        sftp_directories:
          - directory_only_for_peter1
          - directory_only_for_peter2
      - name: sally
        password: ""
        authorized: [sally.pub]
        home: /var/tmp/sally
        append: True
    sftp_directories:
      - imports
      - exports
      - { name: public, mode: "0755" } # quote the mode so YAML does not read it as the integer 755
      - other
  roles:
    - sftp-server
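The user definitions above interact with sshd_config in ways the role variables only hint at (empty passwords need UsePAM and PermitEmptyPasswords, a password-only user gets nowhere while sftp_allow_passwords is False, and OpenSSH rejects a chroot directory that is group- or world-writable). The following is an added example, not part of the role: a small Python pre-flight check that takes the sftp_users list as plain dicts and the target's sshd_config text and reports those conditions. The sshd_config parser is deliberately naive (global "Keyword value" lines only, stopping at the first Match block) and the sample inputs are constructed to mirror the playbook above.

```python
import re
# Prefixes of crypt(3)-style password hashes (md5, sha-256, sha-512, bcrypt, yescrypt)
HASH_RE = re.compile(r"^\$(1|5|6|2[aby]|y)\$")

SAMPLE_SSHD_CONFIG = """# constructed sample, not taken from a real host
UsePAM no
PasswordAuthentication no
Match Group sftpusers
    ChrootDirectory %h
"""
# Mirrors the two users in the README's example playbook
SAMPLE_USERS = [
    {"name": "peter", "password": "$1$salty$li5TXAa2G6oxHTDkqx3Dz/", "shell": False},
    {"name": "sally", "password": "", "authorized": ["sally.pub"], "home": "/var/tmp/sally"},
]

def parse_sshd_config(text):
    """Return {keyword.lower(): value} for global directives (stops at the first Match block)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        if key.lower() == "match":
            break  # conditional scope starts here; global directives end
        opts[key.lower()] = val.strip()
    return opts

def check_sftp_users(users, sshd_text, sftp_home_partition="/home", allow_passwords=False):
    """Return a list of findings; an empty list means the definitions look consistent."""
    opts = parse_sshd_config(sshd_text)
    findings = []
    for u in users:
        name, pw = u["name"], u.get("password")
        if pw == "":
            # README: empty passwords only work with UsePAM yes and PermitEmptyPasswords yes
            if opts.get("usepam") != "yes" or opts.get("permitemptypasswords") != "yes":
                findings.append(f"{name}: empty password needs UsePAM yes and PermitEmptyPasswords yes")
        elif pw and not HASH_RE.match(pw):
            findings.append(f"{name}: password is not a crypt(3) hash (plaintext in the playbook?)")
        if pw and not allow_passwords and not u.get("authorized"):
            findings.append(f"{name}: password-only user, but sftp_allow_passwords is False")
        # OpenSSH refuses a ChrootDirectory that is writable by group or others
        home = u.get("home") or f"{sftp_home_partition}/{name}"
        mode = int(str(u.get("mode", "0750")), 8)
        if mode & 0o022:
            findings.append(f"{name}: home {home} mode {mode:04o} is writable by group/others")
    return findings
```

Run against the sample inputs it flags peter (password but no keys while passwords are disabled) and sally (empty password without the two sshd_config settings); the same list with sftp_allow_passwords enabled and the settings present comes back clean.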

License

This role is licensed under the MIT License. Check the LICENSE file for details.

Donations

Your contributions are appreciated and can be made to the following addresses:

  • BTC: 1AWHJcUBha35FnuuWat9urRW2FNc4ftztv
  • ETH: 0xAF1Aac4c40446F4C46e55614F14d9b32d712ECBc
Project information

Setup chrooted SFTP service on top of OpenSSH

Install
ansible-galaxy install johanmeiring.sftp-server
License
mit
Downloads
120.6k
Owner