---
tags:
  - golang
  - sftp
categories:
  - informational
comments: true
---
Go-based SFTP server that can be run as a regular (unprivileged) user.

The server has two modes; this runbook only describes the basic mode (`sftpgo portable --help`).
Details: https://github.com/drakkan/sftpgo/blob/main/README.md

Explanation of configuration: https://github.com/drakkan/sftpgo/blob/main/docs/full-configuration.md
If security is a concern, the service can run in a chroot environment or as a systemd service (with restrictions). See: https://www.redhat.com/sysadmin/systemd-secure-services
Client usage once the service is running:

```bash
sftp -i colomboman -P 4444 colomboman@192.168.1.100
```

where 192.168.1.100 is the host the service was installed on. The setup steps below are run as root on that host:

```bash
ssh root@192.168.1.100
```
Download/build sftpgo:

```bash
git clone https://github.com/drakkan/sftpgo
cd sftpgo
go build -trimpath -ldflags "-s -w"
```

NOTE: a static build with `CGO_ENABLED=0 go build -trimpath -ldflags "-s -w"` fails due to a go-sqlite issue.
Copy the resulting `sftpgo` binary to the user folder /opt/gosftpuser/bin (created below).

Add the user, create the folders and set permissions:

```bash
# -d sets the home directory, -m creates it; nologin shell since this is a service account
useradd -s /usr/sbin/nologin -m -d /opt/gosftpuser gosftpuser
mkdir -p /opt/gosftpuser
chmod 0750 /opt/gosftpuser
cd /opt/gosftpuser
mkdir bin
mkdir service
cd bin
```
Install daemontools, which will be supervising the job:

```bash
apt-get update; apt-get install daemontools
```
Create the start-up script `gw_init`, which will be called from cron. The heredoc delimiter is quoted so that `$0`, `$PWD` and `$PATH` are written literally and expanded when the script runs, not when the file is created:

```bash
cat >gw_init<<'EOF'
#! /bin/bash
umask 0077
cd "$(dirname "$0")/.."
export BASEDIR="$PWD"
export PATH=$PWD/bin:$PATH
## required since we are using cron: if something already listens on 4444, do not start a second supervisor
nc -w 5 -v -z 127.0.0.1 4444 >/dev/null 2>&1 && exit
exec gw_run
EOF
chmod +x gw_init
```
Create the script that calls svscan (daemontools):

```bash
cat >gw_run<<'EOF'
#!/bin/bash
set -o errexit
set -o nounset
set -o pipefail
PATH=/bin:/usr/bin:/sbin:/usr/sbin
# pgrphack puts svscan in its own process group; the service directory is created below
exec pgrphack svscan /opt/gosftpuser/service
EOF
chmod +x gw_run
```
sftpgo start-up script: sets up the username, keys, folder to serve, etc. The SSH public key of the user that will be using the service has to be added as KEY. Create the key pair with `ssh-keygen -t rsa -f colomboman`; the `.pub` half goes into KEY, the private half is the `-i` file used by the sftp client above.

```bash
cat >start-sftpgo<<'EOF'
#! /bin/bash
set -o errexit
set -o nounset
set -o pipefail
PATH="$HOME/bin:$PATH"
PORT=4444
# directory to serve; must exist and be accessible by gosftpuser
DIR="/opt/remote/data"
SFTP_USER=colomboman
## Public key of the user colomboman
KEY="ssh-rsa ......"
#NOTE: portable cannot disable password authentication - if no password is set, password authentication simply fails
# service limitations set via systemd: see /lib/systemd/system/sftpgo.service
sftpgo portable --username "$SFTP_USER" --public-key "$KEY" --sftpd-port "$PORT" --directory "$DIR" --permissions '*'
EOF
chmod +x start-sftpgo
```
daemontools: service folder setup. When the service starts, the sftpgo server SSH host key pairs (if not already present) are created here: sftpgo detects the missing keys and generates them on the first start.

```bash
cd ../service
mkdir sftpgo
cd sftpgo
ln -sf ../../bin/start-sftpgo run
```

Once the service is started, the following files (host keys) are created by sftpgo:

```
ls service/sftpgo
id_ecdsa id_ecdsa.pub id_ed25519 id_ed25519.pub id_rsa id_rsa.pub
```
Change the ownership of everything created so far to the service user:

```bash
chown -R gosftpuser:gosftpuser /opt/gosftpuser
```

Add the cronjob for the service in /var/spool/cron/crontabs/gosftpuser (e.g. via `crontab -u gosftpuser -e`):

```
*/5 * * * * $HOME/bin/gw_init
```
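As an added check (not part of the runbook or of sftpgo), the function below verifies the layout built above before the cron job is enabled: the three scripts are executable, the daemontools `run` symlink is in place, the KEY placeholder has been replaced, and the private host keys generated on first start stay at mode 600. It assumes the base directory /opt/gosftpuser and GNU `stat`; `make_fixture` builds a constructed throw-away copy of the tree so the check can be tried offline.

```shell
# Added example, not from the runbook or sftpgo: sanity-check the /opt/gosftpuser layout.
# Usage: check_layout [BASE]   (BASE defaults to /opt/gosftpuser); prints each problem, returns 1 if any.
check_layout() {
  base="${1:-/opt/gosftpuser}"
  rc=0
  # all three scripts must exist and be executable, otherwise gw_init/daemontools fail silently under cron
  for f in bin/gw_init bin/gw_run bin/start-sftpgo; do
    [ -x "$base/$f" ] || { echo "missing or not executable: $base/$f"; rc=1; }
  done
  # daemontools runs service/sftpgo/run; the runbook makes it a symlink to bin/start-sftpgo
  run="$base/service/sftpgo/run"
  { [ -L "$run" ] && [ -x "$run" ]; } || { echo "run symlink missing or broken: $run"; rc=1; }
  # the public key placeholder must have been replaced, or only (failing) password auth remains
  grep -q 'ssh-rsa \.\.\.' "$base/bin/start-sftpgo" 2>/dev/null && { echo "KEY placeholder still in start-sftpgo"; rc=1; }
  # private host keys written by sftpgo on first start must stay mode 600 (GNU stat assumed)
  for k in "$base"/service/sftpgo/id_*; do
    [ -e "$k" ] || continue
    case "$k" in *.pub) continue ;; esac
    mode=$(stat -c '%a' "$k")
    [ "$mode" = "600" ] || { echo "private host key $k has mode $mode, expected 600"; rc=1; }
  done
  return "$rc"
}

# Build a constructed throw-away copy of the layout in a temp dir (to try check_layout offline).
# Prints the directory path; the caller removes it.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/bin" "$d/service/sftpgo"
  for f in gw_init gw_run start-sftpgo; do
    printf '#!/bin/bash\n' > "$d/bin/$f"
    chmod 755 "$d/bin/$f"
  done
  printf 'KEY="ssh-rsa AAAAconstructed"\n' >> "$d/bin/start-sftpgo"
  ln -s ../../bin/start-sftpgo "$d/service/sftpgo/run"
  printf 'constructed private key\n' > "$d/service/sftpgo/id_rsa"
  chmod 600 "$d/service/sftpgo/id_rsa"
  printf 'ssh-rsa constructed\n' > "$d/service/sftpgo/id_rsa.pub"
  chmod 644 "$d/service/sftpgo/id_rsa.pub"
  echo "$d"
}
```

On the real host, run `check_layout` as root after the chown step and before adding the crontab line; a non-zero exit means cron would keep calling gw_init without a working service.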