tags:
  - sshfs
  - mount
categories:
  - informational
comments: true
openssh-server - secure shell (SSH) server, for secure access from remote machines
sshfs - filesystem client based on SSH File Transfer Protocol
openssh-client - secure shell (SSH) client, for secure access to remote machines
Mounts are done by an unprivileged user; that user must use the following to unmount:
fusermount -u /home/user/mnt
create chroot user
# Create the dedicated sftp/chroot account.  The home directory is made by
# hand (useradd -M) so that root keeps ownership: sshd's ChrootDirectory
# refuses a chroot target that is not root-owned or is writable by others.
home=/home/this_userlogs
user=this_userlogs
mkdir -- "$home"
groupadd "$user"
# NOTE(review): the `grep /etc/passwd` output further down shows /bin/sh as
# this account's shell, not /bin/rbash -- confirm which one is intended.
useradd -d "$home" -M -g "$user" -s /bin/rbash "$user"
chown root:root -- "$home"
chmod 0755 -- "$home"
check user
id this_userlogs
uid=1016(this_userlogs) gid=1001(this_userlogs) groups=1001(this_userlogs)
grep this_userlogs /etc/passwd
this_userlogs:x:1016:1001::/home/this_userlogs:/bin/sh
create folder structure to hold files
# Directory layout.  /home/this_useruser holds the mount scripts and the ssh
# key; /home/this_userlogs/<app>_logs are the sshfs mount points that sftp
# clients see inside the chroot.
base_user=/home/this_useruser
base_logs=/home/this_userlogs

mkdir -- "$base_user" "$base_user/.ssh" "$base_user/bin"
chown -R this_useruser:root -- "$base_user"
# NOTE(review): mode 0500 owned by this_useruser gives this_userlogs no access
# to this tree, yet the cron job further down runs the scripts in
# $base_user/bin as this_userlogs -- confirm the intended owner and mode.
chmod 0500 -- "$base_user"
chmod 0700 -- "$base_user/.ssh"

# One mount point per application, owned by the sftp user, private.
for app in app1_logs app2_logs app3_logs; do
  dir="$base_logs/$app"
  mkdir -- "$dir"
  chown this_userlogs:root -- "$dir"
  chmod 0700 -- "$dir"
done
create the mount scripts and ssh keys
# Switch to the service account and go where the mount scripts will live.
# NOTE(review): /home/this_useruser is chmod 0500 and owned by this_useruser
# above, which leaves this_userlogs unable to enter it -- confirm.
su -l this_userlogs
cd -- /home/this_useruser/bin
sshfs mount scripts
app1-logs
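#! /bin/bash
# Mount the app1 log directory from the remote host read-only via sshfs,
# unless it is already mounted.  Run by /usr/local/bin/mount-logs-this_useruser
# (from cron) as this_userlogs.
set -o pipefail
set -o nounset
set -o errexit
PATH=/bin:/usr/bin

LDIR="/home/this_userlogs/app1_logs"   # local mount point (inside the sftp chroot)
RDIR="/opt/MGW/app1/logs"              # directory on the remote host
COMM="this_userlogs@x.x.x.x"           # user@host for the ssh transport

# sshfs options as an array so that no option depends on word splitting.
#   ro         -- sftp clients of this_userlogs must never write to the logs
#   reconnect  -- re-establish the transport after a network drop
#   accept-new -- pin the host key on first contact and refuse a changed key
#                 afterwards (OpenSSH >= 7.6); "no" would accept any key and
#                 let a spoofed host impersonate the log server
ARGS=(
  -o ro,reconnect,ServerAliveInterval=15,ServerAliveCountMax=3
  -o IdentityFile=/home/this_useruser/.ssh/id_rsa
  -o StrictHostKeyChecking=accept-new
)

# Fixed-string match on " on <dir> " so that a mount point that merely has
# LDIR as a prefix (e.g. <dir>_old) is not mistaken for this one.  No grep -q:
# under pipefail an early exit from grep could turn mount's SIGPIPE into a
# spurious "not mounted".
if ! mount | grep -F -- " on ${LDIR} " >/dev/null 2>&1; then
  sshfs "${ARGS[@]}" "${COMM}:${RDIR}" "${LDIR}"
fi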
app2-logs
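#! /bin/bash
# Mount the app2 (tomcat) log directory from the remote host read-only via
# sshfs, unless it is already mounted.  Run by
# /usr/local/bin/mount-logs-this_useruser (from cron) as this_userlogs.
set -o pipefail
set -o nounset
set -o errexit
PATH=/bin:/usr/bin

LDIR="/home/this_userlogs/app2_logs"               # local mount point (inside the sftp chroot)
RDIR="/opt/MGW/app2/apache-tomcat-9.0.54/logs"     # directory on the remote host
COMM="this_userlogs@x.x.x.x"                       # user@host for the ssh transport

# sshfs options as an array so that no option depends on word splitting.
#   ro         -- sftp clients of this_userlogs must never write to the logs
#   reconnect  -- re-establish the transport after a network drop
#   accept-new -- pin the host key on first contact and refuse a changed key
#                 afterwards (OpenSSH >= 7.6); "no" would accept any key and
#                 let a spoofed host impersonate the log server
ARGS=(
  -o ro,reconnect,ServerAliveInterval=15,ServerAliveCountMax=3
  -o IdentityFile=/home/this_useruser/.ssh/id_rsa
  -o StrictHostKeyChecking=accept-new
)

# Fixed-string match on " on <dir> " so that a mount point that merely has
# LDIR as a prefix (e.g. <dir>_old) is not mistaken for this one.  No grep -q:
# under pipefail an early exit from grep could turn mount's SIGPIPE into a
# spurious "not mounted".
if ! mount | grep -F -- " on ${LDIR} " >/dev/null 2>&1; then
  sshfs "${ARGS[@]}" "${COMM}:${RDIR}" "${LDIR}"
fi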
app3-logs
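#! /bin/bash
# Mount the app3 log directory from the remote host read-only via sshfs,
# unless it is already mounted.  Run by /usr/local/bin/mount-logs-this_useruser
# (from cron) as this_userlogs.
set -o pipefail
set -o nounset
set -o errexit
PATH=/bin:/usr/bin

LDIR="/home/this_userlogs/app3_logs"   # local mount point (inside the sftp chroot)
# NOTE(review): RDIR points under app1, not app3 -- confirm this is intended.
RDIR="/opt/MGW/app1/remoteStorage"     # directory on the remote host
COMM="this_userlogs@x.x.x.x"           # user@host for the ssh transport

# sshfs options as an array so that no option depends on word splitting.
#   ro         -- sftp clients of this_userlogs must never write to the logs
#   reconnect  -- re-establish the transport after a network drop
#   accept-new -- pin the host key on first contact and refuse a changed key
#                 afterwards (OpenSSH >= 7.6); "no" would accept any key and
#                 let a spoofed host impersonate the log server
ARGS=(
  -o ro,reconnect,ServerAliveInterval=15,ServerAliveCountMax=3
  -o IdentityFile=/home/this_useruser/.ssh/id_rsa
  -o StrictHostKeyChecking=accept-new
)

# Fixed-string match on " on <dir> " so that a mount point that merely has
# LDIR as a prefix (e.g. <dir>_old) is not mistaken for this one.  No grep -q:
# under pipefail an early exit from grep could turn mount's SIGPIPE into a
# spurious "not mounted".
if ! mount | grep -F -- " on ${LDIR} " >/dev/null 2>&1; then
  sshfs "${ARGS[@]}" "${COMM}:${RDIR}" "${LDIR}"
fi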
/usr/local/bin/mount-logs-this_useruser
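#! /bin/bash
# Entry point run from /etc/cron.d/mount-logs-this_useruser (at boot and then
# every 8 minutes) to (re)establish the three sshfs log mounts.
set -o pipefail
set -o errexit
set -o nounset

# Only the dedicated mount user may run this.  Checked before the network
# probe so that a misrun does not sit through the 20 s timeout; the command
# substitution is quoted so an empty result cannot break the test.
if [[ "$(id -n -u)" != "this_userlogs" ]]; then
  exit 1
fi

# Bail out (non-zero, as before) when the remote ssh port is not reachable,
# so that sshfs is not even attempted.
nc -w 20 -z x.x.x.x 22 >/dev/null 2>&1 || exit 1

# errexit: the first mount script that fails stops the remaining ones.
/home/this_useruser/bin/app1-logs
/home/this_useruser/bin/app2-logs
/home/this_useruser/bin/app3-logs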
/etc/cron.d/mount-logs-this_useruser
# cron.d format: schedule, user, command.  Runs as this_userlogs (the mount
# scripts refuse any other account) at boot and then every 8 minutes; the
# script itself is idempotent for mounts that are already present.
@reboot this_userlogs /usr/local/bin/mount-logs-this_useruser
*/8 * * * * this_userlogs /usr/local/bin/mount-logs-this_useruser
ssh keys
# Generate the key the mount scripts present to the remote host.  It is used
# non-interactively from cron, so it cannot have a passphrase; compensate on
# the remote side by restricting the authorized_keys entry (e.g. `restrict`
# and `from=` limited to this host).
su -l this_userlogs
cd -- /home/this_useruser/.ssh
ssh-keygen -f id_rsa
Copy .ssh/id_rsa.pub to the rs01 server, into the authorized keys of the appropriate users: app1_user and app2_user.
Add to end of: /etc/ssh/sshd_config
# override default of no subsystems
# Subsystem sftp /usr/lib/openssh/sftp-server
# internal-sftp runs inside sshd itself, so the chroot needs no binaries or
# libraries (the external sftp-server would).
# NOTE(review): the stock Subsystem line must be commented out as shown, not
# kept alongside this one -- sshd -t rejects a second "Subsystem sftp".
Subsystem sftp internal-sftp
# Everything from here to the next Match keyword (or the end of the file)
# applies only to this_userlogs.  %h is /home/this_userlogs, which is
# root-owned 0755 above, as ChrootDirectory requires (root-owned, not
# writable by others).
Match User this_userlogs
ChrootDirectory %h
# Only the sftp subsystem: no shell, no remote commands.
ForceCommand internal-sftp
# No tunnelling out of the chroot.  Consider also AllowAgentForwarding no
# and PermitTunnel no here.
AllowTCPForwarding no
X11Forwarding no
# The "put" failure in the sftp session below is presumably the read-only
# sshfs mount (-o ro) refusing the write, not sshd.
## access to the system cannot be restricted to the sftp command or rbash
## for app1_user, as directory traversal is required
#Match User app1_user
# ChrootDirectory %h
# ForceCommand internal-sftp
# AllowTCPForwarding no
# X11Forwarding no
check sshd: /usr/sbin/sshd -t
sftp this_userlogs@y.y.y.y
Connected to y.y.y.y
sftp> cd /etc
Couldn't stat remote file: No such file or directory
sftp> ls
app1_logs app2_logs app3_logs
sftp> cd app2_logs/
sftp> ls
sftp> put /etc/hosts
Uploading /etc/hosts to /app2_logs/hosts
remote open("/app2_logs/hosts"): Failure
sftp>