Skip to main content

Setting up an SFTP Account with RSA Key Access

Sometimes you need to setup an SFTP account with a user name and password... Other times you're asked to provide a RSA key for authentication. I'll be going over the setup of an account using RSA authentication. For this setup, I have a CentOS Linux box sitting in the DMZ that has been hooked into Active Directory (AD) using Centrify (more about Centrify HERE). I have Centrify scoped to only allow logins to users in two groups within AD, "Domain Admins" and "SFTP-Only-Users". The configuration/setup of Centrify is beyond the scope of this, but any documentation for setting up group based access can be found by searching through their KB articles. I also use Centrify enabled Samba to share the folders to the internal systems. This makes it easy to setup a task to move files from the SFTP directories to an internal file server, or to grant access to your internal users.

Setting up the user account 

 With that said, the user account is created in AD, and assigned to the appropriate groups. The SFTP Users group for access, and a specific group for access to the folders we'll create in a moment. The purpose of assigning a group to the IN and OUT folders so you could set up a task to have the file moved to an internal file server, or provide your users access to the folders from an internal system.

Setting up the SFTP Directories

So, we'll make a total of three directories, the home directory, an IN and an OUT. From there, we'll set the permissions so that the SFTP user is chrooted to the IN and OUT directory.

As root, issue the following (replace 'UserName' and 'GroupName' with the AD user and group needed for access):
mkdir -p /home/[UserName]/{IN,OUT}
chown [UserName].[GroupName] /home/[UserName]/{IN,OUT]
chmod 2755 /home/[UserName]
chmod 770 /home/[UserName]/{input,output}


Setting up Samba

Now, whether you're a nut like me and use Centrify enabled Samba or the normal Samba, this should be a similar process. You'll be editing the 'smb.conf' file to add the necessary information to share the IN and OUT directories created above.
sudo vi /etc/samba/smb.conf
Add the following to the end of the config file:
[ShareName-IN]
path = /home/[UserName]/IN
public = no
valid usrs = +DOMAIN\[GroupName]
write list = +DOMAIN\[GroupName]
writeable = yes
create mask = 770
directory mask - 2770
Do the same for the OUT directory, but replace IN with OUT (obviously...I hope...). Save the file and restart the service.
sudo service centrifydc-samba restart
Creating RSA Keys for Access

Finally, we're to the point where we need to creat the RSA keys for authentication. At this moment, we will need to change the ownership of the /home/[UserName] directory to the user account in order to create the '.ssh' directory and keys. Then we will extract the public key and you'll share that with whomever needs access. Be cautious about who you share that file with, because it will allow access to your SFTP server.

As root, complete the following:
chown [UserName].[GroupName] /home/[UserName]
su [UserName]
cd /home/[UserName]
mkdir .ssh
cd .ssh
ssh-keygen -t rsals
cat id_rsa.pub >> authorized_keys
cd ..
chmod 700 .ssh
chmod 7000 .ssh/authorized_keys
chmod 700 .ssh/id_rsa
exit
chown root.root /home/[UserName]
Finally, you'll need to export the 'id_rsa.pub' file, rename it to what you want to identify it as, then send it off to the parties that need access to the SFTP account. All that *should* do it. Good luck.
Labels:

Comments

Post a Comment

Popular posts from this blog

Visio Stencils Pack for Azure and Microsoft Integration (v5.0.0)

First off, I'd like to send a big shout out to Sandro Pereira who's been managing the vision stencils pack. Essentially, I'm re-posting his information here, because I had a really hard time finding the latest Visio pack for Azure, that wasn't a bunch of SVG's. My thought is that if more people re-post, maybe the search engines of the internet will have an easier time propagating the information... Sandero's Blog (the original post around the new stencils): https://blog.sandro-pereira.com/2019/10/18/microsoft-integration-and-azure-stencils-pack-for-visio-new-major-version-available-v5-0-0/ Sandero's GitHub: https://github.com/sandroasp/Microsoft-Integration-and-Azure-Stencils-Pack-for-Visio Microsoft TechNet Download: https://gallery.technet.microsoft.com/Collection-of-Integration-e6a3f4d0 I will say, and maybe it's just because I'm using Visio 2013, each icon has a boarder that needs to be removed when putting it on the page... Likely it
Post a Comment
Read more

Keto Kickin' Choffle

Alight, first recipe on the blog... If you've had a chance to reach the "About" section, you will have seen that, rather than spinning up multiple blogs, I'm just going to combine my passions for tech, food, health, and music into this one space. If you're not a fan, then too bad. I really just don't want to manage more than one blog.... With that, here goes nothing... So I recently came across the choffle. This is a really great, and fast to make replacement for buns. I'm also a huge fan of spicy foods. Well, I got the great idea to combine the heat with the choffle. And let me tell you, it turned out really good. I like to use this for a bun replacement when I'm in the mood for that extra kick, but not the extra toppings. Why? Because the extra toppings are now combined in the choffle. Thus removing the need for the additional toppings on my burgers. Enjoy. Kickin' choffle The choffle mix with a kick! Author: Larry L. Preparation Time: 3
Post a Comment
Read more

Replacing rsyslog with syslog-ng on RHEL 6.5

So...I had a piece of monitoring software that didn't play nice with the RHEL default rsyslog for log collection. The software was developed to only work with syslog-ng. I'll be going over the steps that I took, that worked for me, in replacing rsyslog with syslog-ng. I would imagine that these same steps should work for any Linux system similar to RHEL (Fedora, CentOS, etc.). For others (like Debein based distributions), I would need to look into that (coming in a future update to this post). First, remove rsyslog. You will need to keep the dependencies as they will be needed for syslog-ng: sudo rpm -e --nodeps rsyslog Next we will need to add the EPEL repository (more info can be found HERE ): wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm sudo rpm -ivh epel-release-6-8.rpm sudo yum repolist That last command will list all the installed repositories. You are simply verifying that the EPEL package has been installed. Now that we fi
1 comment
Read more