Skip to main content

Setting up an SFTP Account with RSA Key Access

Sometimes you need to setup an SFTP account with a user name and password... Other times you're asked to provide a RSA key for authentication. I'll be going over the setup of an account using RSA authentication. For this setup, I have a CentOS Linux box sitting in the DMZ that has been hooked into Active Directory (AD) using Centrify (more about Centrify HERE). I have Centrify scoped to only allow logins to users in two groups within AD, "Domain Admins" and "SFTP-Only-Users". The configuration/setup of Centrify is beyond the scope of this, but any documentation for setting up group based access can be found by searching through their KB articles. I also use Centrify enabled Samba to share the folders to the internal systems. This makes it easy to setup a task to move files from the SFTP directories to an internal file server, or to grant access to your internal users.

Setting up the user account 

 With that said, the user account is created in AD, and assigned to the appropriate groups. The SFTP Users group for access, and a specific group for access to the folders we'll create in a moment. The purpose of assigning a group to the IN and OUT folders so you could set up a task to have the file moved to an internal file server, or provide your users access to the folders from an internal system.

Setting up the SFTP Directories

So, we'll make a total of three directories, the home directory, an IN and an OUT. From there, we'll set the permissions so that the SFTP user is chrooted to the IN and OUT directory.

As root, issue the following (replace 'UserName' and 'GroupName' with the AD user and group needed for access):
mkdir -p /home/[UserName]/{IN,OUT}
chown [UserName].[GroupName] /home/[UserName]/{IN,OUT]
chmod 2755 /home/[UserName]
chmod 770 /home/[UserName]/{input,output}


Setting up Samba

Now, whether you're a nut like me and use Centrify enabled Samba or the normal Samba, this should be a similar process. You'll be editing the 'smb.conf' file to add the necessary information to share the IN and OUT directories created above.
sudo vi /etc/samba/smb.conf
Add the following to the end of the config file:
[ShareName-IN]
path = /home/[UserName]/IN
public = no
valid usrs = +DOMAIN\[GroupName]
write list = +DOMAIN\[GroupName]
writeable = yes
create mask = 770
directory mask - 2770
Do the same for the OUT directory, but replace IN with OUT (obviously...I hope...). Save the file and restart the service.
sudo service centrifydc-samba restart
Creating RSA Keys for Access

Finally, we're to the point where we need to creat the RSA keys for authentication. At this moment, we will need to change the ownership of the /home/[UserName] directory to the user account in order to create the '.ssh' directory and keys. Then we will extract the public key and you'll share that with whomever needs access. Be cautious about who you share that file with, because it will allow access to your SFTP server.

As root, complete the following:
chown [UserName].[GroupName] /home/[UserName]
su [UserName]
cd /home/[UserName]
mkdir .ssh
cd .ssh
ssh-keygen -t rsals
cat id_rsa.pub >> authorized_keys
cd ..
chmod 700 .ssh
chmod 7000 .ssh/authorized_keys
chmod 700 .ssh/id_rsa
exit
chown root.root /home/[UserName]
Finally, you'll need to export the 'id_rsa.pub' file, rename it to what you want to identify it as, then send it off to the parties that need access to the SFTP account. All that *should* do it. Good luck.
Labels:

Comments

Post a Comment

Popular posts from this blog

Visio Stencils Pack for Azure and Microsoft Integration (v5.0.0)

First off, I'd like to send a big shout out to Sandro Pereira who's been managing the vision stencils pack. Essentially, I'm re-posting his information here, because I had a really hard time finding the latest Visio pack for Azure, that wasn't a bunch of SVG's. My thought is that if more people re-post, maybe the search engines of the internet will have an easier time propagating the information... Sandero's Blog (the original post around the new stencils): https://blog.sandro-pereira.com/2019/10/18/microsoft-integration-and-azure-stencils-pack-for-visio-new-major-version-available-v5-0-0/ Sandero's GitHub: https://github.com/sandroasp/Microsoft-Integration-and-Azure-Stencils-Pack-for-Visio Microsoft TechNet Download: https://gallery.technet.microsoft.com/Collection-of-Integration-e6a3f4d0 I will say, and maybe it's just because I'm using Visio 2013, each icon has a boarder that needs to be removed when putting it on the page... Likely it
Post a Comment
Read more

Disable Security Features to Dual Boot OS X - El Capitan

So, I've recently been working on updating/rebuilding my latest little friend (an 11" MacBook Air) to dual boot the latest OS X, El Capitan, and Kali. I'll go over everything in full detail as soon as I can finish the setup, but I wanted to get this out there for anyone else that may stumble upon any issues with setting up rEFInd on an updated mac. To start, while on Yosemite, I downloaded El Capitan from the App Store, and copied the install files to a USB. From there I preformed my upgrade. This might not be a good option for some people, as I'm sure your mac might be your primary computer... For me, that's not a problem. I tend to keep my essentials on USB drives / cloud storage as I tend to need access from different devices (phone, computer, tablet, etc.). After preforming a clean install of El Capitan, I headed over to the rEFInd website, download the program and ran the install.sh script... Now, that appears to work, like it did with pervious versions of
Post a Comment
Read more

Windows Server 2008: Log on as batch job

From time to time, I have to set up some scheduled tasks that required a dedicated account to run. And when doing so, I'll usually forget that the dedicated account usually isn't given any more permissions than what it needs to complete the task at hand. So, after setting up the task, Windows will usually yell at me and say "The account needs batch job rights". So here's how to grant batch job permissions on your server. Go to your start menu, and start searching for Local Security Policy In the left pane of the MMC that opens up, expand Local Policies, and highlight User Rights Assignment. Now, in the left right pane, locate "Log on as a batch job" and double click it. In the properties window that opens up, add the user or group that needs this permission. I find that if you have multiple service accounts running different tasks on the same server, it's easier to just add a group verses the individual a
Post a Comment
Read more