Skip to main content

Setting up an SFTP Account with RSA Key Access

Sometimes you need to setup an SFTP account with a user name and password... Other times you're asked to provide a RSA key for authentication. I'll be going over the setup of an account using RSA authentication. For this setup, I have a CentOS Linux box sitting in the DMZ that has been hooked into Active Directory (AD) using Centrify (more about Centrify HERE). I have Centrify scoped to only allow logins to users in two groups within AD, "Domain Admins" and "SFTP-Only-Users". The configuration/setup of Centrify is beyond the scope of this, but any documentation for setting up group based access can be found by searching through their KB articles. I also use Centrify enabled Samba to share the folders to the internal systems. This makes it easy to setup a task to move files from the SFTP directories to an internal file server, or to grant access to your internal users.

Setting up the user account 

 With that said, the user account is created in AD, and assigned to the appropriate groups. The SFTP Users group for access, and a specific group for access to the folders we'll create in a moment. The purpose of assigning a group to the IN and OUT folders so you could set up a task to have the file moved to an internal file server, or provide your users access to the folders from an internal system.

Setting up the SFTP Directories

So, we'll make a total of three directories, the home directory, an IN and an OUT. From there, we'll set the permissions so that the SFTP user is chrooted to the IN and OUT directory.

As root, issue the following (replace 'UserName' and 'GroupName' with the AD user and group needed for access):
mkdir -p /home/[UserName]/{IN,OUT}
chown [UserName].[GroupName] /home/[UserName]/{IN,OUT]
chmod 2755 /home/[UserName]
chmod 770 /home/[UserName]/{input,output}


Setting up Samba

Now, whether you're a nut like me and use Centrify enabled Samba or the normal Samba, this should be a similar process. You'll be editing the 'smb.conf' file to add the necessary information to share the IN and OUT directories created above.
sudo vi /etc/samba/smb.conf
Add the following to the end of the config file:
[ShareName-IN]
path = /home/[UserName]/IN
public = no
valid usrs = +DOMAIN\[GroupName]
write list = +DOMAIN\[GroupName]
writeable = yes
create mask = 770
directory mask - 2770
Do the same for the OUT directory, but replace IN with OUT (obviously...I hope...). Save the file and restart the service.
sudo service centrifydc-samba restart
Creating RSA Keys for Access

Finally, we're to the point where we need to creat the RSA keys for authentication. At this moment, we will need to change the ownership of the /home/[UserName] directory to the user account in order to create the '.ssh' directory and keys. Then we will extract the public key and you'll share that with whomever needs access. Be cautious about who you share that file with, because it will allow access to your SFTP server.

As root, complete the following:
chown [UserName].[GroupName] /home/[UserName]
su [UserName]
cd /home/[UserName]
mkdir .ssh
cd .ssh
ssh-keygen -t rsals
cat id_rsa.pub >> authorized_keys
cd ..
chmod 700 .ssh
chmod 7000 .ssh/authorized_keys
chmod 700 .ssh/id_rsa
exit
chown root.root /home/[UserName]
Finally, you'll need to export the 'id_rsa.pub' file, rename it to what you want to identify it as, then send it off to the parties that need access to the SFTP account. All that *should* do it. Good luck.
Labels:

Comments

Post a Comment

Popular posts from this blog

Using Python for GPG/PGP File Encryption - Part 1

So, this will be the start of a series that will build a python script for GPG/PGP file encryption. In this post, we'll look at installing gnupg for python and using python to setup the keystore, create a private key, exporting the associated public key, and importing a public key. Now everything done here can be done with simple gnupg commands, but learning how to do this with python will help in understanding the script we'll be building to complete file encryption. I will be covering non-python gnupg commands in a future post. Additionally, the folks at the python-gnupg site over at pythonhosted.org have done a really great job at documenting everything (link to their site at the bottom). The stuff I'll be going over will be more of a start-to-finish for anyone that may get lost in the muck of doing stuff with python. Full Disclosure #1: Any key identifier throughout the series of posts is FICTITIOUS and DOES NOT represent any real key, either associated with myself or...
1 comment
Read more

Windows Server 2008: Log on as batch job

From time to time, I have to set up some scheduled tasks that required a dedicated account to run. And when doing so, I'll usually forget that the dedicated account usually isn't given any more permissions than what it needs to complete the task at hand. So, after setting up the task, Windows will usually yell at me and say "The account needs batch job rights". So here's how to grant batch job permissions on your server. Go to your start menu, and start searching for Local Security Policy In the left pane of the MMC that opens up, expand Local Policies, and highlight User Rights Assignment. Now, in the left right pane, locate "Log on as a batch job" and double click it. In the properties window that opens up, add the user or group that needs this permission. I find that if you have multiple service accounts running different tasks on the same server, it's easier to just add a group verses the individual a...
Post a Comment
Read more

Replacing rsyslog with syslog-ng on RHEL 6.5

So...I had a piece of monitoring software that didn't play nice with the RHEL default rsyslog for log collection. The software was developed to only work with syslog-ng. I'll be going over the steps that I took, that worked for me, in replacing rsyslog with syslog-ng. I would imagine that these same steps should work for any Linux system similar to RHEL (Fedora, CentOS, etc.). For others (like Debein based distributions), I would need to look into that (coming in a future update to this post). First, remove rsyslog. You will need to keep the dependencies as they will be needed for syslog-ng: sudo rpm -e --nodeps rsyslog Next we will need to add the EPEL repository (more info can be found HERE ): wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm sudo rpm -ivh epel-release-6-8.rpm sudo yum repolist That last command will list all the installed repositories. You are simply verifying that the EPEL package has been installed. Now that we fi...
1 comment
Read more