Add possibility to restrict the user allowed to access by sftp

2024-09-03 20:06:10 +02:00 · 2018-12-28 14:23:12 +01:00 · 2018-12-28 14:23:12 +01:00 · 5e6bcb2346
commit 5e6bcb2346
parent 28b8a0ef6a
6 changed files with 71 additions and 7 deletions
--- a/data/actionsmap/yunohost.yml
+++ b/data/actionsmap/yunohost.yml
@ -408,6 +408,21 @@ user:
                        key:
                            help: The key to be removed

+                ### user_ssh_enable_permission()
+                enable-permission:
+                    action_help: Enable sftp permission
+                    api: POST /users/ssh/sftp/enable
+                    configuration:
+                        authenticate: all
+                        authenticator: as-root
+
+                ### user_ssh_disable_permission()
+                disable-permission:
+                    action_help: Disable sftp permission
+                    api: POST /users/ssh/sftp/disable
+                    configuration:
+                        authenticate: all
+                        authenticator: as-root

 #############################
 #          Domain           #
--- a/data/hooks/conf_regen/03-ssh
+++ b/data/hooks/conf_regen/03-ssh
@ -28,6 +28,7 @@ do_pre_regen() {

    export ssh_keys
    export ipv6_enabled
+    export sftp_secure
    ynh_render_template "sshd_config" "${pending_dir}/etc/ssh/sshd_config"
 }

--- a/data/templates/ssh/sshd_config
+++ b/data/templates/ssh/sshd_config
@ -64,21 +64,33 @@ PrintLastLog yes
 ClientAliveInterval 60
 AcceptEnv LANG LC_*

+# Disallow user without ssh or sftp permissions
+AllowGroups ssh.main sftp.main admins root
+
+# Allow users to create tunnels or forwarding
+AllowTcpForwarding yes
+AllowStreamLocalForwarding yes
+PermitTunnel yes
+PermitUserRC yes
+
 # SFTP stuff
 Subsystem sftp internal-sftp

-# Forbid users from using their account SSH as a VPN (even if SSH login is disabled)
+# Apply following instructions to user with sftp perm only
+Match Group sftp.main,!ssh.main
+ForceCommand internal-sftp
+# We currently are not able to restrict /home/USER
+# So we chroot only on /home
+# See https://serverfault.com/questions/584986/bad-ownership-or-modes-for-chroot-directory-component
+#ChrootDirectory /home/%u
+ChrootDirectory /home
+# Forbid SFTP users from using their account SSH as a VPN (even if SSH login is disabled)
 AllowTcpForwarding no
 AllowStreamLocalForwarding no
-
+PermitTunnel no
 # Disable .ssh/rc, which could be edited (e.g. from Nextcloud or whatever) by users to execute arbitrary commands even if SSH login is disabled
 PermitUserRC no

-Match User admin,root
-    AllowTcpForwarding yes
-    AllowStreamLocalForwarding yes
-    PermitUserRC yes
-

 # root login is allowed on local networks
 # It's meant to be a backup solution in case LDAP is down and
--- a/locales/en.json
+++ b/locales/en.json
@ -585,6 +585,8 @@
    "service_unknown": "Unknown service '{service:s}'",
    "show_tile_cant_be_enabled_for_url_not_defined": "You cannot enable 'show_tile' right now, because you must first define an URL for the permission '{permission}'",
    "show_tile_cant_be_enabled_for_regex": "You cannot enable 'show_tile' right no, because the URL for the permission '{permission}' is a regex",
+    "sftp_permission_already_disabled": "SFTP permission already disabled",
+    "sftp_permission_already_enabled": "SFTP permission already enabled",
    "ssowat_conf_generated": "SSOwat configuration regenerated",
    "ssowat_conf_updated": "SSOwat configuration updated",
    "system_upgraded": "System upgraded",
--- a/src/yunohost/ssh.py
+++ b/src/yunohost/ssh.py
@ -6,10 +6,13 @@ import pwd
 import subprocess

 from yunohost.utils.error import YunohostError
+from moulinette import m18n
+from moulinette.utils.log import getActionLogger
 from moulinette.utils.filesystem import read_file, write_to_file, chown, chmod, mkdir

 SSHD_CONFIG_PATH = "/etc/ssh/sshd_config"

+logger = getActionLogger('yunohost.user')

 def user_ssh_allow(username):
    """
@ -147,6 +150,31 @@ def user_ssh_remove_key(username, key):

    write_to_file(authorized_keys_file, authorized_keys_content)

+
+def user_ssh_enable_permission(auth):
+    """
+    Enable the permission for sftp. When disabled all user are allowed to access by sftp.
+
+    """
+    from permission import permission_add, user_permission_list
+
+    if user_permission_list(auth, app="sftp", permission="main")['permissions']:
+        logger.warning(m18n.n('sftp_permission_already_enabled'))
+    else:
+        permission_add(auth, "sftp", "main")
+
+def user_ssh_disable_permission(auth):
+    """
+    Diable the permission for sftp. When disabled all user are allowed to access by sftp.
+
+    """
+    from permission import permission_remove, user_permission_list
+
+    if user_permission_list(auth, app="sftp", permission="main")['permissions']:
+        permission_remove(auth, "sftp", "main", force=True)
+    else:
+        logger.warning(m18n.n('sftp_permission_already_disabled'))
+
 #
 # Helpers
 #
--- a/src/yunohost/user.py
+++ b/src/yunohost/user.py
@ -816,6 +816,12 @@ def user_ssh_add_key(username, key, comment):
 def user_ssh_remove_key(username, key):
    return yunohost.ssh.user_ssh_remove_key(username, key)

+def user_ssh_enable_permission(auth):
+    return yunohost.ssh.user_ssh_enable_permission(auth)
+
+def user_ssh_disable_permission(auth):
+    return yunohost.ssh.user_ssh_disable_permission(auth)
+
 #
 # End SSH subcategory
 #