Add possibility to restrict the user allowed to access by sftp

data/actionsmap/yunohost.yml

@@ -408,6 +408,21 @@ user:
                         key:
                             help: The key to be removed
 
+                ### user_ssh_enable_permission()
+                enable-permission:
+                    action_help: Enable sftp permission
+                    api: POST /users/ssh/sftp/enable
+                    configuration:
+                        authenticate: all
+                        authenticator: as-root
+
+                ### user_ssh_disable_permission()
+                disable-permission:
+                    action_help: Disable sftp permission
+                    api: POST /users/ssh/sftp/disable
+                    configuration:
+                        authenticate: all
+                        authenticator: as-root
 
 #############################
 #          Domain           #

data/hooks/conf_regen/03-ssh

@@ -28,6 +28,7 @@ do_pre_regen() {
 
     export ssh_keys
     export ipv6_enabled
+    export sftp_secure
     ynh_render_template "sshd_config" "${pending_dir}/etc/ssh/sshd_config"
 }
 

data/templates/ssh/sshd_config

@@ -64,21 +64,33 @@ PrintLastLog yes
 ClientAliveInterval 60
 AcceptEnv LANG LC_*
 
+# Disallow user without ssh or sftp permissions
+AllowGroups ssh.main sftp.main admins root
+
+# Allow users to create tunnels or forwarding
+AllowTcpForwarding yes
+AllowStreamLocalForwarding yes
+PermitTunnel yes
+PermitUserRC yes
+
 # SFTP stuff
 Subsystem sftp internal-sftp
 
-# Forbid users from using their account SSH as a VPN (even if SSH login is disabled)
+# Apply following instructions to user with sftp perm only
+Match Group sftp.main,!ssh.main
+ForceCommand internal-sftp
+# We currently are not able to restrict /home/USER
+# So we chroot only on /home
+# See https://serverfault.com/questions/584986/bad-ownership-or-modes-for-chroot-directory-component
+#ChrootDirectory /home/%u
+ChrootDirectory /home
+# Forbid SFTP users from using their account SSH as a VPN (even if SSH login is disabled)
 AllowTcpForwarding no
 AllowStreamLocalForwarding no
-
+PermitTunnel no
 # Disable .ssh/rc, which could be edited (e.g. from Nextcloud or whatever) by users to execute arbitrary commands even if SSH login is disabled
 PermitUserRC no
 
-Match User admin,root
-    AllowTcpForwarding yes
-    AllowStreamLocalForwarding yes
-    PermitUserRC yes
-
 
 # root login is allowed on local networks
 # It's meant to be a backup solution in case LDAP is down and

locales/en.json

@@ -585,6 +585,8 @@
     "service_unknown": "Unknown service '{service:s}'",
     "show_tile_cant_be_enabled_for_url_not_defined": "You cannot enable 'show_tile' right now, because you must first define an URL for the permission '{permission}'",
     "show_tile_cant_be_enabled_for_regex": "You cannot enable 'show_tile' right no, because the URL for the permission '{permission}' is a regex",
+    "sftp_permission_already_disabled": "SFTP permission already disabled",
+    "sftp_permission_already_enabled": "SFTP permission already enabled",
     "ssowat_conf_generated": "SSOwat configuration regenerated",
     "ssowat_conf_updated": "SSOwat configuration updated",
     "system_upgraded": "System upgraded",

src/yunohost/ssh.py

@@ -6,10 +6,13 @@ import pwd
 import subprocess
 
 from yunohost.utils.error import YunohostError
+from moulinette import m18n
+from moulinette.utils.log import getActionLogger
 from moulinette.utils.filesystem import read_file, write_to_file, chown, chmod, mkdir
 
 SSHD_CONFIG_PATH = "/etc/ssh/sshd_config"
 
+logger = getActionLogger('yunohost.user')
 
 def user_ssh_allow(username):
     """
@@ -147,6 +150,31 @@ def user_ssh_remove_key(username, key):
 
     write_to_file(authorized_keys_file, authorized_keys_content)
 
+
+def user_ssh_enable_permission(auth):
+    """
+    Enable the permission for sftp. When disabled all user are allowed to access by sftp.
+
+    """
+    from permission import permission_add, user_permission_list
+
+    if user_permission_list(auth, app="sftp", permission="main")['permissions']:
+        logger.warning(m18n.n('sftp_permission_already_enabled'))
+    else:
+        permission_add(auth, "sftp", "main")
+
+def user_ssh_disable_permission(auth):
+    """
+    Diable the permission for sftp. When disabled all user are allowed to access by sftp.
+
+    """
+    from permission import permission_remove, user_permission_list
+
+    if user_permission_list(auth, app="sftp", permission="main")['permissions']:
+        permission_remove(auth, "sftp", "main", force=True)
+    else:
+        logger.warning(m18n.n('sftp_permission_already_disabled'))
+
 #
 # Helpers
 #

src/yunohost/user.py

@@ -816,6 +816,12 @@ def user_ssh_add_key(username, key, comment):
 def user_ssh_remove_key(username, key):
     return yunohost.ssh.user_ssh_remove_key(username, key)
 
+def user_ssh_enable_permission(auth):
+    return yunohost.ssh.user_ssh_enable_permission(auth)
+
+def user_ssh_disable_permission(auth):
+    return yunohost.ssh.user_ssh_disable_permission(auth)
+
 #
 # End SSH subcategory
 #