- syscp + ssh
- restricting the shell
- mysql permissions
- pam
- which vservers?
- options
- testing
syscp + ssh
How to use libnss-mysql to allow ssh/sftp logins against the ftp_users table in syscp. Note that the customer (panel) login is not the same thing as the ftp user login; the two may differ.
# apt-get install libnss-mysql-bg
/etc/libnss-mysql.cfg:
getpwnam SELECT username,'x',uid,gid,username,homedir,'/bin/bash' FROM ftp_users WHERE username='%1$s' LIMIT 1
getpwuid SELECT username,'x',uid,gid,username,homedir,'/bin/bash' FROM ftp_users WHERE uid='%1$u' LIMIT 1
getspnam SELECT username,password,'12345','0','99999','7','','','' FROM ftp_users WHERE username='%1$s' LIMIT 1
getpwent SELECT username,'x',uid,gid,username,homedir,'/bin/bash' FROM ftp_users
getspent SELECT username,password,'12345','0','99999','7','','','' FROM ftp_users
getgrnam SELECT groupname,'x',gid FROM ftp_groups WHERE groupname='%1$s' LIMIT 1
getgrgid SELECT groupname,'x',gid FROM ftp_groups WHERE gid='%1$u' LIMIT 1
getgrent SELECT groupname,'x',gid FROM ftp_groups
# this allows each user to be in their group and www-data to be in all groups.
gidsbymem SELECT gid FROM ftp_users WHERE username='%1$s' OR 'www-data'='%1$s'
memsbygid SELECT username FROM ftp_users WHERE gid='%1$u' OR gid='33'
host mysql
database syscp
username nss
#password xxx (not needed)
timeout 3
compress 0
For the trick to work where www-data is part of every group, there must be an extra row added to ftp_users: username=www-data, uid=33, gid=33 (the uid/gid Debian assigns to www-data).
This file must be readable only by root, since it carries the credentials used for the shadow lookups:
/etc/libnss-mysql-root.cfg:
username << user with privileged read access >>
password << password >>
The privileged user needs SELECT on the password column of ftp_users, which the nss user in the mysql permissions section deliberately does not get.
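A mistake in one of these queries (a wrong column count, a stray comma, or a real password hash in the passwd query where getent would expose it to every local user) usually surfaces only as a silent lookup failure. The following checker is an added example, not part of this page's setup or of libnss-mysql itself: it parses the query lines of a libnss-mysql.cfg and compares each SELECT list against the number of fields libnss-mysql fills (7 for struct passwd, 9 for struct spwd, 3 for struct group, 1 for the membership lookups). The SAMPLE_CFG text is a constructed copy of the queries used here with a double comma planted in getspent, the kind of slip it is meant to catch.

```python
import re

# Columns each libnss-mysql query must return: struct passwd has 7 fields,
# struct spwd 9, struct group 3, and the two membership lookups return 1.
EXPECTED_COLUMNS = {
    "getpwnam": 7, "getpwuid": 7, "getpwent": 7,
    "getspnam": 9, "getspent": 9,
    "getgrnam": 3, "getgrgid": 3, "getgrent": 3,
    "gidsbymem": 1, "memsbygid": 1,
}

# Constructed sample (not read from disk): the query lines of the cfg on this
# page, with a stray double comma planted in getspent.
SAMPLE_CFG = """\
getpwnam SELECT username,'x',uid,gid,username,homedir,'/bin/bash' FROM ftp_users WHERE username='%1$s' LIMIT 1
getpwuid SELECT username,'x',uid,gid,username,homedir,'/bin/bash' FROM ftp_users WHERE uid='%1$u' LIMIT 1
getspnam SELECT username,password,'12345','0','99999','7','','','' FROM ftp_users WHERE username='%1$s' LIMIT 1
getpwent SELECT username,'x',uid,gid,username,homedir,'/bin/bash' FROM ftp_users
getspent SELECT username,password,,'12345','0','99999','7','','','' FROM ftp_users
getgrnam SELECT groupname,'x',gid FROM ftp_groups WHERE groupname='%1$s' LIMIT 1
getgrgid SELECT groupname,'x',gid FROM ftp_groups WHERE gid='%1$u' LIMIT 1
getgrent SELECT groupname,'x',gid FROM ftp_groups
# this allows each user to be in their group and www-data to be in all groups.
gidsbymem SELECT gid FROM ftp_users WHERE username='%1$s' OR 'www-data'='%1$s'
memsbygid SELECT username FROM ftp_users WHERE gid='%1$u' OR gid='33'
host mysql
database syscp
username nss
"""


def select_columns(sql):
    """Split the SELECT list of a query into its columns, honouring single quotes."""
    m = re.match(r"\s*SELECT\s+(.*?)\s+FROM\s", sql, re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("not a SELECT ... FROM query: %r" % sql)
    cols, cur, quoted = [], "", False
    for ch in m.group(1):
        if ch == "'":
            quoted = not quoted
            cur += ch
        elif ch == "," and not quoted:
            cols.append(cur.strip())
            cur = ""
        else:
            cur += ch
    cols.append(cur.strip())
    return cols


def lint_cfg(text):
    """Return a list of (key, problem) tuples for the query lines of a libnss-mysql.cfg."""
    problems = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key not in EXPECTED_COLUMNS:
            continue  # host, database, username, ... are settings, not queries
        cols = select_columns(value)
        want = EXPECTED_COLUMNS[key]
        if len(cols) != want:
            problems.append((key, "returns %d columns, libnss-mysql expects %d" % (len(cols), want)))
        if "" in cols:
            problems.append((key, "empty column (stray comma) in SELECT list"))
        # The passwd table is readable by everyone through getent, so the
        # second field must be the 'x' placeholder; the hash belongs in getsp* only.
        if key.startswith("getpw") and len(cols) > 1 and cols[1] != "'x'":
            problems.append((key, "second column should be the placeholder 'x', not %s" % cols[1]))
    return problems


if __name__ == "__main__":
    for key, problem in lint_cfg(SAMPLE_CFG):
        print("%s: %s" % (key, problem))
```

Run it against the real file with lint_cfg(open("/etc/libnss-mysql.cfg").read()) before restarting sshd; an empty list means every query returns the field count the library expects and no passwd query leaks a hash.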
/etc/nsswitch.conf:
passwd: files mysql
group: files mysql
shadow: files mysql
/etc/ssh/sshd_config:
UsePrivilegeSeparation no
It doesn't work without this; I have no idea why, and could find no info on this on the web. Note that disabling privilege separation removes the sandboxing sshd applies to its pre-authentication code, so weigh that before applying it on an exposed host.
restricting the shell
To make it so that sftp works but there is no login shell, or only a limited login shell, replace the '/bin/bash' in the getpwnam, getpwuid and getpwent queries of libnss-mysql.cfg with one of the following:
- /usr/bin/scponly
- /usr/bin/rssh
- /usr/lib/sftp-server
They are all slightly different. The login session can be chrooted; check the docs of the scponly and rssh packages.
mysql permissions
These permissions allow the user nss@% to connect and query the database for those things which are usually public in the /etc/passwd file. The password column is deliberately left out: only the privileged user from libnss-mysql-root.cfg may read it. If the database is reachable from more than the vservers that need it, narrow the host part of 'nss'@'%' to those hosts.
GRANT USAGE ON *.* TO 'nss'@'%' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0;
GRANT USAGE, SELECT (`gid`, `homedir`, `id`, `shell`, `uid`, `username`) ON `syscp`.`ftp_users` TO 'nss'@'%';
GRANT USAGE, SELECT (`gid`, `groupname`) ON `syscp`.`ftp_groups` TO 'nss'@'%';
pam
I couldn't get this working with /etc/pam.d/ssh. If you remove ssh and replace it with /etc/pam.d/login, then it should work. Anyone know why?
which vservers?
Primarily, this just needs to be done from within the apache vserver. That is where people ssh to and edit their files. Additionally, I have set this up for the admin vserver with the shell set to /bin/false, so that the CMS install scripts will be able to set the correct ownership of files.
options
If you want to make www-data part of every group, and every user part of the www-data group, the config might look like this:
gidsbymem SELECT gid FROM ftp_users WHERE username='%1$s' OR username='www-data' OR 'www-data'='%1$s'
memsbygid SELECT username FROM ftp_users WHERE gid='%1$u' OR gid='33' OR '33'='%1$u'
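The two membership queries are easy to get subtly wrong, and the effect only shows up in what `groups` and `getent group` report. The following is an added example, not part of this page or of libnss-mysql: it loads a constructed ftp_users table (two customers, a sub-account sharing a customer's gid, and the extra www-data row with uid/gid 33) into an in-memory sqlite3 database, substitutes the %1$s / %1$u placeholder by plain text replacement (a simplification of what the library does), and evaluates both the basic gidsbymem/memsbygid pair from the first section and the variant above. The row values, table columns and customer names are assumptions for the demonstration.

```python
import sqlite3

# Constructed ftp_users rows: two syscp customers, one sub-account sharing
# web1's gid, plus the extra www-data row (uid 33, gid 33) the trick requires.
SAMPLE_USERS = [
    ("web1", 10001, 10001, "/var/customers/webs/web1"),
    ("web1sub", 10002, 10001, "/var/customers/webs/web1/sub"),
    ("web2", 10003, 10003, "/var/customers/webs/web2"),
    ("www-data", 33, 33, "/var/www"),
]

# Basic pair: each user is in its own group, www-data is in every group.
BASIC = {
    "gidsbymem": "SELECT gid FROM ftp_users WHERE username='%1$s' OR 'www-data'='%1$s'",
    "memsbygid": "SELECT username FROM ftp_users WHERE gid='%1$u' OR gid='33'",
}
# Options variant: additionally every user is a member of www-data's group.
BOTH_WAYS = {
    "gidsbymem": "SELECT gid FROM ftp_users WHERE username='%1$s' OR username='www-data' OR 'www-data'='%1$s'",
    "memsbygid": "SELECT username FROM ftp_users WHERE gid='%1$u' OR gid='33' OR '33'='%1$u'",
}


def open_db(rows=SAMPLE_USERS):
    """In-memory stand-in for the syscp database with the columns the queries use."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ftp_users (username TEXT, uid INTEGER, gid INTEGER, homedir TEXT)")
    db.executemany("INSERT INTO ftp_users VALUES (?,?,?,?)", rows)
    return db


def run(db, query, arg):
    """Fill the %1$s / %1$u placeholder (plain substitution, constructed input only)
    and return the distinct values of the single result column, sorted."""
    sql = query.replace("%1$s", str(arg)).replace("%1$u", str(arg))
    return sorted(set(row[0] for row in db.execute(sql)))


def groups_of(db, cfg, username):
    """The gids `groups username` would show: the gidsbymem result."""
    return run(db, cfg["gidsbymem"], username)


def members_of(db, cfg, gid):
    """The members `getent group` would list for a gid: the memsbygid result."""
    return run(db, cfg["memsbygid"], gid)


if __name__ == "__main__":
    db = open_db()
    for name, cfg in (("basic", BASIC), ("both ways", BOTH_WAYS)):
        print(name)
        for user in ("web1", "www-data"):
            print("  groups of %-9s %s" % (user, groups_of(db, cfg, user)))
        for gid in (10001, 33):
            print("  members of %-6d %s" % (gid, members_of(db, cfg, gid)))
    # Without the extra www-data row, www-data silently drops out of every group list.
    without = open_db([r for r in SAMPLE_USERS if r[0] != "www-data"])
    print("members of 10001 without the www-data row:", members_of(without, BASIC, 10001))
```

With the basic pair, web1 sees only gid 10001 while www-data appears in every group; with the variant, web1 additionally gets gid 33 and gid 33 lists every user. Dropping the www-data row shows why that row is required: memsbygid can only return usernames that exist in ftp_users.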
testing
Look in /var/log/users.log and run the groups command. getent passwd <username> and getent group <groupname> show whether the NSS lookups succeed at all before you try an actual ssh login.