Merge pull request #4 from yakworks/user-data-mounts

User data mounts

Author: basejump

.gitignore

@@ -0,0 +1 @@
+keys

README.md

@@ -1,5 +1,7 @@
 # SFTP
 
+**Forked from atmoz to make it easier to setup on kubernetes. also add fail2ban. merges in PRs to fix a number of issues**
+
 ![Docker Automated build](https://img.shields.io/docker/automated/atmoz/sftp.svg) ![Docker Build Status](https://img.shields.io/docker/build/atmoz/sftp.svg) ![Docker Stars](https://img.shields.io/docker/stars/atmoz/sftp.svg) ![Docker Pulls](https://img.shields.io/docker/pulls/atmoz/sftp.svg)
 
 ![OpenSSH logo](https://raw.githubusercontent.com/atmoz/sftp/master/openssh.png "Powered by OpenSSH")
@@ -35,6 +37,8 @@ This is an automated build linked with the [debian](https://hub.docker.com/_/deb
 
 # Examples
 
+to run the example in this project `./examples/docker-run.sh`
+
 ## Simplest docker run example
 
 ```

examples/dock-run.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# run this from the root project
+
+# docker build -t yakworks/sftp .
+
+docker run --name sftp --rm --cap-add=SYS_ADMIN -p 30022:22 \
+  -v $(pwd)/examples/users.conf:/etc/sftp/users.conf \
+  -v $(pwd)/examples/sftp-data:/sftp-data \
+  yakworks/sftp

examples/sftp-data/test.txt

@@ -0,0 +1 @@
+test file

examples/users.conf

@@ -0,0 +1,6 @@
+# user:pass:uid:gid  - if gid is 27 is sudo/admin, 100 is user. 
+# admin will get data mounted and user with get data/user/%u mounted
+foo:FuB4r:1001:27
+bar:FuB4r:1002:27
+cust:FuB4r:1003:100
+cust2:FuB4r:1004:100

files/create-sftp-user

@@ -65,6 +65,7 @@ if [ -n "$gid" ]; then
     useraddOptions+=(--gid "$gid")
 fi
 
+log "useradd ${useraddOptions[@]} $user"
 useradd "${useraddOptions[@]}" "$user"
 mkdir -p "/home/$user"
 chown root:root "/home/$user"
@@ -97,9 +98,51 @@ if [ -n "$dir" ]; then
         if [ ! -d "$dirPath" ]; then
             log "Creating directory: $dirPath"
             mkdir -p "$dirPath"
-            chown -R "$uid:users" "$dirPath"
+            chown -R "$uid:$gid" "$dirPath"
         else
             log "Directory already exists: $dirPath"
         fi
     done
 fi
+
+###### MODS for bind mounts #####
+# mount user dir
+dataPath="/sftp-data"
+userDataDir="$dataPath/users/$user"
+homeDataDir="/home/$user/data"
+
+# always create a data dir by default in the users home.
+if [ ! -d "$homeDataDir" ]; then
+    log "- mkdir -p $homeDataDir"
+    mkdir -p "$homeDataDir"
+    chown -R "$uid:$gid" "$homeDataDir"
+fi
+#mod user so the data dir is their home
+usermod -d /data "$user"
+
+if [ -d "$dataPath" ]; then
+    log "- has $dataPath"
+    # for users mount the data/users/%u directory
+    if [ "$gid" = "100" ]; then
+        if [ ! -d "$userDataDir" ]; then
+            log "- mkdir -p $userDataDir"
+            mkdir -p "$userDataDir"
+        fi
+        log "- mount --bind $userDataDir $homeDataDir"
+        # Remember permissions, you may have to fix them:
+        # chown -R :100 "$userDataDir"
+        mount --bind "$userDataDir" "$homeDataDir"
+        #make sure permissions are good on users dir
+        chown -R :100 "$dataPath"
+    fi
+    # for sudo (27) admins mount the data directory
+    if [ "$gid" = "27" ] ; then
+        # chown -R :100 "$userDataDir"
+        mount --bind "$dataPath" "$homeDataDir"
+        #also make sure that they are assigned to the user group
+        usermod -g 100 "$user"
+        usermod -a -G 27 "$user"
+    fi
+    chown -R :100 "$dataPath"
+    chmod -R 775 "$dataPath"
+fi

files/sshd_config

@@ -15,8 +15,12 @@ AllowTcpForwarding no
 
 # Force sftp and chroot jail
 Subsystem sftp internal-sftp
-ForceCommand internal-sftp
-ChrootDirectory %h
+ForceCommand internal-sftp -u 0002 # umask for user|group rwx|rwx permisions 
+
+ChrootDirectory /home/%u
+
+# Match Group users
+#  ChrootDirectory %h
 
 # Enable this for more logs
 #LogLevel VERBOSE

kubernetes/README.md

@@ -0,0 +1,15 @@
+# K8s
+
+Example on how to setup 
+if setting up for prod run `./scripts/keygen.sh` to create new keys and replace whats in secret-host-keys.yml
+
+kubectl create namespace sftp
+kubectl create -f secret-user-conf.yml
+kubectl create -f secret-host-keys.yml
+kubectl create -f sftp-deploy.yml
+
+clean up
+kubectl delete secret sftp-user-conf --namespace=sftp || true
+kubectl delete secret sftp-host-keys --namespace=sftp || true
+kubectl delete service sftp --namespace=sftp || true
+kubectl delete deployment sftp --namespace=sftp || true

kubernetes/secret-host-keys.yml

@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: sftp-host-keys
+  namespace: sftp
+type: Opaque
+stringData:
+  # This is a sample. generate you own keys as these are not secure and are now public
+  # scripts/keygen.sh can make new keys, keep them private and safe
+  ssh_host_ed25519_key: |
+    -----BEGIN OPENSSH PRIVATE KEY-----
+    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+    QyNTUxOQAAACDB5Z284hLtSd55Pul4d41HsRJOY+LIYyMlc0pvHiBpNQAAAJhiND1WYjQ9
+    VgAAAAtzc2gtZWQyNTUxOQAAACDB5Z284hLtSd55Pul4d41HsRJOY+LIYyMlc0pvHiBpNQ
+    AAAECC+YCk6jbhGK1yK4U5UtrYbsd1/95+wditLavq5ja8lMHlnbziEu1J3nk+6Xh3jUex
+    Ek5j4shjIyVzSm8eIGk1AAAAEXJvb3RAYzUxZWM2YTExYTkzAQIDBA==
+    -----END OPENSSH PRIVATE KEY-----
+  ssh_host_ed25519_key.pub: |
+    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMHlnbziEu1J3nk+6Xh3jUexEk5j4shjIyVzSm8eIGk1 root@c51ec6a11a93
+  ssh_host_rsa_key: |
+    -----BEGIN RSA PRIVATE KEY-----
+    MIIJKAIBAAKCAgEArpN+a6Wrs7TCfydsl8AvmqpDUnJOcn88IpDbjFxpXL0mE/ez
+    OzMTsY6Omkr9voeW6IIk5eiepmXl9WiqkBFolUmo87Eg738PPuVNj2yMtZXCAFZB
+    RbuCB01/oBDf8vlYEADq+Ef3GFMDnuBjLSzA1zSxxCLy6qj3VPk0LUtfgkld4PBz
+    382nBV+N1AAlzLEUGXiK6t9cTvypdyKlmIbuMt+VmGCiyYtgghq86KKrHd4jTiwX
+    ztKJqPs5oEB5pkrJ203Y6XJf9L9vGNI9rS5nr9NV1fG886TonLhZVKAQRdPsti6W
+    E/VfX+XxPgLtGo6XD9qoaptk8mbKvfAoPwgAw7yrBk+RTnbiefj2MaBnsgSaBKMl
+    dSLsCPmOenLJSbDOj8s9+ekrFNB5D9hKJJI+qlcoqQ/iT1LGay00if9jGtzTJvT8
+    98t3kNZ5yNswklgBcoF777EHYD+0CBDiULqrso0LBMSuxrLxZkR6xNtmvSkawbkj
+    +W/jUMdbBHetn/zCLMz7V0+4KMvTmDibXEhisRgC3x1M8bi+h+BqRqYTZYL18CFI
+    ufQmsZpsKRpFqBxu7Q2oBvnQXfm3pMHxfEKdHmfgwFySQDsOaca1WnpE9SownC0F
+    tiQRkT2cEcU/7/xKJIJWwUQtwSUUzicF348t6RzjhNS5xrxtNYTRsKlVQ+0CAwEA
+    AQKCAgAvvYH66ilUUYBGyX822IWsJBeY+k1dnlHRmg+QCM1/YPKCz2AiNkuSaMuy
+    ggN2ERpBpyV0AfMwyfji7aaHE1uoR6Z+TdgV5odCye415JduKPAOq4faC/b5DEZ0
+    fWjgxzM/3SBkmTmHW1xIHFDCz9REhdJ/Mpd/eIl6oVOVd2E8/ddAZkEp2NFt9L2S
+    ViAAJAS9GmvS4xYZO5sUS1NBrNSC8QW1z+d0ejsAGVPDwohM+Kxq+j/gfU7L+Te/
+    DSK3SQh+goFpBbAb/CXjgcsACwqr2H1Grn7fmh9KjFdRfxw0HEpFX+QGvTlBvl4E
+    eURh2NCSs1cPIEOwzk9vNber1QJwEPs78CQY9KK2lBY053O0zeckY3BLAvzLukPa
+    bYDlw8xE1MjUBegtwi0wHrLFTwfMQ3MtqkF8hkC+mE90FBjySYCptQ1+7svPnbbC
+    zr6bG6vG3t760PJGxfm9xuRuqbUu+W8oEP2KvOdizlKynUSySNKHaZth66OJtLI9
+    sD8VluIJhMKA7xn5sTt9tFOtCe8CoQ99fk05fVOad5+AbtMKhtk1fungR8QlvKtS
+    p9KflF+QmMT2D4p0mGNXTOc3Sw3sECAaRqIvMRrH0jLm9hQ4sGl03vMeQykxW8r2
+    Cfmv+JifP7wNI3zx5SNx8aTUHDhD2SDF2JnPvBpc2VJeG/RqeQKCAQEA2yQuZ6t+
+    tbTnKnBcRabOmkBEOX4ara30ChnCKPun7Jl5u0dBFQHqEDOvkZEX36hv1zfIBTq1
+    ewQLHu2WXOFzySmcGfj53CIFmkO9Ul/bNn+P7aguw4abPx+jJKKDkr6En2FOdgoU
+    hiVgED8un5yCLmaMznUwV1C+L0/L6pbHyyz1yA0WKbUJ80qRdVU17yO/R1KBLRzR
+    /SQqGJ8LlFdRQqE+LP2aLAFTxK2Mj304s5464Q29ieZ8BssCOI333YIOBMSIoDwl
+    WvMrTJxdW+sO059pTdlkIcgzbADSQcHTSlHoJm2AeVOh94R5zx5PzJl/0WwiBoUK
+    PgCWKRo9gALQmwKCAQEAy/BrIH2qJfi0ct1aM6KEQpzpUGsRZATDgDBJ/tmOKJ/O
+    4kJqkeEuCAVZtQppbtXyHlwbupcMfapdpBab0ospDk5zFz+zI5p5ITVwC2i6pA00
+    YzwW3LB0NSqcDO2lPn9hxVntnPupXp5DFkzixLLlgpAX1RLlOJrz1jzWpAwMTXiG
+    09mh8X2jae5CReWZJDGm/nQbzkRpD0OFlkkaAtuvUj8092qW2/6p5ocOUCSE6DaV
+    xcq6C8ZI3kU6vqk/2xqP+OQh7XeW5no/sP7VDUdvBzPZE3QCYqBgv0olMFzqo7v1
+    gTPjsfB4kRretl5hYPw6McZOXA1dTkHBrFjs+MbyFwKCAQA1kT6WsOEkYbgwM48a
+    p4/RPOxwcVbsJZ2F6o3/nqSJvWp4UQ6jp/gjRb8hAiqnzXCpV0VZoeRC0dY2FTWw
+    NpwrDDTQVIAfQ2HDN9PLkwru43e3TGlB+mFwqLckeWVYNaINo6eeSxCBShmVXxxy
+    f7uCxCafQR4z+dTDk+nwyjLEg5UA9dH5F/v6sLulxtKMRly3fn99G5JpIrH3mskl
+    1cJTWz7rmIJbR2fGp/W4DZASuBcEdGtkjia7Mly0nl98khIDMFeFc65d8RsgewiH
+    M4pISKthEEbdyyZmvDypPkv72tG4swO4pKzu6D8uVeaDyPHpq1kV5ud+CH6sRXHL
+    HOUJAoIBAGBQV9eNYZjzPw1sWpg+LWZkQo/3MMxir43PwHJ6fnfTGVqj8T6Z8Spa
+    lIY6t5Zftiv+Zh4WDhEfL4A6KTci/63BAPu+2rR61LAJU7Qfrt2hWtdu3oE1WHxv
+    dilo5nyAnkUc9moINHH6Hkbe4s3wixHBSXAYr2avT28jZl8tTXYc8NgGVUP+iPmT
+    S3tFNrDwPiS34xXkGxXZVrKmLYGiDMe0ECi1DzAwsj6sE+dnh9k/RjaWSo0bBPjs
+    CxVWS1EH12y9GQTUUNDidUf64dWWoent45wbUrEPewF8W9neV/Yh4400W1mC7v3g
+    icPpCOZL2JP/SqyQpzs5NOVXTfsjwdsCggEBALQ74jyWUyLJroHHegSivuTHVRlT
+    9S2GKH4YItTiy74bLjP1oSY+rIEYrhqiJmJ/Y4z6dve2kPZuLHW2nm92lSo+kg7f
+    f0kap9jcS1DfwmsCiBIaVqcl6/uAUNiAeAbKBkJ0Y5+TpFNyiTT2i0a+idKG+mS5
+    DrW0+fbIL2yJKFlDcZ8Fsgf5ckUFL4y4aLD0I503gp03Co84L2zJTzxjE1I9juer
+    QAp1Gt2IWqad1hhU3cgwLKSjCrAtgTkjPDsm9hcoc6OWASwoz8ax1bg9IUG9ONbA
+    CgVsC+oR7tFu+3X14Uaj92HG7/mtmiJ6vl0SAfeM2G4rRNIGAZhRveAjAgo=
+    -----END RSA PRIVATE KEY-----
+  ssh_host_rsa_key.pub: |
+    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCuk35rpauztMJ/J2yXwC+aqkNSck5yfzwikNuMXGlcvSYT97M7MxOxjo6aSv2+h5bogiTl6J6mZeX1aKqQEWiVSajzsSDvfw8+5U2PbIy1lcIAVkFFu4IHTX+gEN/y+VgQAOr4R/cYUwOe4GMtLMDXNLHEIvLqqPdU+TQtS1+CSV3g8HPfzacFX43UACXMsRQZeIrq31xO/Kl3IqWYhu4y35WYYKLJi2CCGrzooqsd3iNOLBfO0omo+zmgQHmmSsnbTdjpcl/0v28Y0j2tLmev01XV8bzzpOicuFlUoBBF0+y2LpYT9V9f5fE+Au0ajpcP2qhqm2TyZsq98Cg/CADDvKsGT5FOduJ5+PYxoGeyBJoEoyV1IuwI+Y56cslJsM6Pyz356SsU0HkP2Eokkj6qVyipD+JPUsZrLTSJ/2Ma3NMm9Pz3y3eQ1nnI2zCSWAFygXvvsQdgP7QIEOJQuquyjQsExK7GsvFmRHrE22a9KRrBuSP5b+NQx1sEd62f/MIszPtXT7goy9OYOJtcSGKxGALfHUzxuL6H4GpGphNlgvXwIUi59CaxmmwpGkWoHG7tDagG+dBd+bekwfF8Qp0eZ+DAXJJAOw5pxrVaekT1KjCcLQW2JBGRPZwRxT/v/EokglbBRC3BJRTOJwXfjy3pHOOE1LnGvG01hNGwqVVD7Q== root@c51ec6a11a93

kubernetes/secret-user-conf.yml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: sftp-user-conf
+  namespace: sftp
+type: Opaque
+stringData:
+  users.conf: |
+    # user:pass:uid:gid  - if gid is 27 is sudo/admin, 100 is user. 
+    # admin will get data mounted and user with get data/user/%u mounted
+    foo:F**B4r:1001:27
+    bar:F**B4r:1002:27
+    cust:F**B4r:1003:100
+    cust2:F**B4r:1004:100