====== FTP service configuration ======

===== Process overview =====

SFTP logins are **only** accepted on the ftpserver, which in turn creates a temporary ssh fuse (sshfs) connection to the target server for the user. This also only allows access to the user's directory and not to any other locations.

Access from the internet is via ftps.irax.com (185.70.9.229) using port 22. Any connection to this address on port 22 is forwarded to the ftpserver on 192.168.10.16 port 2222.

The user ftpconnect needs to exist on the target host for the sshfs connection, with the associated keys held in .ssh/authorized_keys.

The sftp server is also open to the internet and attracts unwanted traffic. There are two methods of managing this: the external pfsense firewall has a block list rule where we can add particularly troubling IP addresses, and the server also has fail2ban installed to operate on port 2222.

===== SFTP server 192.168.10.16 configuration =====

==== A. SFTP users (the logins to be used by the users of the ftp service) ====

=== User overview ===

Only available to users having a radius login. At login PAM calls the script /etc/ftpusers/map.sh (see section 5). This script uses the users.conf file, where we map the drive to be mounted on a target host.

In order to achieve this we need to configure the following:

  - SSH user configuration: a local ssh user with its home directory in a particular location
  - SSHD configuration for the SSH user in /etc/ssh/sshd_config.d
  - Scripted user creation
  - User configuration for mounting the sshfs drive
  - PAM modifications and pam_radius auth

=== 1. SSH user configuration ===

**Preliminary conditions.** There should be a directory named /home/ftpusers owned by root.

**Create the sftp user as follows** (''$1'' is the username):

<code bash>
useradd -m -s /usr/sbin/nologin -d /home/ftpusers/$1 $1
mkdir /home/ftpusers/$1/home
chown root:root /home/ftpusers/$1/ -R
chmod 755 /home/ftpusers/$1/
chmod 777 /home/ftpusers/$1/home
</code>

The chroot directory /home/ftpusers/$1 must stay owned by root and not be group- or world-writable, otherwise sshd refuses the ChrootDirectory; the home subdirectory is the only writable location inside the chroot.

=== 2. SSHD configuration ===

**Preliminary conditions.**
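The following is an added example, not the site's own newftpuser.sh: it renders the user-creation commands from section 1 and the per-user Match block described in section 2 for one login, after checking the username, because that name is interpolated into paths, sshd configuration and shell commands. It assumes the chroot root /home/ftpusers/<name>, that useradd creates a group of the same name (Ubuntu default) so ''Match Group'' applies to that user, and a dry-run mode unless FTPUSERS_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not the site's newftpuser.sh): generate the section 1 user
# commands and the section 2 per-user Match block for one sftp login.
# Assumptions: chroot root is /home/ftpusers/<name>; useradd creates a
# same-named primary group, which the Match Group line relies on.

FTPUSERS_ROOT=/home/ftpusers
SSHD_CONFD=/etc/ssh/sshd_config.d

# The name ends up in paths, sshd config and commands, so accept only a
# conservative alphabet: lowercase, digits, . _ -, leading letter or _, <= 32.
valid_ftp_username() {
  case "$1" in
    '' | *[!a-z0-9._-]* | [!a-z_]* ) return 1 ;;
  esac
  [ "${#1}" -le 32 ]
}

# Commands from section 1 for one user, printed so they can be reviewed.
render_user_commands() {
  n=$1
  printf 'useradd -m -s /usr/sbin/nologin -d %s/%s %s\n' "$FTPUSERS_ROOT" "$n" "$n"
  printf 'mkdir %s/%s/home\n' "$FTPUSERS_ROOT" "$n"
  printf 'chown root:root %s/%s/ -R\n' "$FTPUSERS_ROOT" "$n"
  printf 'chmod 755 %s/%s/\n' "$FTPUSERS_ROOT" "$n"
  printf 'chmod 777 %s/%s/home\n' "$FTPUSERS_ROOT" "$n"
}

# Per-user sshd_config.d snippet from section 2.
render_match_block() {
  n=$1
  printf 'Match Group %s\n' "$n"
  printf '    X11Forwarding no\n'
  printf '    AllowTcpForwarding no\n'
  printf '    ChrootDirectory %s/%s\n' "$FTPUSERS_ROOT" "$n"
  printf '    ForceCommand internal-sftp\n'
}

# Validate the name, then either print everything (dry run) or, with
# FTPUSERS_APPLY=1 and root privileges, run the commands, install the
# snippet and verify the sshd configuration before reloading it.
newftpuser() {
  n=$1
  if ! valid_ftp_username "$n"; then
    printf 'rejected username: %s\n' "$n" >&2
    return 1
  fi
  if [ "${FTPUSERS_APPLY:-0}" = 1 ]; then
    render_user_commands "$n" | sh -e
    render_match_block "$n" > "$SSHD_CONFD/$n.conf"
    # never leave a config behind that sshd will not start with
    sshd -t || { rm -f "$SSHD_CONFD/$n.conf"; return 1; }
    systemctl reload ssh
  else
    render_user_commands "$n"
    printf '# %s/%s.conf:\n' "$SSHD_CONFD" "$n"
    render_match_block "$n"
  fi
}
```

Run as ''./newftpuser.sh foobar'' to see what would be done, and with ''FTPUSERS_APPLY=1'' to apply it; the mapping in users.conf (section 4) still has to be added by hand afterwards, as the page notes.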
/etc/ssh/sshd_config should have the following instruction:

<code>
Subsystem sftp internal-sftp
</code>

This config file should also be able to load .conf files from /etc/ssh/sshd_config.d (the ''Include /etc/ssh/sshd_config.d/*.conf'' line that Ubuntu ships by default).

**Chroot config for ftp users**

A file named <username>.conf containing the following should be created for each user in /etc/ssh/sshd_config.d:

<code>
Match Group <username>
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /home/ftpusers/<username>
    ForceCommand internal-sftp
</code>

=== 3. Scripted user creation ===

Scripts exist for enabling sections 1 and 2 to be done more efficiently. Scripts are located in /etc/ftpusers:

^ Script ^ Description ^ Usage ^
| newftpuser.sh | Add new user | ''./newftpuser.sh foobar'' |
| delftpuser.sh | Delete a user | ''./delftpuser.sh foobar'' |
| map.sh | Mapping sftp drives per user, called by pam sshd at login | |
| users.conf | User mapping configuration, must be manually edited after user is created | |
| sftp.log | Log of connections | ''tail -f sftp.log'' |
| mountme.sh | Use for testing mounts | ''./mountme.sh'' |

=== 4. User configuration for mounting the sshfs drive ===

/etc/ftpusers/map.sh, called by PAM, is the bash script that creates the sshfs mount to the target host for a given user. The mappings the script uses are configured per user in users.conf:

<code ini>
[<name>]
user = <user>
path = a_folder/another/folder
host = <host>
</code>

Note: the path is actually /home/<user>/a_folder/another/folder, as per the Irax standard for web sites (perhaps we could change this in map.sh so that /home/<user>/ was not prepended).

Eg:

<code ini>
[iw-ian]
user = iw-ian
path = http-sites/ecoco/
host = 192.168.10.10
</code>

//**Note 2: Perhaps this could be modified to load config files from a subdirectory. It would be easier to set up a default to be automatically added in newftpuser.sh.**//

=== 5. PAM modifications and pam_radius auth ===

**/etc/pam.d/sshd configuration**

We are concerned with the sshd login, so edit /etc/pam.d/sshd. The following is the current configuration for Ubuntu 24.04 LTS. Key additions to the standard sshd file are:

<code>
auth sufficient pam_radius_auth.so
</code>

and

<code>
session optional pam_exec.so /etc/ftpusers/map.sh
</code>

The complete file:

<code>
# PAM configuration for the Secure Shell service

auth sufficient pam_radius_auth.so

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# Set the loginuid process attribute.
session    required     pam_loginuid.so

# Create a new session keyring.
session    optional     pam_keyinit.so force revoke

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional     pam_motd.so  motd=/run/motd.dynamic
session    optional     pam_motd.so noupdate

session    optional     pam_exec.so /etc/ftpusers/map.sh

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale

# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

# Standard Un*x password updating.
@include common-password
</code>

==== B. ftpconnect user ====

  * There needs to be a user on the target machine that can be used for the ssh connections with the ssh keys.
  * sshfs relies on the user also having the same GID and UID.
  * GID and UID may be set retrospectively using ''usermod -u 2000 ftpconnect; groupmod -g 2000 ftpconnect''
  * Or by assigning them at user creation: ''useradd -U -u 2000 -m -s /bin/bash ftpconnect''
  * The keys should be located in the usual place, i.e. /home/ftpconnect/.ssh/authorized_keys. With sshd's default StrictModes, the home directory and .ssh must not be group- or world-writable and authorized_keys must be owned by ftpconnect, or the key will be ignored.

Ian Warburton, 8th Nov 2024
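As an added example covering sections 4 and 5 together (it is not the site's /etc/ftpusers/map.sh), here is a pam_exec session hook that reads users.conf and mounts the sshfs drive on open_session and unmounts it on close_session. pam_exec exports PAM_USER, PAM_TYPE and PAM_RHOST to the script it runs. Assumed, not stated on the page: the remote directory is /home/<user>/<path> (from the "/home/" prefix note), the mount point is the chrooted user's writable home directory, the connecting account is ftpconnect, and ''CONNECT_KEY'' is a placeholder for wherever the private key lives on the ftpserver. The users.conf at the end is a constructed sample so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not the site's /etc/ftpusers/map.sh: a pam_exec session hook
# that reads users.conf (section 4) and mounts/unmounts the sshfs drive.
# Assumptions: remote path is /home/<user>/<path>; mount point is the chroot
# user's writable home; CONNECT_KEY is a placeholder key location.

USERS_CONF=/etc/ftpusers/users.conf
LOG=/etc/ftpusers/sftp.log
CONNECT_USER=ftpconnect
CONNECT_KEY=/root/.ssh/ftpconnect_key   # placeholder, not from the page

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >> "$LOG"; }

# conf_get FILE SECTION KEY: value of "KEY = value" inside "[SECTION]".
conf_get() {
  awk -v s="[$2]" -v k="$3" '
    $0 == s { in_s = 1; next }
    /^\[/   { in_s = 0 }
    in_s && $1 == k && $2 == "=" { print $3; exit }
  ' "$1"
}

# Every field ends up on an sshfs command line, so each one is checked
# against a narrow alphabet, and a relative path may not climb out of
# /home/<user> with "..".
valid_name()     { case "$1" in '' | *[!a-z0-9._-]* | [!a-z_]*) return 1 ;; esac; }
valid_host()     { case "$1" in '' | *[!A-Za-z0-9.-]*) return 1 ;; esac; }
valid_rel_path() {
  case "$1" in '' | /* | *[!A-Za-z0-9._/-]*) return 1 ;; esac
  case "/$1/" in */../*) return 1 ;; esac
}

mount_point() { printf '/home/ftpusers/%s/home\n' "$1"; }

# build_sshfs_cmd USER CONF: print the sshfs command for USER, or fail.
build_sshfs_cmd() {
  u=$1; conf=$2
  valid_name "$u" || { echo "bad user name" >&2; return 1; }
  ruser=$(conf_get "$conf" "$u" user)
  rpath=$(conf_get "$conf" "$u" path)
  rhost=$(conf_get "$conf" "$u" host)
  if [ -z "$ruser" ] || [ -z "$rpath" ] || [ -z "$rhost" ]; then
    echo "no mapping for $u" >&2; return 1
  fi
  valid_name "$ruser" && valid_rel_path "$rpath" && valid_host "$rhost" ||
    { echo "bad mapping for $u" >&2; return 1; }
  printf 'sshfs %s@%s:/home/%s/%s %s -o IdentityFile=%s,allow_other,reconnect,StrictHostKeyChecking=yes\n' \
    "$CONNECT_USER" "$rhost" "$ruser" "$rpath" "$(mount_point "$u")" "$CONNECT_KEY"
}

# Session hook: mount on open_session, unmount on close_session. Always
# return 0 so a mapping problem is logged instead of disturbing the login.
map_session() {
  mp=$(mount_point "$PAM_USER")
  case "${PAM_TYPE:-}" in
    open_session)
      if mountpoint -q "$mp"; then
        log "already mounted for $PAM_USER"      # second concurrent session
      elif cmd=$(build_sshfs_cmd "$PAM_USER" "$USERS_CONF"); then
        # all fields were validated, so plain word splitting is safe here
        if $cmd; then log "mounted $PAM_USER from ${PAM_RHOST:-?}"
        else log "mount failed for $PAM_USER"; fi
      else
        log "no valid mapping for $PAM_USER"
      fi ;;
    close_session)
      fusermount -u "$mp" 2>/dev/null && log "unmounted $PAM_USER" ;;
  esac
  return 0
}

# Constructed sample users.conf so the parser can be exercised offline.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample of /etc/ftpusers/users.conf
[iw-ian]
user = iw-ian
path = http-sites/ecoco/
host = 192.168.10.10

[badpath]
user = badpath
path = ../../etc
host = 192.168.10.10
EOF

# When run by pam_exec, PAM_TYPE is set and the hook does its work.
if [ -n "${PAM_TYPE:-}" ]; then map_session; fi
```

The close_session branch unmounts as soon as any one of the user's sessions ends; if the same login is expected to hold several concurrent sessions, the hook needs a session count before unmounting. The sshfs options other than ''IdentityFile'' are ordinary sshfs/ssh options chosen for this example, not taken from the page.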