To be able to log in via ssh (including sftp) on cyber7, a user must now be in a group listed in the AllowGroups line in /etc/ssh/sshd_config. At this writing, these are: root, backup, cszstaff, rssh, sftp, shell.

| group | who | shell (/etc/passwd) | home directory |
| --- | --- | --- | --- |
| root | root | /bin/bash | /root |
| backup | cyber16's root | /bin/bash | /var/backups |
| cszstaff | mmicek, mussatto | /bin/bash, etc. | /home/staff/username |
| rssh | most maintaining users | /usr/bin/rssh | /var/www/client/username |
| sftp | additional site editors | /usr/local/bin/nosh | /var/www/client/muser |
| shell | chrooted shell users | /bin/bash? | /var/www/client/username |
New maintaining users are supposed to be created by mksite.pl, which sets them up as rssh users (see above table). As of this writing, the command mksite.pl uses for initially creating the new user is:
useradd -s /usr/bin/rssh -m -k /root/popuserskel -d /var/www/client/username username
That command does not set a password; use passwd username to set one.
To convert an existing user to rssh, run sftp_env {username}. (This assumes the user has already been created and that the user's home directory is correct.) sftp_env will set up the necessary directories for chroot, place the user in the rssh group, and list them in /etc/rssh.conf.
Command to create an sftp user (see the table above): adduser --home /var/www/client/clientid --shell /usr/local/bin/nosh --no-create-home --ingroup group username
followed by: adduser username sftp
If you need to edit /etc/passwd or /etc/group, remember to use vipw and vigr respectively, not joe directly. The $EDITOR environment variable for root is set to /usr/bin/joe, so you will still edit them in joe, but with proper locking.
As it currently stands (apparently; not sure why; you'd think it would work), you cannot add an sftp user that is chrooted into a subdirectory of an rssh user. However, regular FTP will do that.
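AllowGroups admits a login on group membership alone, so an account that sits in the rssh or sftp group but still has /bin/bash in /etc/passwd gets a full shell. The following Python audit is an added example, not part of the original page or of cyber7's tooling: it lists the accounts sshd would admit and flags any whose shell differs from the one the table gives for its group. The passwd and group contents, and the user names alice, bob, carol and dave, are constructed sample data.

```python
# Added example; simplified: exact group names only, Match blocks ignored.
# Expected shells from the table; cszstaff ("etc.") and shell ("?") are left out.
EXPECTED_SHELL = {"root": "/bin/bash", "backup": "/bin/bash",
                  "rssh": "/usr/bin/rssh", "sftp": "/usr/local/bin/nosh"}
# Constructed sample data, not taken from cyber7.
SSHD_CONFIG = "AllowGroups root backup cszstaff rssh sftp shell\n"
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100::/var/www/client/alice:/usr/bin/rssh
bob:x:1002:100::/var/www/client/acme:/usr/local/bin/nosh
carol:x:1003:100::/var/www/client/carol:/bin/bash
dave:x:1004:100::/home/dave:/bin/bash
"""
GROUP = """\
root:x:0:
users:x:100:
rssh:x:2001:alice,carol
sftp:x:2002:bob
"""

def allowed_groups(sshd_config):
    """Collect names from every AllowGroups line (the keyword is case-insensitive)."""
    names = []
    for line in sshd_config.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0].lower() == "allowgroups":
            names.extend(fields[1:])
    return names

def audit(sshd_config, passwd, group):
    """Return (user, admitting groups, shell, findings); primary and supplementary groups count."""
    allowed = set(allowed_groups(sshd_config))
    gid_name, members = {}, {}
    for line in group.strip().splitlines():
        name, _pw, gid, users = line.split(":")
        gid_name[gid], members[name] = name, set(filter(None, users.split(",")))
    report = []
    for line in passwd.strip().splitlines():
        user, _pw, _uid, gid, _gecos, _home, shell = line.split(":")
        groups = {g for g, m in members.items() if user in m} | {gid_name.get(gid, gid)}
        via = sorted(groups & allowed)
        if via:
            bad = [f"in {g} but shell is {shell}" for g in via
                   if EXPECTED_SHELL.get(g, shell) != shell]
            report.append((user, via, shell, bad))
    return report

if __name__ == "__main__":
    print(*audit(SSHD_CONFIG, PASSWD, GROUP), sep="\n")
```

To run it against a live host, pass the contents of /etc/ssh/sshd_config, /etc/passwd and /etc/group to audit() in place of the sample strings.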