dev-sec / chef-ssh-hardening

This chef cookbook provides secure ssh-client and ssh-server configurations.
http://dev-sec.io/
Apache License 2.0
160 stars 70 forks

Allow configuration of multiple SFTP groups #216

Open sean-nixon opened 5 years ago

sean-nixon commented 5 years ago

Is your feature request related to a problem? Please describe. I am trying to reproduce an SFTP config with multiple groups with distinct configurations (chroot, AuthorizedKeysFile, etc.). We have a use case where we want org level users to have chroot set to the full ftp directory and "guest" users to use a sub-directory associated with their user. Right now the cookbook only supports a single SFTP group.

Describe the solution you'd like Ideally, I'd like a hash where each element would correspond to a group and have the related configurations beneath it. For backwards compatibility, it could be something like default['ssh-hardening']['ssh']['server']['sftp']['extra-groups'] which defaults to nil and is appended to the main group config. So, for example, the attributes would be:

default['ssh-hardening']['ssh']['server']['sftp']['extra-groups']['group1']['chroot'] = '/home/%u'
default['ssh-hardening']['ssh']['server']['sftp']['extra-groups']['group1']['password_authentication'] = true
default['ssh-hardening']['ssh']['server']['sftp']['extra-groups']['group2']['chroot'] = '/home'
default['ssh-hardening']['ssh']['server']['sftp']['extra-groups']['group2']['password_authentication'] = false
default['ssh-hardening']['ssh']['server']['sftp']['extra-groups']['group2']['authorized_keys_file'] = '/path'

would create the config:

Match Group group1
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
        PasswordAuthentication yes
        ...

Match Group group2
        ChrootDirectory /home
        ForceCommand internal-sftp
        PasswordAuthentication no
        AuthorizedKeysFile /path
        ...

Describe alternatives you've considered I've considered as a workaround disabling SFTP in the attributes and using the generic "extras" config to manually place all of the config necessary for SFTP. I've yet to test this, but it is not ideal because it creates additional burden to maintain and secure that config and could break with future versions of the cookbook.
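
As an added illustration of the attribute-to-config mapping proposed above (example code, not part of the issue and not code from chef-ssh-hardening), the Ruby below renders "Match Group" blocks from a hash shaped like the proposed ['sftp']['extra-groups'] attribute and checks the ordering rule that matters when such blocks are appended to sshd_config: every directive after a Match line is scoped to that block until the next Match, and directives such as Port, ListenAddress, HostKey and Subsystem are refused inside a Match block. The function names, the additional AllowTcpForwarding/AllowAgentForwarding/X11Forwarding lines (the issue's example shows "..." there) and the validation rules are assumptions of this example, not the cookbook's own behaviour; the sample hash is constructed from the attributes in the issue.

```ruby
# Added example, not code from chef-ssh-hardening. Renders "Match Group"
# blocks from a hash shaped like the proposed ['sftp']['extra-groups']
# attribute (string keys, as Chef node attributes have). Function names,
# the extra forwarding directives and the validation rules are assumptions
# of this example.

ALLOWED_KEYS = %w[chroot password_authentication authorized_keys_file].freeze

# A chroot of "/" (or an empty one) confines nobody; reject it rather than
# emit a block that looks hardened and is not.
UNSAFE_CHROOTS = ['/', ''].freeze

# Directives sshd refuses inside a Match block ("not allowed within a Match
# block"); one of these after a Match line means the config is mis-ordered.
GLOBAL_ONLY = %w[Port ListenAddress HostKey Subsystem AddressFamily].freeze

def render_sftp_match_block(group, opts)
  raise ArgumentError, "bad group name #{group.inspect}" unless group =~ /\A[A-Za-z0-9_.-]+\z/
  unknown = opts.keys - ALLOWED_KEYS
  raise ArgumentError, "group #{group}: unknown keys #{unknown.inspect}" unless unknown.empty?
  chroot = opts.fetch('chroot') { raise ArgumentError, "group #{group}: chroot is required" }
  raise ArgumentError, "group #{group}: chroot #{chroot.inspect} confines nobody" if UNSAFE_CHROOTS.include?(chroot)

  lines = ["Match Group #{group}",
           "        ChrootDirectory #{chroot}",
           '        ForceCommand internal-sftp',
           '        AllowTcpForwarding no',
           '        AllowAgentForwarding no',
           '        X11Forwarding no',
           "        PasswordAuthentication #{opts.fetch('password_authentication', false) ? 'yes' : 'no'}"]
  lines << "        AuthorizedKeysFile #{opts['authorized_keys_file']}" if opts.key?('authorized_keys_file')
  lines.join("\n") + "\n"
end

# Renders every extra group; nil/empty (the proposed default) renders nothing,
# so existing single-group setups are unchanged.
def render_sftp_match_blocks(extra_groups)
  return '' if extra_groups.nil? || extra_groups.empty?
  extra_groups.map { |group, opts| render_sftp_match_block(group, opts) }.join("\n")
end

# Returns [[line_no, directive], ...] for global-only directives that appear
# after the first Match line; an empty array means the ordering is sane.
def misplaced_global_directives(config)
  in_match = false
  config.each_line.with_index(1).each_with_object([]) do |(line, no), bad|
    word = line.strip.split(/\s+/).first
    next if word.nil? || word.start_with?('#')
    in_match = true if word.casecmp?('Match')
    bad << [no, word] if in_match && GLOBAL_ONLY.any? { |d| d.casecmp?(word) }
  end
end

# Constructed sample mirroring the attribute hash in the issue.
SAMPLE_GROUPS = {
  'group1' => { 'chroot' => '/home/%u', 'password_authentication' => true },
  'group2' => { 'chroot' => '/home', 'password_authentication' => false,
                'authorized_keys_file' => '/path' }
}.freeze

if __FILE__ == $PROGRAM_NAME
  snippet = render_sftp_match_blocks(SAMPLE_GROUPS)
  puts snippet
  # Appending a global line (here a Subsystem directive) after the Match
  # blocks is the classic mistake; the check flags the offending line.
  wrong = "Port 22\n" + snippet + "Subsystem sftp internal-sftp\n"
  p misplaced_global_directives(wrong)
end
```

Two points the template itself cannot check: sshd only honours ChrootDirectory when the directory is owned by root and not group- or world-writable (it logs "bad ownership or modes for chroot directory" and refuses the login otherwise), so a per-user chroot such as /home/%u needs the user's writable area in a subdirectory below the root-owned chroot; and the rendered blocks must go after every global directive in sshd_config, which is why the ordering check above runs on the assembled file rather than on the snippet alone.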

chris-rock commented 5 years ago

@sean-nixon It sounds right to me to add support for deeper sftp configuration. As you suggested, we should keep it backwards compatible. Any PRs to make it happen are welcome.