linux:nologin-rsync-only [2017/11/07 14:33] – michael | linux:nologin-rsync-only [2017/11/08 10:26] (current) – michael | ||
---|---|---|---|
Line 3: | Line 3: | ||
<WRAP center box 100%> | <WRAP center box 100%> | ||
- | ===== Konfiguration ===== | + | ===== Möglichkeit 1 - Konfiguration |
+ | <wrap em> | ||
- '' | - '' | ||
- '' | - '' | ||
Line 69: | Line 71: | ||
| | ||
| | ||
- | </ | + | </ |
- | * Using the **'' | + | |
- | * Or using a single hardcoded directory name -> '' | + | * **Keep in mind:** There is no need, to create an Group, if just one user should be able to have Access. In this case replace "Match group pfrsynconly" with "Match user pfrsync" |
- | | + | |
---- | ---- | ||
Line 82: | Line 83: | ||
</ | </ | ||
</ | </ | ||
+ | |||
---- | ---- | ||
- | ===== Testen der Konfiguration ===== | + | <WRAP center box 100%> |
+ | ===== Möglichkeit 2 - Konfiguration | ||
+ | <wrap em> | ||
+ | - '' | ||
+ | - '' | ||
+ | # usermod -aG lshell pfrsync</ | ||
+ | - '' | ||
+ | - '' | ||
+ | |||
+ | # vim / | ||
+ | # | ||
+ | # $Id: lshell.conf, | ||
+ | |||
+ | [global] | ||
+ | logpath | ||
+ | loglevel | ||
+ | # | ||
+ | |||
+ | [default] | ||
+ | allowed | ||
+ | forbidden | ||
+ | ## number of warnings when user enters a forbidden value before getting | ||
+ | ## exited from lshell, set to -1 to disable. | ||
+ | warning_counter : 2 | ||
+ | aliases | ||
+ | |||
+ | ## list of command allowed to execute over ssh (e.g. rsync, rdiff-backup, | ||
+ | # | ||
+ | |||
+ | ## logging strictness. If set to 1, any unknown command is considered as | ||
+ | ## forbidden, and user's warning counter is decreased. If set to 0, command is | ||
+ | ## considered as unknown, and user is only warned (i.e. *** unknown synthax) | ||
+ | strict | ||
+ | |||
+ | ## force files sent through scp to a specific directory | ||
+ | # | ||
+ | |||
+ | ## history file maximum size | ||
+ | # | ||
+ | |||
+ | ## set history file name (default is / | ||
+ | # | ||
+ | |||
+ | [pfrsync] | ||
+ | path : ['/ | ||
+ | home_path | ||
+ | overssh | ||
+ | ## define the script to run at user login | ||
+ | # | ||
+ | </ | ||
+ | - '' | ||
+ | # sshd_config managed by puppet, do not edit by hand! | ||
+ | # | ||
+ | |||
+ | Port 22 | ||
+ | ListenAddress 172.31.130.28 | ||
+ | Protocol 2 | ||
+ | HostKey / | ||
+ | HostKey / | ||
+ | LoginGraceTime 2m | ||
+ | |||
+ | PermitRootLogin no | ||
+ | StrictModes yes | ||
+ | DSAAuthentication yes | ||
+ | AuthorizedKeysFile / | ||
+ | HostbasedAuthentication no | ||
+ | IgnoreRhosts yes | ||
+ | PasswordAuthentication no | ||
+ | PermitEmptyPasswords no | ||
+ | |||
+ | ChallengeResponseAuthentication no | ||
+ | UsePAM yes | ||
+ | |||
+ | X11Forwarding yes | ||
+ | UsePrivilegeSeparation yes | ||
+ | |||
+ | Subsystem | ||
+ | ClientAliveInterval 60 | ||
+ | ClientAliveCountMax 5 | ||
+ | AllowTcpForwarding yes | ||
+ | |||
+ | LogLevel INFO | ||
+ | MaxAuthTries 4 | ||
+ | PermitUserEnvironment no | ||
+ | Ciphers aes128-ctr, | ||
+ | KexAlgorithms curve25519-sha256@libssh.org, | ||
+ | MACs hmac-sha2-256, | ||
+ | PubkeyAuthentication yes | ||
+ | AllowAgentForwarding yes | ||
+ | |||
+ | Match group pfrsync | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | |||
+ | * <wrap em>Keep in mind:</ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | <wrap em>After all changes, restart sshd!</ | ||
+ | |||
+ | < | ||
+ | # systemctl restart sshd | ||
+ | </ | ||
+ | |||
+ | </ | ||
+ | |||
+ | |||
+ | ---- | ||
+ | ===== Weiteres: ===== | ||
+ | * '' |