---
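# Disable the stock sftp-server subsystem so that the "Subsystem sftp internal-sftp"
# line added further down is the only sftp subsystem definition: sshd refuses to
# start when "Subsystem sftp" is defined twice. The original line is kept,
# commented out, rather than deleted.
- name: purge default SFTP-Server
  ansible.builtin.lineinfile:
    path: "/etc/ssh/sshd_config"
    # Tabs *or* spaces as separators and any install prefix
    # (Debian: /usr/lib/openssh, RHEL: /usr/libexec/openssh). "internal-sftp"
    # deliberately does not match, so a re-run never comments out the line this
    # role adds itself; an already commented line does not match either
    # (anchored at ^), which keeps the task idempotent.
    regexp: '^(Subsystem\s+sftp\s+\S*sftp-server.*)$'
    line: '# \1'
    backrefs: true
    state: present
    # Never write a config sshd cannot parse: combined with the "restart sshd"
    # handler a broken sshd_config would lock us out of the host.
    validate: "/usr/sbin/sshd -t -f %s"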
- name: Konfiguration fuer SFTP-Server einspielen
block:
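# Ownership and modes the sshd ChrootDirectory check insists on: the chroot
# root itself must be owned by root and must not be group- or world-writable,
# otherwise sshd rejects the login (see sshd_config(5), ChrootDirectory).
# Only the .ssh directory and authorized_keys belong to the upload user.
# An explicit state per item makes the task converge (create the directories
# if missing) instead of failing with "file is absent, cannot continue".
- name: separate Berechtigungen für SFTP-chroot setzen
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: "{{ item.state }}"
    mode: "{{ item.mode }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
  loop:
    # chroot root: root-owned, the upload group may traverse/list, nobody
    # but root may write here (uploads have to go into a subdirectory)
    - path: "/home/{{ vault_sftp_upload_user }}/"
      state: directory
      mode: "0750"
      owner: "root"
      group: "{{ vault_sftp_upload_group }}"
    # key material is private to the upload user
    - path: "/home/{{ vault_sftp_upload_user }}/.ssh/"
      state: directory
      mode: "0700"
      owner: "{{ vault_sftp_upload_user }}"
      group: "{{ vault_sftp_upload_group }}"
    # state: file only adjusts an existing file and fails loudly if the
    # authorized_keys file was never deployed - we do not want an empty one
    - path: "/home/{{ vault_sftp_upload_user }}/.ssh/authorized_keys"
      state: file
      mode: "0600"
      owner: "{{ vault_sftp_upload_user }}"
      group: "{{ vault_sftp_upload_group }}"
  loop_control:
    label: "{{ item.path }}"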
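# Append the chrooted, SFTP-only Match block for the external upload user.
# Everything besides the sftp subsystem is switched off for that user, so a
# leaked key gives an attacker file transfer into the chroot and nothing more.
- name: Konfiguration fuer SFTP-Server einspielen (1/3)
  ansible.builtin.blockinfile:
    path: "/etc/ssh/sshd_config"
    backup: true
    insertafter: EOF
    marker: "### {mark} ANSIBLE MANAGED BLOCK - SFTP SERVER"
    # Reject a config sshd cannot parse before it is written; a broken
    # sshd_config plus the "restart sshd" handler below would lock everyone out.
    validate: "/usr/sbin/sshd -t -f %s"
    # NOTE(review): internal-sftp runs inside the chroot after chroot(2), so the
    # "-f AUTH -l INFO" logging only reaches syslog if a /dev/log socket exists
    # below /home/<user> (e.g. an additional rsyslog input socket) - verify that
    # one of the follow-up steps (2/3, 3/3) provides it.
    block: |
      ### SLUBArchiv SFTP server for external producers
      # https://serverfault.com/questions/660160/openssh-difference-between-internal-sftp-and-sftp-server
      # https://serverfault.com/questions/73319/sftp-logging-is-there-a-way
      # man 8 sftp-server
      #   -f log_facility  The possible values are: DAEMON, USER, AUTH,
      #                    LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5,
      #                    LOCAL6, LOCAL7. The default is AUTH.
      #   -l log_level     possible values are: QUIET, FATAL, ERROR, INFO,
      #                    VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
      #                    Default is ERROR.
      #   -P blacklisted_requests
      #   -u umask         Sets an explicit umask(2) to be applied to
      #                    newly-created files and directories, instead of
      #                    the user's default mask.
      # https://tools.ietf.org/html/draft-ietf-secsh-filexfer-13#section-8.6
      # -> we tried to block SSH_FXP_SETSTAT and SSH_FXP_FSETSTAT requests,
      #    but then uploads via WinSCP won't work, because it cannot set
      #    initial permissions and timestamps on upload. I'm still leaving
      #    this here for documentation, so no one tries this later again.
      Subsystem sftp internal-sftp
      Match User {{ vault_sftp_upload_user }}
          ChrootDirectory /home/%u
          # ForceCommand internal-sftp -f AUTH -l INFO -P setstat,fsetstat # LEAVE THIS HERE!!!
          ForceCommand internal-sftp -f AUTH -l INFO
          # nothing but the SFTP subsystem: no X11/TCP/agent forwarding,
          # no tunnel devices, no pty
          X11Forwarding no
          AllowTcpForwarding no
          AllowAgentForwarding no
          PermitTunnel no
          PermitTTY no
      Match all
  register: external_ftp
  notify:
    - restart sshd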
# http://sysadmin.circularvale.com/server-config/setting-a-umask-for-chrooted-sftp-users/
- name: Konfiguration fuer SFTP-Server einspielen (2/3)