From 3c776bcbd56346cc542a1e7d5eac6b630074d63d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <Joerg.Sachse@slub-dresden.de>
Date: Tue, 7 Sep 2021 10:43:59 +0200
Subject: [PATCH] fix: explicitly set permissions/owners for .ssh directories
 of SFTP chroot user to make sure upload/auth via publickey works fine (this
 breaks again and again)

---
 tasks/configure_sftp_server.yml | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/tasks/configure_sftp_server.yml b/tasks/configure_sftp_server.yml
index 39a1d90..80916de 100644
--- a/tasks/configure_sftp_server.yml
+++ b/tasks/configure_sftp_server.yml
@@ -11,10 +11,24 @@
   block:
     - name: separate Berechtigungen für SFTP-chroot setzen
       file:
-        path: "/home/{{ vault_sftp_upload_user }}/"
-        mode: "0750"
-        owner: "root"
-        group: "{{ vault_sftp_upload_group }}"
+        path: "{{ item.path }}"
+        mode: "{{ item.mode }}"
+        owner: "{{ item.owner }}"
+        group: "{{ item.group }}"
+      loop:
+        - path: "/home/{{ vault_sftp_upload_user }}/"
+          mode: "0750"
+          owner: "root"
+          group: "{{ vault_sftp_upload_group }}"
+        - path: "/home/{{ vault_sftp_upload_user }}/.ssh/"
+          mode: "0700"
+          owner: "{{ vault_sftp_upload_user }}"
+          group: "{{ vault_sftp_upload_group }}"
+        - path: "/home/{{ vault_sftp_upload_user }}/.ssh/authorized_keys"
+          mode: "0600"
+          owner: "{{ vault_sftp_upload_user }}"
+          group: "{{ vault_sftp_upload_group }}"
+
     - name: Konfiguration fuer SFTP-Server einspielen (1/3)
       blockinfile:
         path: "/etc/ssh/sshd_config"
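Review bot: The new loop items make the upload user the owner of `.ssh/` (0700) and `authorized_keys` (0600) inside a chroot the same user logs into over SFTP, so anyone holding one of the provisioned keys can upload a replacement `authorized_keys` and add or remove keys for the account; if this is a shared upload account, one party can lock out or impersonate the others. The usual fix is to move the key file out of the chroot and under root control, e.g. `AuthorizedKeysFile /etc/ssh/authorized_keys/%u` in the Match block for this user, with that file deployed as `owner: root`, `mode: "0644"`, after which the two `.ssh` entries in this loop can be dropped; the sshd_config blockinfile that would carry this starts at the bottom of the hunk and its content is outside the view, so I cannot tell whether it already does this. Separately, none of the loop items sets `state`, so the task fails outright if `.ssh/` or `authorized_keys` does not exist yet rather than fixing their ownership; making the intent explicit with `state: directory` on the `.ssh/` item (and ensuring the task that creates the key file runs first) would remove the ordering dependency that presumably causes the "breaks again and again" in the subject.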
-- 
GitLab