
06/10/2022 10:29 OneFS: Configuring SFTP including Chroot | Dell US

Article Number: 000157780

OneFS: Configuring SFTP including Chroot


Summary:
This document describes how to allow access to the Isilon cluster via SFTP. There are some limitations and considerations to keep in mind when beginning this process. Users/Groups that need SFTP access must have the ISI_PRIV_LOGIN_SSH privilege associated with their user. SSH and SFTP access only work within the System zone. Not all ssh configuration options are available; we support Match and Subsystem statements via the isi ssh modify command set.

Audience Level: Partners

Article Content

Instructions

This document describes how to allow access to the Isilon cluster via SFTP. There are some limitations and considerations to keep in mind when beginning this process.

Users (or the groups they belong to) that need SFTP access must hold the ISI_PRIV_LOGIN_SSH privilege
SSH and SFTP access only work within the System access zone
Not all sshd configuration options are exposed; Match and Subsystem statements are supported via the isi ssh settings modify command set

Outside of these factors, the cluster behaves like any other FreeBSD OpenSSH server. You can check the OpenSSH version on a cluster with the command ssh -V.

For more direction on how to setup roles and privileges, please refer to the CLI or Web Administration guides for your release under
the "Administrative roles and privileges" heading.

Checking if a user/group has ISI_PRIV_LOGIN_SSH


Verify that the user in question has ISI_PRIV_LOGIN_SSH. Below is an example with the default admin user.

p930-1# isi auth mapping token admin | grep "LOGIN_SSH"

ISI_PRIV_LOGIN_SSH

If there is no output, you will need to assign the user to a Role that includes that Privilege. Doing so is out of the scope of this document. You can find more detail on how to do so in the Administration Guides for your release under "Administrative roles and privileges".

Basic SFTP access for local users


Once you have verified that a user has the correct Privileges, SFTP should work for them out of the box, giving them access to any portion of the filesystem their user mapping token would allow.

p930-1# sftp admin@localhost

(admin@localhost) Password:

Connected to localhost.

sftp> dir

sftp> cd ..

sftp> dir

admin ftp

Basic Chroot SFTP access

https://www.dell.com/support/kbdoc/en-us/article/lkbprint?ArticleNumber=000157780&AccessLevel=40&Lang=en 1/3
06/10/2022 10:29 OneFS: Configuring SFTP including Chroot | Dell US

If you want to limit a user to a specific subset of the filesystem, you can use OpenSSH's ChrootDirectory option inside a Match block. The client then sees the chroot path as / and cannot leave that subset of the filesystem. ChrootDirectory does, however, have strict ownership and permission requirements on the entire path to the chroot: every directory component must be owned by root (root:wheel on OneFS) and must not be writable by group or other, i.e. drwxr-xr-x (755). sshd refuses the login if any component in the chain fails this check. For details, refer to the ChrootDirectory entry in the OpenSSH sshd_config(5) man page.

Here is a common Match block for implementing ChrootDirectory. The first two lines are what ChrootDirectory needs when no supporting files exist inside the chroot: ForceCommand internal-sftp runs the SFTP server inside the sshd process, so no sftp-server binary, shell or libraries have to be present under the chroot. The last two lines stop matched users from using the TCP forwarding or X11 forwarding features of OpenSSH.

Match Group admin

ChrootDirectory /ifs/sftp

ForceCommand internal-sftp

AllowTCPForwarding no

X11Forwarding no

Below is a basic example of preparing a path for chroot where any matching user can write to the /ifs/sftp/home directory. The first command adjusts the cluster-wide ACL policy (how owner and group permission bits are calculated); the remaining commands create the tree and set the modes. The directories /ifs and /ifs/sftp are both owned by root:wheel with permissions of 755 to satisfy the ChrootDirectory requirement, while /ifs/sftp/home has permissions of 777 so any chrooted user can write to it. Note that with 777 every matched user can read and modify every other user's files in that directory; if more than one user shares the chroot, a per-user subdirectory owned by that user (still beneath the root-owned, 755 chroot) keeps them apart.

p930-1# isi auth settings acls modify --calcmode-group=group_only --calcmode-owner=owner_only

p930-1# mkdir -p /ifs/sftp/home

p930-1# chmod 755 /ifs/

p930-1# chmod 755 /ifs/sftp

p930-1# chmod 777 /ifs/sftp/home

p930-1# isi ssh settings modify --match="Match Group admin

dquote> ChrootDirectory /ifs/sftp

dquote> ForceCommand internal-sftp"

p930-1# sftp admin@localhost

(admin@localhost) Password:

Connected to localhost.

sftp> ls

home

sftp> pwd

Remote working directory: /
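As an added check that is not part of the Dell article, the following POSIX shell script walks every component of a ChrootDirectory path and reports any that is not a root-owned directory or is writable by group or other, which is exactly what sshd rejects. It parses the mode and owner columns of ls -ld, which are laid out the same on FreeBSD (OneFS) and Linux; the script and function names are this example's own. It only checks the chain up to the chroot root itself; directories beneath it, such as the 777 home directory above, are deliberately outside the rule.

```shell
#!/bin/sh
# Added example (not from the Dell article): verify that every directory
# component of an OpenSSH ChrootDirectory path satisfies sshd's rule that
# each component is root-owned and not writable by group or other.
# Assumes a POSIX shell with ls(1); the mode and owner columns of
# `ls -ld` are the same on FreeBSD (OneFS) and Linux.

# chroot_component_ok MODE OWNER PATH
# MODE is the ls -ld mode string (e.g. drwxr-xr-x), OWNER the owner name.
# Returns 0 when the component is acceptable, otherwise prints why and
# returns 1.
chroot_component_ok() {
  mode=$1; owner=$2; path=$3
  case $mode in
    d*) ;;
    *) echo "$path: not a directory ($mode)"; return 1 ;;
  esac
  if [ "$owner" != root ]; then
    echo "$path: owned by $owner, must be root"; return 1
  fi
  # Character 6 of the mode string is the group write bit, character 9
  # the other write bit; either one set makes sshd refuse the chroot.
  gw=$(printf '%s' "$mode" | cut -c6)
  ow=$(printf '%s' "$mode" | cut -c9)
  if [ "$gw" = w ] || [ "$ow" = w ]; then
    echo "$path: writable by group or other ($mode)"; return 1
  fi
  return 0
}

# check_chroot_path DIR
# Walks from DIR up to / and checks each component. Returns 0 only if the
# whole chain is acceptable, so it can gate the `isi ssh settings modify`
# call the same way `sshd -t` does in the article.
check_chroot_path() {
  p=$1; rc=0
  while :; do
    line=$(ls -ld "$p" 2>/dev/null) || { echo "$p: cannot stat"; return 1; }
    set -- $line            # field 1 = mode, field 3 = owner
    chroot_component_ok "$1" "$3" "$p" || rc=1
    [ "$p" = / ] && break
    p=$(dirname "$p")
  done
  return $rc
}

# Stand-alone usage:  sh check_chroot.sh /ifs/sftp
if [ $# -gt 0 ]; then
  check_chroot_path "$1" && echo "$1: chroot chain OK"
fi
```

Run it against the ChrootDirectory value before applying the Match block; a non-zero exit names the offending component, which is far quicker than reading the "bad ownership or modes for chroot directory component" line out of the sshd log after a failed login.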

Configuring multiple Match Strings


If you have more than a few Match blocks to configure, it is usually easier to manage them in a file and pass that file to the isi ssh command. Running sshd -t -f against the file first makes sshd validate it, and chaining the two commands with && means the change is only applied if the file is valid. Below are examples of a success and a failure.

p930-1# cat /ifs/sshMatches

Match Group admin

ChrootDirectory /ifs/sftp

ForceCommand internal-sftp

AllowTCPForwarding no

X11Forwarding no

Match All

AllowTCPForwarding no

X11Forwarding no

p930-1# sshd -t -f /ifs/sshMatches && isi ssh settings modify --match="$(cat /ifs/sshMatches)"

p930-1# sshd -t -f /ifs/sshMatchBad && isi ssh settings modify --match="$(cat /ifs/sshMatchBad)"

Missing Match criteria for Allk

/ifs/sshMatchBad line 6: Bad Match condition
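As an added example that is not from the article, this POSIX shell script generates a Match file from group:chrootdir pairs (an input format assumed for the example), appends the Match All catch-all, and wraps the sshd -t check and the isi ssh settings modify call from above in a function; the function names are this example's own. It also makes the ordering explicit: sshd uses the first value it obtains for each keyword, so the specific Match Group blocks must precede Match All.

```shell
#!/bin/sh
# Added example (not from the Dell article): build a sshd Match file from
# "group:chrootdir" pairs, append a Match All block that disables
# forwarding for everyone else, and validate it with `sshd -t` before
# handing it to `isi ssh settings modify`. The pair format and the
# function names are assumptions made for this example.

# match_stanza GROUP CHROOTDIR -> prints one chrooted-SFTP Match block
match_stanza() {
  printf 'Match Group %s\n' "$1"
  printf '    ChrootDirectory %s\n' "$2"
  printf '    ForceCommand internal-sftp\n'
  printf '    AllowTCPForwarding no\n'
  printf '    X11Forwarding no\n'
}

# build_matches PAIR... -> prints all stanzas, most specific first, then
# the catch-all. sshd uses the first obtained value for each keyword, so
# Match All must come last or it would shadow the per-group settings.
build_matches() {
  for pair in "$@"; do
    group=${pair%%:*}
    dir=${pair#*:}
    if [ "$group" = "$pair" ] || [ -z "$group" ] || [ -z "$dir" ]; then
      echo "bad pair '$pair' (want group:chrootdir)" >&2
      return 1
    fi
    match_stanza "$group" "$dir"
  done
  printf 'Match All\n    AllowTCPForwarding no\n    X11Forwarding no\n'
}

# validate_matches FILE -> 0 when sshd accepts the file; if sshd is not on
# PATH (for example when run off-cluster) the syntax check is skipped.
validate_matches() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1"
  else
    echo "sshd not found; skipping syntax check" >&2
  fi
}

# apply_matches FILE -> validate, then push the file's contents into the
# cluster's sshd configuration exactly as the article does.
apply_matches() {
  validate_matches "$1" && isi ssh settings modify --match="$(cat "$1")"
}

# Stand-alone usage:
#   sh build_matches.sh Stage-Root:/ifs/home/Stage-Root Prod-Root:/ifs/home/Prod-Root > /ifs/sshMatches
#   then, on the cluster: apply_matches /ifs/sshMatches
if [ $# -gt 0 ]; then
  build_matches "$@"
fi
```

Because build_matches rejects a pair without a colon or with an empty side, a typo such as Stage-Root-SFTP in the group name is not caught here; that still has to be checked against the user's mapping token as described in the next section.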

Match String Considerations


When setting up Match statements, you can use any user or group identifier that the cluster can resolve. This means that you can reference Active Directory groups (where the domain provides RFC 2307 attributes) as domain\name.

If a user is not being routed to the correct path/settings by a Match User line, verify that the cluster can look that user up with the command isi auth mapping token <username>, using the exact username from your Match line.

https://www.dell.com/support/kbdoc/en-us/article/lkbprint?ArticleNumber=000157780&AccessLevel=40&Lang=en 2/3
06/10/2022 10:29 OneFS: Configuring SFTP including Chroot | Dell US

If a user is not being routed to the correct path/settings by a Match Group line, verify that the user is a member of that group with the command isi auth mapping token <username> | grep <groupname>, where you supply the username and take groupname from the Match line.

Below is an example of a user who is not being routed correctly because of a mistake in the Match Group statement: user stageroot does not get the expected chroot while user prodroot does. Both users hold ISI_PRIV_LOGIN_SSH, but stageroot's mapping token contains the group Stage-Root, not Stage-Root-SFTP, so the grep for the group named in the Match line returns nothing. The fix is to correct the group name in the Match Group statement to Stage-Root.

p930-1# isi auth mapping token stageroot | grep "LOGIN_SSH"

ISI_PRIV_LOGIN_SSH

p930-1# isi auth mapping token prodroot | grep "LOGIN_SSH"

ISI_PRIV_LOGIN_SSH

p930-1# cat /ifs/sshMatches

Match Group Stage-Root-SFTP

ChrootDirectory /ifs/home/Stage-Root

AllowTCPForwarding no

X11Forwarding no

ForceCommand internal-sftp

Match Group Prod-Root

ChrootDirectory /ifs/home/Prod-Root

AllowTCPForwarding no

X11Forwarding no

ForceCommand internal-sftp

p930-1# isi auth mapping token stageroot | grep "Stage-Root-SFTP"

p930-1# isi auth mapping token prodroot | grep "Prod-Root"

Name: Prod-Root

p930-1# isi auth mapping token stageroot | grep "Stage-Root"

Name: Stage-Root

Legacy Configurations
Prior to OneFS 8.2 the same functionality was available, but the isi ssh api did not yet exist. Instead of running isi ssh settings modify --match="", edit the file /etc/mcp/templates/sshd_config and append the same Match blocks you would have used in the steps above to the end of that file.

These directions work for OneFS versions that predate isi ssh, but any configuration made this way is removed when the cluster is upgraded to a OneFS version with api support, so it has to be recreated with isi ssh settings modify after the upgrade. Users accessing SFTP still require the ISI_PRIV_LOGIN_SSH privilege.

Article Properties

Last Published Date


17 May 2022

Version
4

Article Type
How To

https://www.dell.com/support/kbdoc/en-us/article/lkbprint?ArticleNumber=000157780&AccessLevel=40&Lang=en 3/3

You might also like