Chrooted sftp is very picky about permissions. Here's my puppet manifest for setting it up:
# Primary group for the SFTP-only accounts. Presumably the group that an
# sshd_config `Match Group sftponly` block keys on; sshd_config itself is
# not managed in this manifest — confirm where that lives.
group { 'sftponly':
  ensure  => present,
  gid     => 1500,
  system  => false,
  require => Package['setup'],
}
# SFTP-only service account: no interactive shell, member of sftponly.
# `localuser` is a site-defined type rather than core Puppet; `password`
# holds a placeholder hash here, and `key` (presumably an authorized_keys
# entry consumed by the define — verify) is likewise a placeholder.
localuser { 'sftpuser':
  comment  => 'sftp user',
  uid      => '1500',
  groups   => 'sftponly',
  shell    => '/sbin/nologin',
  password => 'big long encrypted string',
  key      => '#',
}
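# Top of the chroot tree. sshd refuses a ChrootDirectory unless that
# directory and every path component above it are root-owned and not
# writable by group or others, so this stays root:root 0755 and the
# sftponly group is deliberately not granted anything here.
# Mode is a quoted octal string: an unquoted `755` is the integer 755
# (octal 1363) in Puppet 4+ and is rejected as a mode.
file { '/sftp':
  ensure  => directory,
  owner   => 'root',
  group   => 'root',
  mode    => '0755',
  require => Group['sftponly'],
}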
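# Intermediate component of the chroot path; must remain root-owned and
# non-writable by anyone else for sshd to accept the chroot below it.
# Mode is quoted so Puppet 4+ reads it as an octal string, not the
# integer 755.
file { '/sftp/home':
  ensure  => directory,
  owner   => 'root',
  group   => 'root',
  mode    => '0755',
  require => File['/sftp'],
}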
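# Per-user directory, presumably the ChrootDirectory for sftpuser (confirm
# against sshd_config). Still root-owned with no group write bit, which is
# why the user cannot create files directly here and gets incoming/ instead.
# seltype labels it as a home directory for SELinux's sshd policy.
# Mode is quoted so Puppet 4+ treats it as octal rather than integer 755.
file { '/sftp/home/sftpuser':
  ensure  => directory,
  owner   => 'root',
  group   => 'sftponly',
  seltype => 'user_home_dir_t',
  mode    => '0755',
  require => File['/sftp/home'],
}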
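# The only directory inside the chroot the user may write to, so it is
# owned by sftpuser. 0755 leaves uploads world-readable on the host;
# tighten to 0750 if the dropped files are sensitive — left as is here.
# Mode is quoted so Puppet 4+ treats it as octal rather than integer 755.
file { '/sftp/home/sftpuser/incoming':
  ensure  => directory,
  owner   => 'sftpuser',
  group   => 'sftponly',
  seltype => 'user_home_dir_t',
  mode    => '0755',
  require => File['/sftp/home/sftpuser'],
}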
# SELinux boolean that permits sshd to write into chrooted home
# directories; persistent so it survives a reboot.
selboolean { 'ssh_chroot_rw_homedirs':
  name       => 'ssh_chroot_rw_homedirs',
  persistent => true,
  value      => 'on',
  require    => Group['sftponly'],
}
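# Persist an SELinux file-context rule so regular files under incoming/
# keep user_home_t across a relabel. `semanage fcontext -a` errors if the
# rule already exists, so the `unless` guard is what keeps this idempotent.
# That guard is a shell pipeline, which Puppet's default posix exec
# provider does not interpret (the `|` would be passed to semanage as an
# argument); it is run through /bin/sh instead, with an explicit path so
# grep resolves. In grep's basic syntax `(`, `)` and `?` are literal, so
# the pattern matches the rule exactly as `semanage fcontext -l` prints it;
# the trailing `regular` relies on that listing's "regular file" wording.
# $osmajorrelease is presumably a site fact; the selector has no default
# branch, so compilation fails on a release other than 6 or 7.
exec { 'semanage-sftphome':
  command  => $osmajorrelease ? {
    '6' => "/usr/sbin/semanage fcontext -a -f-- -t user_home_t '/sftp/home/sftpuser/incoming(/.*)?'",
    '7' => "/usr/sbin/semanage fcontext -a -ff -t user_home_t '/sftp/home/sftpuser/incoming(/.*)?'",
  },
  unless   => "/usr/sbin/semanage fcontext -l | grep -q '^/sftp/home/sftpuser/incoming(/.*)?.*regular'",
  provider => shell,
  path     => '/usr/sbin:/usr/bin:/bin',
  require  => Package['policycoreutils-python'],
}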
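# Companion rule for directories under incoming/ (user_home_dir_t); the
# same path regex as the file rule, distinguished only by the file type
# flag, so both rules are needed. The `unless` guard is a shell pipeline
# and therefore needs the shell provider — Puppet's default posix provider
# would hand `|` to semanage as an argument, the guard would fail, and the
# second run would error on the duplicate `-a`. Neither exec runs
# restorecon; the `file` resources' seltype covers the directories that
# exist at apply time. The selector has no default branch, so any
# $osmajorrelease other than 6 or 7 fails compilation.
exec { 'semanage-sftphomedirs':
  command  => $osmajorrelease ? {
    '6' => "/usr/sbin/semanage fcontext -a -f-d -t user_home_dir_t '/sftp/home/sftpuser/incoming(/.*)?'",
    '7' => "/usr/sbin/semanage fcontext -a -fd -t user_home_dir_t '/sftp/home/sftpuser/incoming(/.*)?'",
  },
  unless   => "/usr/sbin/semanage fcontext -l | grep -q '^/sftp/home/sftpuser/incoming(/.*)?.*directory'",
  provider => shell,
  path     => '/usr/sbin:/usr/bin:/bin',
  require  => Exec['semanage-sftphome'],
}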
}