tags: - golang - sftp categories: - informational comments: true

date: 2021-09-04 00:00:00

DESCRIPTION

go based sftp server. Can be run as a regular user. Server has two modes. This runbook only describes the basic mode - sftpgo portable --help

Details https://github.com/drakkan/sftpgo/blob/main/README.md

Explanation of configuration https://github.com/drakkan/sftpgo/blob/main/docs/full-configuration.md

If security is a concern, the service can run in chroot env, or systemd service. (with restrictions) See: https://www.redhat.com/sysadmin/systemd-secure-services

ERRORS

VERIFICATION

• On client machine

sftp -i colomboman -P 4444 colomboman@192.168.1.100

Where 192.168.1.100 is where the service was installed.

COMMANDS

• ssh root@192.168.1.100

• Download/build sftpgo

git clone https://github.com/drakkan/sftpgo
cd sftpgo
go build -trimpath -ldflags "-s -w"

NOTE: CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" fails due to go-sqlite issue

• Copy binary - sftpgo to user folder /opt/gosftpuser/bin (created below)
• Add user, create folders, set permissions

useradd -s /usr/sbin/nologin -m /opt/gosftpuser gosftpuser
mkdir -p /opt/gosftpuser
chmod 0750 /opt/gosftpuser

cd /opt/gosftpuser
mkdir bin
mkdir service
cd bin

• Install daemontools - will be supervising the job

apt-get update; apt-get install daemontools

• Create start up script - gw_init - that will be called in cron

cat >gw_init<<EOF
#! /bin/bash

umask 0077

cd "$(dirname "$0")/.."
export BASEDIR="$PWD"
export PATH=$PWD/bin:$PATH

## required since we are using cron
nc -w 5 -v -z 127.0.0.1 4444 >/dev/null 2>&1 && exit

exec gw_run
EOF
chmod +x gw_run

• Create script to call svscan(daemontools)

cat >gw_run<<EOF
#!/bin/bash

set -o errexit
set -o nounset
set -o pipefail

PATH=/bin:/usr/bin:/sbin:/usr/sbin
exec pgrphack svscan /opt/sftpgo/service

• sftpgo startup script - sets up username,keys, folder to serve, etc
• the SSH public key for the user that will be using the service has to be added as KEY
• Use ssh-keyget -t rsa -f colomboman to create the pair

cat >>start-sftpgo<<EOF
#! /bin/bash

set -o errexit
set -o nounset
set -o pipefail

PATH="$HOME/bin:$PATH"

PORT=4444
DIR="/opt/remote/data"
SFTP_USER=colomboman
## Public key of the user colomboman
KEY="ssh-rsa ......"

#NOTE: portable cannot disable password - if no password is set, password authentication will fail
# service limitations set via systemd: see /lib/systemd/system/sftpgo.service
sftpgo portable --username "$SFTP_USER" --public-key "$KEY" --sftpd-port "$PORT" --directory "$DIR" --permissions '*'
EOF

• daemontools: service folder setup
• when the service starts, sftpgo server ssh key pairs (if not available) will be created here (sftpgo will detect and create them on the first start)

cd ../service
mkdir sftpgo
cd sftpgo
ln -sf ../../bin/start-sftpgo run

Once the service is started, the following files will be created by sftpgo (ssh keys)

ls service/sftpgo
id_ecdsa  id_ecdsa.pub  id_ed25519  id_ed25519.pub  id_rsa  id_rsa.pub

• Change the permissions of all files created under user

chown -R gosftpuser:gosftpuser /opt/gosftpuser

• Add the cronjob for the service

• /var/spool/cron/crontabs/gosftpuser

*/5 * * * * $HOME/bin/gw_init