Monday, May 9, 2016

SFTP server configuration in Debian Linux

SFTP stands for SSH File Transfer Protocol. It is not a traditional FTP server but an extension of SSH: files are transferred between server and client over the SSH connection itself.

SFTP offers more than SCP, supporting a richer set of file operations than plain copying. If you want to learn more about SFTP, check out the wiki article on it.

To configure SFTP we don't need to install any extra packages: as already mentioned, it is just an extension of SSH. You might be guessing that you only need to make some tweaks to your sshd_config file, and you are right.

Open the sshd_config file, which resides under the /etc/ssh directory, with any text editor you like. I love Vim.



vim /etc/ssh/sshd_config
In sshd_config, on line 77, change

#Subsystem sftp /usr/lib/openssh/sftp-server

to

Subsystem sftp internal-sftp

that is, uncomment the line and switch to the in-process SFTP server, which needs no binaries inside the chroot. Next, we need to define a policy based on a user or a group. At the end of sshd_config, add the following block.
Match Group Sftp_Group
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
The above policy tells sshd to restrict every user who belongs to Sftp_Group to SFTP only and to chroot them into their own home directory, so they cannot browse the parent directories or other users' directories they have no permission for. One important rule to keep in mind when configuring this: the chroot directory, and every directory above it, must be owned by root and must not be writable by any other user, otherwise sshd refuses the login. Let's say we want to export the home directory of a user test and confine her to that directory only. To do that we first create the user test with the home directory /home/test (you can of course name the home directory anything you like) and make her a member of Sftp_Group, remembering that her home directory must be owned by root. Let's create the user.
groupadd Sftp_Group
useradd -m -d /home/test -s /usr/sbin/nologin -G Sftp_Group test

The first command creates the group; the second adds the user test with the home directory /home/test and the supplementary group Sftp_Group, with nologin as her shell because she only needs SFTP, not an interactive login. Remember that the home directory, which is the chroot, must be owned by root, and only by root. Now that the user exists, let's set her password.
passwd test
The above command prompts you for a password for user test. Now create a public_html directory under /home/test that is owned by test, while /home/test itself, the chroot, stays owned by root.
mkdir /home/test/public_html
chown test:test /home/test/public_html
chown root:root /home/test

After this series of commands the directory layout is ready and we can access the SFTP server with an SFTP client. For testing you can use any SFTP client; there are many on the market, some of them with Windows Explorer integration. For our purposes FileZilla is perfect.

One final thing: before connecting to our SFTP server we need to restart the SSH server so that the new configuration takes effect.
systemctl restart ssh
To connect to the SFTP server, prefix the server name with sftp:// in the client (for example sftp://server-address in FileZilla's host field) so that the client speaks SFTP rather than FTP.
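The most common failure with this setup is that sshd silently refuses the chroot because some directory on the path to the home directory is not root-owned or is writable by group or others; the client then sees the session close right after authentication. The script below is an added example, not part of the original post: it walks the chroot path and reports any component that breaks those rules. It assumes GNU stat (coreutils, as on Debian); the mode and owner checks are pure functions so they can be reused.

```shell
#!/bin/sh
# Added example (not from the original post): check that a ChrootDirectory
# path meets sshd's ownership rules before restarting sshd. sshd refuses the
# chroot unless every directory from the chroot up to / is owned by root
# and is not writable by group or others. Assumes GNU coreutils stat.

# Return 0 when an octal mode such as 755 or 1777 has neither the
# group-write nor the other-write bit set (022 in octal).
mode_ok() {
    # a leading 0 makes shell arithmetic treat the value as octal
    [ $(( 0$1 & 022 )) -eq 0 ]
}

# Return 0 when a numeric uid is root's.
owner_ok() {
    [ "$1" -eq 0 ]
}

# Walk from DIR up to /, printing one line per violation.
# Returns 0 if the whole path is acceptable, 1 on violations,
# 2 on a usage or stat error.
check_chroot_path() {
    dir=$1
    case $dir in
        /*) ;;
        *) echo "usage: check_chroot_path /absolute/path" >&2; return 2 ;;
    esac
    status=0
    while [ "$dir" != "/" ]; do
        uid=$(stat -c '%u' "$dir") || return 2
        mode=$(stat -c '%a' "$dir") || return 2
        if ! owner_ok "$uid"; then
            echo "not owned by root: $dir (uid $uid)"
            status=1
        fi
        if ! mode_ok "$mode"; then
            echo "writable by group or others: $dir (mode $mode)"
            status=1
        fi
        dir=$(dirname "$dir")
    done
    return $status
}

# When given a path argument, check it; otherwise only define the functions.
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it as `sh check_chroot.sh /home/test` after the chown commands above; once it reports nothing, `sshd -t` validates the edited sshd_config and only then is it worth restarting ssh. A home directory that the user herself owns, or a /home made group-writable at some point, both show up here instead of as a mysterious disconnect on the client.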

Tuesday, April 12, 2016

Standalone Samba 4 file sharing server configuration on Ubuntu 14.04 Linux server

Samba is a file and print service used to share files across platforms. In this post I am going to show you how to install and configure a Samba server as a file sharing server. First we create several users belonging to different groups, and two directories, Engineering and Administration, where Administration contains three further directories named HR, Logistic and Finance, as shown in the tree below.

/home
├───Engineering
└───Administration
    ├───Finance
    ├───HR
    └───Logistic

magautam@manoj1947:~$ cd /home
magautam@manoj1947:/home$ sudo mkdir Engineering Administration
magautam@manoj1947:/home$ sudo mkdir Administration/Finance Administration/HR Administration/Logistic

According to this directory structure, let us create the groups, each of which will get a different permission level on the different directories, as listed below.

Finance_Group: read, write and execute permission on the Finance directory.
HR_Group: read, write and execute permission on the HR directory.
Logistic_Group: read, write and execute permission on the Logistic directory.
Engineering_Group: read, write and execute permission on the Engineering directory.
Finance_Group: read and execute permission on the Logistic directory.

root@manoj1947:~# groupadd Engineering_Group
root@manoj1947:~# groupadd Logistic_Group
root@manoj1947:~# groupadd Finance_Group
root@manoj1947:~# groupadd HR_Group

So we are done with the permission policy; now let us create four users, each belonging to one of these groups.

I have mapped the users to groups as follows.

Manoj Gautam belongs to Engineering_Group
Kevin Khadka belongs to Finance_Group
Aliza Shrestha belongs to HR_Group
Pratish Shrestha belongs to Logistic_Group 

So, now let us add these users to our Linux server. All of them also get the supplementary group Manoj1947_Group, which has to exist before useradd will accept it.

magautam@manoj1947:~$ sudo groupadd Manoj1947_Group

Let us add user manoj, who belongs to Engineering_Group
magautam@manoj1947:~$ sudo useradd -m -d /home/Personal\ Folders/manoj -s /bin/bash -c "Manoj Gautam" -g Engineering_Group -G Manoj1947_Group mgautam

Let us add user aliza, who belongs to HR_Group
magautam@manoj1947:~$ sudo useradd ashrestha -m -d /home/Personal\ Folders/aliza -g HR_Group -G Manoj1947_Group -c "Aliza Shrestha" -s /usr/sbin/nologin

Let us add user pratish, who belongs to Logistic_Group
magautam@manoj1947:~$ sudo useradd pshrestha -m -d /home/Personal\ Folders/pratish -g Logistic_Group -G Manoj1947_Group -c "Pratish Shrestha" -s /usr/sbin/nologin

Let us add user kevin, who belongs to Finance_Group
magautam@manoj1947:~$ sudo useradd kkhadka -m -d /home/Personal\ Folders/kevin -g Finance_Group -G Manoj1947_Group -c "Kevin Khadka" -s /usr/sbin/nologin

The above series of commands adds the Linux users to our Samba system with their respective groups. Only manoj gets a real shell; the others only need to reach the file shares, so they get nologin.

We are done with users and groups; now it is time to install the Samba server on our Ubuntu server.

sudo apt-get update && sudo apt-get install samba

The configuration file of the Samba service is /etc/samba/smb.conf; this is where we will define the shares that expose our directories to the network. Note that Samba keeps its own password database, separate from the Linux passwords, so every user who will log in to a share also needs a Samba password, set with the smbpasswd -a command for each user (kkhadka and so on).

Before sharing the directories, let us set their permissions. We could use plain UNIX file permissions, but for more complex permission strategies we can use ACLs (access control lists). The ACL tools are not installed by default, so we need to install them.

sudo apt-get install acl

With the acl package installed we have the setfacl command to set permissions on our directories.

Before using setfacl, the file system must support ACLs. To check whether it does, run the following against your file system (here /dev/sda1).


sudo tune2fs -l /dev/sda1 | grep acl

If the output includes acl in the default mount options (for example Default mount options: user_xattr acl), that is good news: our file system supports ACLs. To be sure ACLs are enabled at mount time, edit /etc/fstab, append acl to the mount options (the fourth field) of the file system's entry, and remount it.



ACLs are enabled; now it is time to apply the ACL policies to our directories.
From our policy, only Engineering_Group may access the Engineering directory. To set this permission, use setfacl as shown below (run from /home).

sudo setfacl -Rm g:Engineering_Group:rwx,o:--- Engineering/
sudo setfacl -Rm d:g:Engineering_Group:rwx,o:--- Engineering/

The first command grants read, write and execute permission on the Engineering directory, recursively, to every user who belongs to Engineering_Group, and removes all permissions for others.

The second command sets the same entries as the default ACL, so that files and directories created inside Engineering in the future inherit them.

Similarly, we can create the permission for other directories as well.

# run from /home/Administration
# only Logistic_Group gets read, write and execute permission on the Logistic directory.
sudo setfacl -Rm g:Logistic_Group:rwx,o:--- Logistic/
sudo setfacl -Rm d:g:Logistic_Group:rwx,o:--- Logistic/

# only HR_Group gets read, write and execute permission on the HR directory.
sudo setfacl -Rm g:HR_Group:rwx,o:--- HR/
sudo setfacl -Rm d:g:HR_Group:rwx,o:--- HR/


We also want Finance_Group to have read-only access to the Logistic directory, so let's set that permission as well (again as both the access ACL and the default ACL).
sudo setfacl -Rm g:Finance_Group:r-x Logistic/
sudo setfacl -Rm d:g:Finance_Group:r-x Logistic/

Also, the Administration directory itself must keep read and execute permission for others, so that users can traverse it to reach the subdirectories they are allowed into; the default mode of a new directory (r-x for others) already provides this.
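A pitfall with the ACL commands above is that the policy lives only in shell history, and a later chmod on one of these directories rewrites the ACL mask, silently lowering every group's effective permissions; getfacl marks such entries with #effective. The script below is an added example, not from the original post: it keeps the policy table as data, generates the setfacl commands from it, and verifies getfacl output against the policy. Paths and group names are the ones used in the post; the getfacl output it checks is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original post: the group/directory policy
# from the table above as data, a generator for the setfacl commands that
# implement it, and a check that reads getfacl output and confirms a group
# really has the intended effective permissions.

# Policy rows: directory, group, permissions. The last row is the
# read-only access Finance_Group gets to Logistic.
POLICY='/home/Engineering Engineering_Group rwx
/home/Administration/Finance Finance_Group rwx
/home/Administration/HR HR_Group rwx
/home/Administration/Logistic Logistic_Group rwx
/home/Administration/Logistic Finance_Group r-x'

# Print the two setfacl commands for one row: the access ACL applied
# recursively, and the default ACL inherited by files created later.
# "o:---" removes all permissions for other users in both.
acl_commands() {
    dir=$1 group=$2 perms=$3
    printf 'setfacl -Rm g:%s:%s,o:--- %s\n' "$group" "$perms" "$dir"
    printf 'setfacl -Rm d:g:%s:%s,d:o:--- %s\n' "$group" "$perms" "$dir"
}

# Print the commands for every policy row (pipe into "sudo sh" to apply).
policy_commands() {
    printf '%s\n' "$POLICY" | while read -r dir group perms; do
        acl_commands "$dir" "$group" "$perms"
    done
}

# Read getfacl output on stdin and return 0 only if GROUP's effective
# permissions are exactly PERMS and "other" has none. getfacl appends
# "#effective:..." when the mask (for example after a later chmod) cuts
# a group's permissions down, so the granted perms alone are not enough.
acl_verify() {
    awk -v g="$1" -v p="$2" '
        /^#/ { next }                       # header comment lines
        $1 ~ ("^group:" g ":") {
            found = 1
            split($1, f, ":")
            eff = f[3]
            if (match($0, /#effective:[rwx-]+/))
                eff = substr($0, RSTART + 11, RLENGTH - 11)
            if (eff == p) gok = 1
        }
        /^other::/ { split($1, f, ":"); if (f[3] == "---") ook = 1 }
        END { if (found && gok && ook) exit 0; exit 1 }
    '
}

# Constructed getfacl output for /home/Administration/Logistic after a
# stray "chmod 750" lowered the mask: Logistic_Group was granted rwx but
# only r-x is effective, while Finance_Group's r-x is intact.
SAMPLE_GETFACL='# file: Logistic
# owner: root
# group: root
user::rwx
group::r-x
group:Logistic_Group:rwx  #effective:r-x
group:Finance_Group:r-x
mask::r-x
other::---'

# Check each group in the sample against the policy; prints OK or MASKED.
report_sample() {
    for row in "Logistic_Group rwx" "Finance_Group r-x"; do
        set -- $row
        if printf '%s\n' "$SAMPLE_GETFACL" | acl_verify "$1" "$2"; then
            echo "OK     $1 has effective $2"
        else
            echo "MASKED $1 does not have effective $2"
        fi
    done
}
```

On the real server, `policy_commands | sudo sh` applies the whole table in one go, and `getfacl /home/Administration/Logistic | acl_verify Logistic_Group rwx` is the check to run after any chmod or after restoring from backup. Re-running the setfacl commands restores the mask, since setfacl recalculates it from the entries being set.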

So we are done with permissions; now it is time to share the directories. To do that, edit smb.conf and add the shares as shown below.

[global]
        server string = %h server (Samba, Ubuntu)
        server role = standalone server
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        unix extensions = No
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
        wide links = Yes

[Engineering]
        comment = "Share Engineering directory"
        path = /home/Engineering
        read only = No

[Administration]
        path = /home/Administration/
        read only = No

You are now done with sharing and permissions, so it is time to test the setup. Run testparm first to catch syntax errors in smb.conf. One option in the [global] section above deserves a second look: wide links = Yes together with unix extensions = No makes Samba follow symbolic links that point outside a share, so anyone who can create a symlink inside Engineering or Administration can reach, through the share, any file on the server their Unix permissions allow. Leave wide links at its default of No unless you really need it.
Then open your Windows machine and access the Samba server by its address; my server's IP is 192.168.10.4.

Let us click on the Administration directory. When I clicked it, Windows prompted me for network credentials. Let us log in with the kkhadka username and its password, since kkhadka has read and write permission on the Finance folder and read-only permission on Logistic.



After entering valid credentials I was able to log in and access the Finance folder.

But when I tried to open the HR folder with the same credentials (Windows remembers them), access was denied.


That's it for setting up Samba as a standalone file server. Samba can do much more: it can act as a PDC (Primary Domain Controller), for example. To explore further, please visit the Samba documentation.