Commit 322f2062 authored by root

feat: sshd config for sftpusers

parent dfd85989
......@@ -97,7 +97,7 @@ ou: sendermail
```
## Requirements
# Requirements
* LDAP Server
* Phamm schema + additional Objects
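Review bot: The heading re-levelling that starts at "# Requirements" (and repeats in the later hunks) is unrelated to the commit subject "feat: sshd config for sftpusers". Consider moving the heading changes to a separate docs commit so the sshd change can be reviewed and reverted on its own.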
......@@ -105,7 +105,7 @@ ou: sendermail
* Wsgi-express
* libnss-ldapd libpam-ldapd
## Installation
# Installation
```
# apt-get install python3-dev apache2-dev libpq-dev
......@@ -140,10 +140,10 @@ ProxyPassReverse /django http://localhost:8000/
allow from all
</Proxy>
```
# To run django in development:
## To run django in development:
mod_wsgi-express start-server --url-alias /static ./static mxcp/wsgi.py
# To run django as another user (eg: myuser) - Need to be root:
## To run django as another user (eg: myuser) - Need to be root:
mod_wsgi-express start-server --user=myuser --group mygroup --debug-mode --reload-on-changes --url-alias /static ./static mxcp/wsgi.py
This will generate the SECRET_KEY for the installation in the file mxcp/key_file.py
......@@ -152,13 +152,37 @@ mod_wsgi-express start-server --user=myuser --group mygroup --debug-mode --reloa
-rw------- 1 myuser sudo 65 ene 31 09:11 key_file.py
## System settings
### Users
# System settings
Following configurations are out of the scoe of this repository. Anyway , we include these additional system settings for Debian stretch in order to enable ldap authetication on your system and to jail sftpusers.
You may use it or check some external tutorial in order to enable these features, according to your system.
## Users
The sftpusers can be jailed in their own home. For that some Linux System settings are required
* Create a group named sftpusers
* Edit /etc/ssh/sshd_cnfig to jail users in sftpusers group
```
AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
PrintMotd no
Subsystem sftp /usr/lib/openssh/sftp-server -u 0002
UsePAM yes
X11Forwarding yes
Match Group sftpusers
AllowAgentForwarding no
AllowTcpForwarding no
ChrootDirectory /home/sftpusers
ForceCommand internal-sftp
PermitTunnel no
X11Forwarding no
```
### Apache Vhosts
## Apache Vhosts
user can add domains through the interface which will be set up as Apache Virtualhosts by a script. If you want to enable this feature you need to:
* Dowmload the following script and place it somewhere in your system. make it only readable and executable by root:
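Review bot: The added Match block does not do what the text above it says: "jailed in their own home" is paired with `ChrootDirectory /home/sftpusers`, a single directory shared by every member of the group, so users either land in the same tree or can see each other's directories if their homes sit below it. Use a per-user token such as `ChrootDirectory %h` if per-user jails are intended. The steps should also state that sshd requires the chroot path and every parent component to be owned by root and not writable by group or others, otherwise the login is refused. The `-u 0002` on the `Subsystem sftp` line is not carried over to `ForceCommand internal-sftp`; if that umask is meant for jailed users, write `ForceCommand internal-sftp -u 0002`. The file name in the bullet is misspelled as `/etc/ssh/sshd_cnfig`, and the new paragraph has "scoe" and "authetication".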
......@@ -175,11 +199,9 @@ IncludeOptional ldap-enabled/*.conf
*/5 * * * * /bin/sleep `/usr/bin/numrandom /0..60/`s ; /bin/bash /path/of/script/system-cron/ldapsearch.sh > /dev/null 2>&1
# Enable ldap authentication
Following configurations are out of the scoe of this repository. Anyway , we include these additional system settings for Debian stretch in order to enable ldap authetication on your system.
You may use it or check some external tutorial in order to enable it, according to your system.
## Enable ldap authentication
## nscld
### nscld
Configure /etc/nslcd.conf according to your system. An example to allow users in ou=People,dc=example,dc=tld to authenticate to servcies (ssh, openvpn, apache etc) :
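Review bot: The re-levelled heading "### nscld" still misspells the daemon name. The line below it refers to /etc/nslcd.conf, so the heading should read "### nslcd"; since the line is being changed anyway, fix it in this commit.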
......@@ -227,7 +249,7 @@ olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
```
## nsswitch
### nsswitch
Edit /etc/nsswitch.conf
......