LOLPIGZ

How to set up and chroot SFTP users with OpenSSH 5.1p1 in Ubuntu 8.10

(This is mostly an edited copy-and-paste from a forum post I wrote several months ago.)

I had been wanting to set up an encrypted-transaction FTP server for a while (SFTP) in a chrooted environment, so I did a few hours of half-baked-blog parsing and keyboard-pounding in order to figure this out in a way that would work consistently, even if it isn’t 100% efficient. Your noob-radar should be flashing right about now ;). Since version 4.8, openssh has had the ability to (fairly) easily chroot sftp users into a specified directory using a new sshd_config directive, ChrootDirectory. The purpose of this guide is to demonstrate how to set up a simple chrooted sftp system from square one implementing this self-contained chroot mechanism (using only openssh without the need for rssh), and how to add users under this paradigm.

(1) Installation and initial configuration

It is possible that ssh is not installed, so:

$ sudo apt-get install ssh

We need to configure the sftp subsystem to use the internal sftp module. Open

/etc/ssh/sshd_config

in a text editor (you will probably have to use “sudo”), and find the line that starts with “Subsystem sftp”. Comment out (or delete) this line, and replace it with:

Subsystem sftp internal-sftp

Save and exit your editor.

(2) User Setup

This section should be repeated for each user to whom you grant sftp-only access.

Because sftp (as included with openssh) wraps around ssh, your users are going to need system accounts. Let’s prepare a user named “johndoe” (replace “johndoe” with whatever new user account you wish). The user “johndoe” should, in this case, only be able to log in using sftp (as opposed to ssh) once we’re done.

$ sudo mkdir /home/johndoe
$ sudo useradd johndoe

We’ll have to set the home directory’s ownership and permissions appropriately. It’s important that root owns this directory, that its group is the user’s group, and that the permissions allow only root to write:

$ sudo chown root:johndoe /home/johndoe
$ sudo chmod 755 /home/johndoe

Force the normal login directory just in case:

$ sudo usermod -d /home/johndoe johndoe

Now give him a password:

$ sudo passwd johndoe

Give the new user a dummy shell (so they don’t have real shell access):

$ sudo usermod -s /bin/false johndoe

Now we need to indicate that this particular user must be jailed into their home directory. Once again, open /etc/ssh/sshd_config in a text editor, and add the following at the end of the file:

Match User johndoe
      ChrootDirectory /home/johndoe
      ForceCommand internal-sftp

Now, user johndoe should have read access to his home directory. Let’s give him a place to upload stuff:

$ sudo mkdir /home/johndoe/upload
$ sudo chown johndoe:johndoe /home/johndoe/upload
$ sudo chmod 755 /home/johndoe/upload

Done! Restart the ssh daemon (run this any time you want changes to become effective):

$ sudo /etc/init.d/ssh restart
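The ownership rule above is the step people most often get wrong, and sshd enforces it strictly: the ChrootDirectory and every directory above it must be owned by root and must not be group- or world-writable, or the user just sees “Connection closed” and sshd logs “bad ownership or modes for chroot directory component” in /var/log/auth.log. Here is an added example script (mine, not part of the original post; function names are my own) that checks a directory the way sshd will before you paste the Match block in:

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a directory is
# usable as an sshd ChrootDirectory, then print the Match stanza for it.
# sshd applies the rule from the post strictly: the directory AND every
# ancestor must be owned by root and must not be group- or world-writable.

# chroot_component_issues PATH
# Print one line per problem with a single directory; print nothing if OK.
# Parses `ls -ld`, whose first (mode) and third (owner) fields are the same
# on GNU and BSD userland.
chroot_component_issues() {
    p=$1
    if [ ! -d "$p" ]; then
        printf '%s: not a directory\n' "$p"
        return 0
    fi
    mode=$(ls -ld "$p" | awk '{print $1}')
    owner=$(ls -ld "$p" | awk '{print $3}')
    [ "$owner" = root ] || printf '%s: not owned by root (owner %s)\n' "$p" "$owner"
    # 6th char of the mode string is the group write bit, 9th the world write bit
    case $mode in ?????w*)    printf '%s: group-writable\n' "$p" ;; esac
    case $mode in ????????w*) printf '%s: world-writable\n' "$p" ;; esac
}

# chroot_path_issues PATH: check PATH and each ancestor up to /.
chroot_path_issues() {
    p=$1
    while :; do
        chroot_component_issues "$p"
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
}

# check_chroot PATH: return 0 if PATH can be a ChrootDirectory; otherwise
# print the problems to stderr and return 1.
check_chroot() {
    case $1 in
        /*) ;;
        *) printf '%s: ChrootDirectory must be an absolute path\n' "$1" >&2; return 1 ;;
    esac
    issues=$(chroot_path_issues "$1")
    [ -z "$issues" ] && return 0
    printf '%s\n' "$issues" >&2
    return 1
}

# sftp_match_block USER DIR: the sshd_config stanza from the post.
sftp_match_block() {
    printf 'Match User %s\n    ChrootDirectory %s\n    ForceCommand internal-sftp\n' "$1" "$2"
}

# Usage: sh check_chroot.sh johndoe /home/johndoe >> /etc/ssh/sshd_config
# (the stanza is only printed when the directory passes every check)
if [ $# -eq 2 ]; then
    check_chroot "$2" && sftp_match_block "$1" "$2"
fi
```

Run it as root against the directory you intend to jail the user into; a directory under /tmp, for instance, fails because /tmp itself is world-writable, which is exactly why sshd would refuse it too.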

(3) Giving SFTP users read access to some other directory

As an interesting aside, let’s say you (the sysadmin) have a common info/media/data directory you wish to share with your sftp users without actually copying all that data over (or allowing it to be edited/deleted/corrupted). We can do this by mounting it read-only somewhere in their login directory. They’re going to need a place to get to it:

$ sudo mkdir /home/johndoe/readonly

Now we mount our directory of choice (in this example, /home/sysadmin/junk/shared-data) as read-only in said folder:

$ sudo mount -r --bind /home/sysadmin/junk/shared-data /home/johndoe/readonly

It will probably help to have this happen automatically on startup. Anything added to rc.local will run as root at startup, so there is no need to indicate ‘sudo’. If you have multiple users (or even just one) it helps to add something like this to /etc/rc.local (before the “exit 0” line of course):

for user in johndoe marysue someguy
do
    # bind the shared directory read-only into each user's jail
    mount -r --bind /home/sysadmin/junk/shared-data "/home/$user/readonly"
done

Note: You cannot mount more than one folder/device/partition/netshare in a particular location. Doing so won’t damage anything, but the mount point will only display the object mounted last in sequence. There are other constraints which you may discover, but those are beyond the scope of this guide (and they make me drink).

February 3, 2009 • Posted in: Uncategorized • No Comments

VNC over SSH in Ubuntu 8.10 (Ubuntu to Ubuntu)

This procedure describes how to set up and connect to a VNC server over an SSH tunnel from one Ubuntu machine to another. I am making the assumption that an SSH server is already running on the host machine, and that the host is running Kubuntu. It shouldn’t be hard to figure out the equivalent autostart directory for GNOME, but for newer versions of GNOME I believe it’s in the ~/.config/autostart/ directory.

Credit goes to ubuntuguide.org and ubuntu-tutorials.org for almost all these details.

On the host (the machine which will be running the VNC server):

Install the VNC server:

$ sudo apt-get install x11vnc
$ mkdir ~/.vnc

Create the VNC server’s password file (substituting a plaintext VNC login password for YOUR_PASSWORD):

$ x11vnc -storepasswd YOUR_PASSWORD ~/.vnc/x11vnc.pass

Now create an autostart file that will run each time. For newer versions of GNOME, the path should be to a filename of your choosing in the directory ~/.config/autostart/ but I can’t promise that unless someone verifies it for me. For KDE, the path can be exactly as shown below:

$ nano ~/.kde/Autostart/x11vnc.sh

Add the following lines:

#!/bin/bash
/usr/bin/x11vnc -rfbauth ~/.vnc/x11vnc.pass -o ~/.vnc/x11vnc.log -loopbg -display :0

Save/exit the text editor, then make the autostart file executable.

$ chmod +x ~/.kde/Autostart/x11vnc.sh

Run the autostart file (or reboot the machine) to start the VNC server:

$ ~/.kde/Autostart/x11vnc.sh

Now, on the client machine:

Install a VNC client:

$ sudo apt-get install xvnc4viewer

Here we make the assumption that the host SSH server is running on the default port (22). Type the following command and you should enter a VNC session after being prompted first for the SSH user login password and then for the VNC login password. Substitute the proper username for “user” and the IP or domain for “host”; “localhost” is literal, do not change it:

$ vncviewer -via user@host localhost:0

In the event that the host is running its SSH server on port XYZ instead of port 22, you may use the following command, with the same caveats as above:

$ vncviewer -via "user@host -p port" localhost:0

(Can someone unit-test this for me? I’m lazy and did most of this from memory.)
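For anyone who wants to see what “-via” is doing under the hood, here is an added example (my own, not from the original post or from the x11vnc/vncviewer projects) that builds the SSH port forward explicitly. It also shows the one host-side change worth making to the autostart script: x11vnc’s -localhost option, so the server only accepts connections that arrive through the tunnel instead of from anyone on the network who can guess the VNC password. Function names and the MSMTP-style usage are assumptions of mine.

```shell
#!/bin/sh
# Added example, not part of the original post: the explicit SSH tunnel that
# "vncviewer -via" sets up for you, with the VNC server reachable only over
# that tunnel. Function names are my own.

# vnc_port N: VNC display :N listens on TCP port 5900 + N.
vnc_port() {
    echo $((5900 + $1))
}

# tunnel_cmd USER HOST SSHPORT REMOTE_DISPLAY LOCAL_PORT
# Print the ssh command that forwards LOCAL_PORT on the client to the VNC
# display on HOST. The forward's destination is 127.0.0.1 as seen from HOST,
# so the server there can be started with "x11vnc -localhost ..." and never
# has to accept VNC connections from the network at all.
tunnel_cmd() {
    printf 'ssh -f -N -p %s -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$3" "$5" "$(vnc_port "$4")" "$1" "$2"
}

# Usage: sh vnc_tunnel.sh user host 22 0
# Host side (the post's autostart line, plus -localhost):
#   /usr/bin/x11vnc -localhost -rfbauth ~/.vnc/x11vnc.pass -o ~/.vnc/x11vnc.log -loopbg -display :0
if [ $# -eq 4 ]; then
    # Local port 5901 is "display :1" as far as vncviewer is concerned.
    sh -c "$(tunnel_cmd "$1" "$2" "$3" "$4" 5901)" && vncviewer localhost:1
fi
```

With the server bound to loopback, a port scan of the host shows only SSH, and the VNC password becomes a second factor behind the SSH login rather than the only thing standing between the desktop and the network.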

MAGIC 8O

December 25, 2008 • Posted in: Linux • No Comments

Automatic horizontal scrollbars in Wordpress <code> blocks

Since wrapped lines of code in Wordpress’ <code> blocks are obnoxious, here’s how to make a horizontal scrollbar automagically appear when a line runs past the edge of the block, instead of wrapping and confuzzling things.

Edit your theme’s style.css file. Find the block that starts:

#content code {
   ...
}

Inside the braces, add a line somewhere that reads:

overflow: auto;

For example, this part of my style.css file now reads:

#content blockquote, #content code {
  border-left: 5px #DDD solid;
  background: #F5F5F5;
  padding: 5px 0 2px 10px;
  margin: 0 0 10px 20px;
}

#content code {
        font: 12px Monaco, "Lucida Console", "Courier New", "Courier", monospace;
        display: block;
        overflow: auto;
}

Now go back through the HTML of one of your postings and nest all <code></code> blocks inside <pre></pre> blocks. E.g., where you once had something like:

<code>$ example</code>

You will now have something like this:

<pre><code>$ example</code></pre>

That’s all!

MAGIC 8O

November 12, 2008 • Posted in: Linux • 1 Comment

Scriptable sendmail via Gmail in Ubuntu 8.04*

*There’s no reason this shouldn’t work in later versions.

The purpose of this setup is to configure Ubuntu Linux so that you can send an email with a single command from a bash terminal. The idea behind this is that once set up to do it, your computer can now actively alert you (or others) to state changes of your choosing (or not). Phosphorus and Lime deserves accolades for a great deal of this procedure. My omissions/simplifications assume that you are setting this up from scratch, and are only planning to use this through an existing gmail account.

Now then. You’re going to need a mail client and an SMTP handler. For these purposes, mailx and msmtp, respectively, will serve you well.

$ sudo apt-get install mailx msmtp

Google’s SMTP service (kindly provided free for gmail account holders) makes use of Thawte SSL certificates. Since /etc is only writable by root (meaning “sudo sudo sudo sudo”), let’s dump and configure them in ~/ like so:

$ mkdir -p ~/.etc/.certs
$ chmod 0700 ~/.etc/.certs
$ cd ~/.etc/.certs
$ wget https://www.verisign.com/support/thawte-roots.zip --no-check-certificate
$ unzip thawte-roots.zip
$ cp Thawte\ Server\ Roots/ThawtePremiumServerCA_b64.txt ThawtePremiumServerCA.crt

msmtp reads a local config file (~/.msmtprc), containing several important directives, at runtime. Open a text editor and create it:

$ nano ~/.msmtprc

…then enter the following (customized to your account):

account gmail
auth on
host smtp.gmail.com
port 587
# your email address and password on the next 3 lines...
user yourgmailaccount@gmail.com
password yourpasswordhere
from yourgmailaccount@gmail.com
tls on
tls_starttls on
# tls_trust_file argument is the full path to the certificate
# "myusername" is, uh, your user name
tls_trust_file /home/myusername/.etc/.certs/ThawtePremiumServerCA.crt
maildomain gmail.com
account default : gmail

Save and exit (or in nano’s case, exit and save) your editor, then give only yourself read/write permissions to the file:

$ chmod 600 ~/.msmtprc

Now we configure some runtime parameters for mailx:

$ nano ~/.mailrc

Add the following lines, customized to your gmail account:

set from="yourgmailaccount@gmail.com"
set sendmail="/usr/bin/msmtp"
set message-sendmail-extra-arguments="-a gmail"

Make sure you’ve opened port 587 to the outside world from your computer through your router!

Save/exit. If you’re so inclined, you can create a preformatted plaintext file which will serve as the body of the email. As you can imagine, this opens up all sorts of options to you.

Example:

$ echo "Here's some stuff that will appear in the body of the email." > /tmp/email_body.txt
$ echo -n "Sent on " >> /tmp/email_body.txt
$ date >> /tmp/email_body.txt

You should be able to fire off an email to example@gmail.com using the syntax shown:

$ mailx -s "O HAI SUBJECT LINE" example@gmail.com < /tmp/email_body.txt
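Two things about this setup are worth checking before you wire it into a cron job. First, ~/.msmtprc contains your Gmail password in plaintext, which is why the chmod 600 step matters (msmtp itself also refuses to use a config file that others can read). Second, the wget above fetches the trust root with certificate checking turned off, so nothing vouches for that file; compare its fingerprint with one published by the CA before relying on it. Here is an added example wrapper (mine, not part of the original post or of mailx/msmtp) that refuses to send while the config permissions are wrong and builds the body the same way the echo/date commands do; the MSMTPRC override and the function names are assumptions of my own:

```shell
#!/bin/sh
# Added example, not part of the original post: a small wrapper around the
# mailx/msmtp setup above that refuses to send while ~/.msmtprc is readable
# by anyone but its owner. MSMTPRC and the function names are mine.

# msmtprc_mode_ok FILE: 0 if FILE exists and has no group/other permission bits.
msmtprc_mode_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(ls -l "$f" | awk '{print $1}')
    # mode string looks like -rw-------; characters 5 to 10 are the group
    # and other bits, and all six must be clear (i.e. chmod 600)
    case $mode in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# msmtprc_has_plain_password FILE: 0 if a "password" directive is present,
# which is what makes the permission check matter in the first place.
msmtprc_has_plain_password() {
    grep -q '^[[:space:]]*password[[:space:]]' "$1"
}

# build_body FILE MESSAGE: write MESSAGE plus a "Sent on <date>" line to FILE,
# the same thing the echo/date commands in the post do by hand.
build_body() {
    printf '%s\nSent on %s\n' "$2" "$(date)" > "$1"
}

# send_alert RECIPIENT SUBJECT MESSAGE: build the body and hand it to mailx,
# which delivers through msmtp per ~/.mailrc. Nonzero status means nothing
# was sent (bad config permissions) or mailx/msmtp failed.
send_alert() {
    rc=${MSMTPRC:-$HOME/.msmtprc}
    if ! msmtprc_mode_ok "$rc"; then
        printf 'refusing to send: %s must exist and be mode 0600 (chmod 600 %s)\n' "$rc" "$rc" >&2
        return 1
    fi
    body=$(mktemp) || return 1
    build_body "$body" "$3"
    mailx -s "$2" "$1" < "$body"
    status=$?
    rm -f "$body"
    return $status
}

# Usage: sh send_alert.sh example@gmail.com "disk almost full" "/ is at 95%"
if [ $# -eq 3 ]; then
    send_alert "$1" "$2" "$3"
fi
```

Call send_alert from whatever script watches the state you care about; the subject and message are passed as arguments rather than interpolated into a shell string, so a message containing quotes or a $ does not break the command.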

MAGIC 8O

November 11, 2008 • Posted in: Linux • 3 Comments