OpenSSH SFTP Server for Config Archiving with Chroot

Posted on April 25 2022 under linux and security

Install Software and Initialize the Environment

sudo su -
apt-get install git rssh
git clone https://github.com/nkadel/rssh-chroot-tools.git
mkdir /var/backups                              # root of the chroot jail
./rssh-chroot-tools/mkchroot.sh /var/backups    # populate the jail
mkdir /var/backups/home                         # home directories inside the jail
groupadd --system backups                       # group matched in sshd_config below

Configure OpenSSH Server

Edit /etc/ssh/sshd_config so that members of the backups group can transfer files but cannot forward ports or X11. Note that PasswordAuthentication is set at the top level here, so it applies to every account; move it inside the Match block if only the backup accounts should authenticate with passwords.

PasswordAuthentication yes
Match group backups
    AllowTcpForwarding no
    X11Forwarding no

Restart OpenSSH: systemctl restart ssh

Configure RSSH

Edit /etc/rssh.conf:

Warning: leave any chrootpath = lines commented out.

allowscp
allowsftp
umask = 077
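
Before creating users it is worth checking that both files actually contain what the two sections above describe. The following audit script is an added example, not part of the original post; the function names and the constructed sample files are my own, and it tests the sample files so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit an rssh.conf and an
# sshd_config against the settings recommended above, using constructed
# sample files so the checks run offline. Function names are my own.

# 0 if rssh.conf enables scp and sftp, sets umask 077, and has no
# uncommented chrootpath line (the mistake the post warns about); 1 otherwise.
check_rssh_conf() {
    f="$1"
    grep -Eq '^[[:space:]]*allowscp[[:space:]]*$' "$f" || return 1
    grep -Eq '^[[:space:]]*allowsftp[[:space:]]*$' "$f" || return 1
    grep -Eq '^[[:space:]]*umask[[:space:]]*=[[:space:]]*077[[:space:]]*$' "$f" || return 1
    grep -Eq '^[[:space:]]*chrootpath[[:space:]]*=' "$f" && return 1
    return 0
}

# 0 if sshd_config has a "Match group backups" block that disables TCP and
# X11 forwarding before the next Match line; sshd keywords are
# case-insensitive, hence tolower().
check_sshd_match() {
    awk '
        tolower($1) == "match" { inblk = (tolower($2) == "group" && $3 == "backups"); next }
        inblk && tolower($1) == "allowtcpforwarding" && tolower($2) == "no" { tcp = 1 }
        inblk && tolower($1) == "x11forwarding" && tolower($2) == "no" { x11 = 1 }
        END { if (tcp && x11) exit 0; exit 1 }
    ' "$1"
}

# Constructed samples: a good rssh.conf, one with a wrong umask and an
# active chrootpath, and an sshd_config with the Match block from the post.
TMP=$(mktemp -d)
cat > "$TMP/rssh.conf" <<'EOF'
allowscp
allowsftp
umask = 077
#chrootpath = /var/backups
EOF
cat > "$TMP/rssh-bad.conf" <<'EOF'
allowscp
allowsftp
umask = 022
chrootpath = /var/backups
EOF
cat > "$TMP/sshd_config" <<'EOF'
PasswordAuthentication yes
Match group backups
    AllowTcpForwarding no
    X11Forwarding no
EOF
check_rssh_conf "$TMP/rssh.conf" && check_sshd_match "$TMP/sshd_config" && echo "server config OK"
```

Point the two functions at the real /etc/rssh.conf and /etc/ssh/sshd_config to audit a live host.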

Create User(s)

useradd --create-home --base-dir /var/backups/home --shell /usr/bin/rssh --groups backups <hostname>   # one account per device, named after its hostname
passwd <hostname>
./rssh-chroot-tools/mkchroot-passwd.sh /var/backups

Configure Archiving

Cisco IOS-XE

Warning: some special characters in the password cause a silent failure. If you encounter this, try escaping those characters with a backslash.

archive
 ! destination: the backup account created for this device
 path scp://<username>:<password>@<server>/<path>/
 ! keep at most 14 archived copies
 maximum 14
 ! also archive every 10080 minutes (7 days)
 time-period 10080
 ! archive whenever the running config is saved
 write-memory
 log config
  logging enable
  logging size 200
  ! mask passwords and keys in the logged commands
  hidekeys
  notify syslog
  exit
 exit