Not logged in - Login
< back

FTP Retrieval System

Overview

This page documents the configuration and process for allowing warehouse data requesters to retrieve their data over ftp.

The goals of this system are as follows:

  • Allow users to retrieve their requested data over the internet.
  • Limit users to retrieving only the data they have requested
  • Disallow shell access for users - File retrieval only
  • Require that users provide a username and password when retrieving their data.
  • Require users to retrieve their data within a specified time frame.
  • Avoid duplicating data on the server.
  • Prevent users from changing data housed on the server.
  • Maintain the directory structure of requested data.
  • Automate the system configuration as much as possible.

The basic procedure is as follows:

  1. Configure the ftp server to restrict users to their home directory
  2. Create a user account and home directory for the data requester. The account is created with an expiration date and prohibition of ssh access.
  3. Create a directory tree to match that of the requested data within the users home directory.
  4. Use mount --bind to effectively symlink the tree in the users home directory to the requested data in the main data store.
  5. Generate a wget script containing the users credentials to download the requested data from the mounts in their home directory.

Preliminary Configuration

This section describes the steps necessary to configure the ftp server to accomplish the goals above. These steps have already been applied to viking.

Configure main data store for read-only access

chmod -r o+r /main_data_store/

This step is necessary to allow users to read the requested data over ftp while preventing them from adding, removing, or modifying data within the main data store (eg /data1/ and /data2). User accounts created for ftp retrieval will need to have read-only access to any data they might request. Skipping this step is a good way to allow unreleased data to be requested but not to exit the warehouse until read access is enabled

vsfptd configured for chroot to home

The ftp server daemon (vsftpd) needs to be configured to force users in to their home directory. TODO document the state of /etc/vsftpd/vsftpd.conf

ftponly shell

User accounts created for ftp retrieval will need to have a valid shell specified to complete authentication with the ftp server. In order to permit ftp authentication while preventing real ssh access an ftponly shell needs to be created. This is simply a shell script which echos a friendly warning message and exits. /etc/ftponlyshell
A shell script on viking that echos a warning and exits immediately. * Added to /etc/shells
In order to make the ftp-only shell valid its name has been added to the file /etc/shells

Automated configuration

Setup

Per User

Create user account on viking (if not existing)

useradd -m -e 2012-02-25 -s /etc/ftponlyshell username

  • -m make a home directory
  • -e YYYY-MM-DD specify expiration
  • -s /etc/ftponlyshell set users shell to the warning shell

Update existing user account

usermod -e 2012-02-25 -s /etc/ftponlyshell username

  • extend expiration?
  • ensure shell is /etc/ftponlyshell

Per Request

#Build matching directory structure for requested data in user home
mkdir -p /home/username/path_to_data/

#Expose main data store directory to user
mount --bind /main_data_store/path_to_data/ /home/username/path_to_data/
User permissions on /main_data_store/path_to_data/ must be set accordingly
  • Generate wget retrieval script with user credentials and correct path

OUT_DIR=.
DWUN=username
DWPW=password
wget -r -c -nH -P $OUT_DIR ftp://$DWUN:$DWPW@viking.cira.colostate.edu/path_to_data/

Tear Down

Per User (?)

  • Delete user account and home directory

Per Request

  • Un-mount relevant directories in /home/user/

Fix-up

Some changes have overridden the above setup. Configuration of /etc/ssh/sshd_config

##The following section enables sftp-only access for users in the sftponly group
Subsystem sftp internal-sftp
Match Group sftponly
        ChrootDirectory /home/%u
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

It is necessary to give root ownership of /home/username and chmod 755 /home/username then create directories and mount. Script performs user set /var/DWUtils/FTPAccount/usermaker.sh Script for user deletion /var/DWUtils/FTPAccount/userdel.sh Created user account ftpacctmaker added to sudoers with nopassword access for above scripts only. web codebehind executes above script under ftpacctmaker account to create account and set up mounts.