FTP Retrieval System
OverviewThis page documents the configuration and process for allowing warehouse data requesters to retrieve their data over ftp.
The goals of this system are as follows:
- Allow users to retrieve their requested data over the internet.
- Limit users to retrieving only the data they have requested
- Disallow shell access for users - File retrieval only
- Require that users provide a username and password when retrieving their data.
- Require users to retrieve their data within a specified time frame.
- Avoid duplicating data on the server.
- Prevent users from changing data housed on the server.
- Maintain the directory structure of requested data.
- Automate the system configuration as much as possible.
The basic procedure is as follows:
- Configure the ftp server to restrict users to their home directory
- Create a user account and home directory for the data requester. The account is created with an expiration date and prohibition of ssh access.
- Create a directory tree to match that of the requested data within the users home directory.
- Use mount --bind to effectively symlink the tree in the users home directory to the requested data in the main data store.
- Generate a wget script containing the users credentials to download the requested data from the mounts in their home directory.
Preliminary ConfigurationThis section describes the steps necessary to configure the ftp server to accomplish the goals above. These steps have already been applied to viking.
Configure main data store for read-only access
chmod -r o+r /main_data_store/
This step is necessary to allow users to read the requested data over ftp while preventing them from adding, removing, or modifying data within the main data store (eg /data1/ and /data2). User accounts created for ftp retrieval will need to have read-only access to any data they might request. Skipping this step is a good way to allow unreleased data to be requested but not to exit the warehouse until read access is enabled
vsfptd configured for chroot to homeThe ftp server daemon (vsftpd) needs to be configured to force users in to their home directory. TODO document the state of /etc/vsftpd/vsftpd.conf
ftponly shellUser accounts created for ftp retrieval will need to have a valid shell specified to complete authentication with the ftp server. In order to permit ftp authentication while preventing real ssh access an ftponly shell needs to be created. This is simply a shell script which echos a friendly warning message and exits. /etc/ftponlyshell
A shell script on viking that echos a warning and exits immediately. * Added to /etc/shells
In order to make the ftp-only shell valid its name has been added to the file /etc/shells
Create user account on viking (if not existing)
useradd -m -e 2012-02-25 -s /etc/ftponlyshell username
- -m make a home directory
- -e YYYY-MM-DD specify expiration
- -s /etc/ftponlyshell set users shell to the warning shell
Update existing user account
usermod -e 2012-02-25 -s /etc/ftponlyshell username
- extend expiration?
- ensure shell is /etc/ftponlyshell
#Build matching directory structure for requested data in user home mkdir -p /home/username/path_to_data/ #Expose main data store directory to user mount --bind /main_data_store/path_to_data/ /home/username/path_to_data/User permissions on /main_data_store/path_to_data/ must be set accordingly
- Generate wget retrieval script with user credentials and correct path
OUT_DIR=. DWUN=username DWPW=password wget -r -c -nH -P $OUT_DIR ftp://$DWUN:$DWPW@viking.cira.colostate.edu/path_to_data/
Per User (?)
- Delete user account and home directory
- Un-mount relevant directories in /home/user/
Fix-upSome changes have overridden the above
##The following section enables sftp-only access for users in the sftponly group Subsystem sftp internal-sftp Match Group sftponly ChrootDirectory /home/%u AllowTCPForwarding no X11Forwarding no ForceCommand internal-sftp
It is necessary to give root ownership of /home/username and chmod 755 /home/username then create directories and mount.