Configuring an SFTP server with OpenSSH on a raidz
After seeing how to configure an SFTP server with OpenSSH, let's try to go a little further this time by setting up an SFTP server (still with OpenSSH) based on a raidz (ZFS raid).
It's basically the same thing as the other tutorial on the subject, except here we also need to manage the raidz and datasets.
To do this, we continue with OmniOS, even though the configuration is almost identical on OpenIndiana.
In order, we will:
1) Configure the same type of SFTP server with OpenSSH as in the previous tutorial, with one group allowing connection and another denying it, chrooting users to their home directory.
2) Create an encrypted ZFS storage pool with disk mounting in raidz3 (the most expensive of all... everyone will adjust!)
3) Create a dataset (also encrypted) on the pool for each user, applying lz4 data compression.
4) Create specific users for our SFTP server, directly chrooted into their respective dataset.
5) Apply the necessary permissions.
6) See what happens when the server is restarted.
The choice of raidz3 is intentional (even though it is very rarely used due to its cost), everyone will adjust the command to their needs:
Apart from specifying the number of disks and the raidz level in the command, everything else is identical.
Switch to root for the entire configuration
1) Configure the OpenSSH server:
Create groups allowing and denying user connection.
groupadd sftpexgroupadd nosftpModification of the file /etc/ssh/sshd_config
vi /etc/ssh/sshd_config( Install nano if you are not familiar with vi : pkg install nano )
scroll down in the file and apply the modifications as follows:
# no default banner path
Banner none
# override default of no subsystems
Subsystem sftp internal-sftp
Match Group nosftp
ForceCommand /usr/bin/false
Match Group sftpex
ChrootDirectory /SFTP/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding noRestart ssh
svcadm restart svc:/network/ssh:default2) Pool on raidz
As a reminder, there are 3 levels of ZFS RAID.
raidz1 (equivalent to RAID 5) requires a minimum of 3 disks. It tolerates the failure of one disk out of 3.
raidz2 (equivalent to RAID 6) requires a minimum of 4 disks. It tolerates the failure of 2 disks out of 4.
raidz3 (equivalent to RAID 7) requires a minimum of 5 disks. It tolerates the failure of 3 disks out of 5.
Additionally, there's an equivalent of RAID mirroring in ZFS, called 'mirror', often used to provide redundancy for raidz arrays.
Connect the disks if they are not already connected.
Identify them in the system.
echo | formator
iostat -En(For example, we will take the following disks: c2t0d0, c3t0d0, c4t0d0, c5t0d0, c6t0d0)
Create the encrypted raidz3 pool. We will name it 'SFTP' for the example.
zpool create -O encryption=on -O keyformat=passphrase SFTP raidz3 c2t0d0 c3t0d0 c4t0d0 c5t0d0 c6t0d0(The command will prompt you to enter a passphrase for pool encryption. Make sure to note it down.)
The created pool will be automatically mounted at /SFTP.
The following commands can be used to check the pool status :
zpool status SFTPzpool status -x3) Create the encrypted and compressed dataset for each user.
To ensure that each user is chrooted into their dataset using our OpenSSH configuration, we will name the datasets the same as the users we will create later on.
For now, let's create the first dataset and assign it to the future user 'marcel'.
We will encrypt and compress the dataset using lz4.
Many options exist in ZFS for datasets to be adjusted according to the needs.
zfs create -o encryption=on -o keyformat=passphrase -o compression=lz4 SFTP/marcel(The command will prompt you to enter a passphrase for dataset encryption. Make sure to note it down.)
This double encryption provides better granularity.
4) Create the SFTP user
We have chosen 'marcel'. It's time to create him, add him to the connection group, and match his home directory with the dataset intended for him.
useradd -G sftpex -s /bin/false -d /SFTP/marcel marcelpasswd utilisateur(Choose a login password for the user)
5) Permissions
Create the data directory inside the user's dataset, where the user will have full permissions:
mkdir /SFTP/marcel/DATAchown marcel:sftpex /SFTP/marcel/DATAchmod 700 /SFTP/marcel/DATATest 'marcel's connection to his SFTP directory.
6) What to do in case of server reboot?
For whatever reason, the server needs to be restarted.
During the reboot, the ZFS SFTP pool will be automatically remounted... but not the datasets!
/SFTP will be empty.
Unless configured to automatically remount the datasets, it will need to be done manually.
Here's how:
Load the passphrase for the dataset to be remounted:
zfs load-key SFTP/marcel(You will be asked to re-enter the passphrase used during the dataset creation)
Remount the dataset:
zfs mount SFTP/marcelNow /SFTP/marcel is available again.