SFTP server - users?


enor...@gmail.com

Jan 6, 2021, 5:21:43 AM
to asyncssh-users
Hi all,

is there some setuid() setgid() in asyncssh + SFTPserver?

My goal is to run an SFTP server where users are not system users but virtual UIDs.
Then I have NFS connected with the homedirs, and I need to manage access to the homedirs by UID.

Thanks
Milan

enor...@gmail.com

Jan 6, 2021, 12:22:46 PM
to asyncssh-users
Let's say I need to authorize user and after successful authorization set his UID/GID to the process.
Then SFTP subsystem should run under such UID/GID.
Some kind of fork() ?


On Wednesday, January 6, 2021 at 11:21:43 AM UTC+1, enor...@gmail.com wrote:

Ron Frederick

Jan 7, 2021, 2:01:06 AM
to enor...@gmail.com, asyncssh-users
Allowing AsyncSSH’s SFTP server to authenticate against non-local-system users is no problem. You can do your own username/password validation that maps to any SSH username you like. You can also choose which private keys clients are allowed to do public key authentication with, if you choose to support that. It’s even possible to fill in uid/gid information when responding to SFTP requests to return file attributes. However, it would be up to custom SFTP server code you wrote to do any permissions enforcement for incoming SFTP requests. The operating system won’t do that for you — all files will be accessed using whatever UID/GID is set on the Python process which is running the asyncio event loop.

As for trying to add your own setuid/setgid calls, keep in mind that with asyncio, all the coroutines are sharing a single OS-level process/thread, and these requests are being processed in parallel with one another. Any time you did a setuid/setgid, it would apply to ALL of the requests being processed at that moment. So, before every single OS call, you’d have to keep switching UIDs/GIDs if there was any operation which might have caused you to switch coroutines since the last time you did that. This would not be very efficient.

You definitely can’t fork() inside an asyncio event loop. The two programming models are fundamentally incompatible with one another.
-- 
Ron Frederick
ro...@timeheart.net



enor...@gmail.com

Jan 7, 2021, 3:36:11 AM
to asyncssh-users
Is it possible to wrap SSHServer and SFTPServer in some wrapper which will accept the connection, then fork a process and start the event loop on SSHServer?
Let's say I want to manage bind and listen on my own and let asyncssh manage the R/W operations on the created r/w pipes, like xinetd does.


On Thursday, January 7, 2021 at 8:01:06 AM UTC+1, Ron Frederick wrote:

Ron Frederick

Jan 7, 2021, 11:10:26 PM
to enor...@gmail.com, asyncssh-users
Since the asyncio TCP listeners always process data from all connections the listener spawns in the same event loop, this would be difficult. You could accept the socket yourself and then fork(), create a fresh asyncio event loop, and then call loop.connect_accepted_socket() to convert the accepted socket to an asyncio transport for an SSHServerConnection, but it’s not really clear what benefit AsyncSSH is providing to you at that point. You’d probably be better off just using a standard SFTP server like the one in OpenSSH.

The alternative would be to let the files all be owned by the UID/GID which is running the Python asyncio event loop, but have your own implementation of open() which would do enforcement of permissions. If you really want the users to not be system users, you might need to do something like that, as you can’t do a setuid or setgid without the IDs you pass to them actually being real system users/groups. Even if you are mounting something off of a remote system with NFS, the UIDs and GIDs on that NFS server need to exist on the machine mounting the volume if you want proper permissions enforcement based on UID/GID.

One other thing that AsyncSSH supports is the ability to a chroot() based on the user, so they can only see a specific subtree of files. That way, even if the UID running the Python process is the same for everyone, each user connecting in via SFTP would only be able to see “their own” files. Would that work for you? If so, there’s an example of this at https://asyncssh.readthedocs.io/en/latest/#sftp-server. See the second example specifically there which sets the “chroot” argument in MySFTPServer.



-- 
Ron Frederick
ro...@timeheart.net
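The custom open() with its own permission enforcement that the reply above describes, as an added example that is not code from this thread or from AsyncSSH: it emulates a per-user chroot and checks the file's mode bits against a virtual uid/gid that the OS knows nothing about. It is written without an asyncssh dependency so it runs stand-alone; in AsyncSSH it would be called from an SFTPServer subclass, and the user table, uids and paths are constructed for illustration.

```python
import os
import posixpath
import stat

# Constructed example table: SSH username -> (virtual uid, virtual gid, home root).
# The virtual ids need not exist on the OS; the Python process keeps its own real UID.
VIRTUAL_USERS = {"milan": (5001, 5000, "/srv/sftp/milan")}

class AccessDenied(PermissionError):
    pass

def resolve_in_root(root, client_path):
    """Emulate a per-user chroot: treat the client path as absolute inside root,
    collapse '..', follow symlinks, and refuse anything that lands outside root."""
    root_real = os.path.realpath(root)
    rel = posixpath.normpath("/" + client_path.replace("\\", "/")).lstrip("/")
    target = os.path.realpath(os.path.join(root_real, *rel.split("/"))) if rel else root_real
    if target != root_real and not target.startswith(root_real + os.sep):
        raise AccessDenied(f"path escapes root: {client_path!r}")
    return target

def unix_allows(st_mode, st_uid, st_gid, vuid, vgid, want_write):
    """Apply the owner/group/other bits against a *virtual* uid/gid. The kernel
    only ever checks the process's real uid, so this check has to live here."""
    if vuid == st_uid:
        shift = 6
    elif vgid == st_gid:
        shift = 3
    else:
        shift = 0
    needed = (stat.S_IWOTH if want_write else stat.S_IROTH) << shift
    return bool(st_mode & needed)

def guarded_open(username, client_path, write=False, users=VIRTUAL_USERS):
    """What a custom SFTP open() does for a virtual user: contain the path, run the
    permission check the OS cannot do, then open with the process's real UID."""
    vuid, vgid, root = users[username]
    target = resolve_in_root(root, client_path)
    exists = os.path.exists(target)
    if not exists and not write:
        raise FileNotFoundError(client_path)
    # Creating a new file needs write permission on the containing directory.
    st = os.stat(target if exists else os.path.dirname(target))
    if not unix_allows(st.st_mode, st.st_uid, st.st_gid, vuid, vgid, write):
        raise AccessDenied(f"{username} may not {'write' if write else 'read'} {client_path!r}")
    mode = "rb" if not write else ("r+b" if exists else "w+b")
    return open(target, mode)
```

Note that on an NFS mount the st_uid/st_gid values come from the server, so this check compares them with the virtual ids directly rather than relying on them existing locally.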



enor...@gmail.com

Jan 8, 2021, 3:56:23 AM
to asyncssh-users
Thank you for the explanation. My goal is to write an SFTP server for both Linux and Windows with some added features and manage files for different UIDs there. Anyway, I will check connect_accepted_socket() just because I wonder how it works. I also think that for Linux, OpenSSH sftp will be the better choice.



On Friday, January 8, 2021 at 5:10:26 AM UTC+1, Ron Frederick wrote: