Single sign on for SFTP that does not include root user

LANLocked
Posts: 4
Joined: 2005/04/04 15:15:13

Single sign on for SFTP that does not include root user

Post by LANLocked » 2006/12/08 19:22:17

I have a network of many sites hosted on many machines to which I have site designers that need access to upload/download files. In the past a single non-root user account was used by all of the designers to do all of their uploading/downloading to the web servers (using sftp via FileZilla). It has been decided by myself that the current system allows for many mistakes to be made unaccounted for (i.e. I am tired of restoring deleted documents from backup and would like to keep track of who deleted/uploaded what/when).

As a solution I have created openssh rpms with the sftp-logging patch (http://sftplogging.sourceforge.net/) so that there will be an ftp style log trail. I also plan to create separate unique user accounts for all of the designers. The problem that I run into is password management. Maintaining one user/pass combo across many machines is trivial however keeping up with many user/pass combos across many machines is (much) more difficult.

Thus my question is this. Is it possible to set up a single login server for certain user accounts via either LDAP, NSS/NIS, Samba, etc., so that I can create a unique user account for each designer that could be maintained in one location? The caveat is that I want to maintain unique root passwords for all of these machines as they are facing the internet -- yes, I have SSH restricted to certain blocks of IP addresses, however I am somewhat paranoid and do not want any single point of entry to the entire network. Part of this upgrade will be to disallow root logins via ssh as well, however I still would like to maintain unique root passwords for each machine if it is possible.

I apologize in advance for the long post. If this is not the correct area for this post please point me in the right direction.

Thank you in advance.
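The setup asked for above (designer accounts served from a central LDAP directory, root and other local accounts resolved only from each host's own /etc/passwd and /etc/shadow, no root over ssh) comes down to three files per host plus one discipline on the directory side. The script below is an added example, not code from the thread or from any CentOS tool: it stages constructed fragments of nsswitch.conf, sshd_config and an LDIF export (the designers, UIDs and dc=example,dc=com are made up) and then runs the checks a practitioner would want before trusting the arrangement on an internet-facing box. It relies on two documented behaviours: NSS consults its sources in the order listed, and sshd uses the first occurrence of a keyword in sshd_config.

```shell
#!/bin/sh
# Added example, not from the thread: per-host configuration for
# "designers from LDAP, root stays local", plus checks for the two
# mistakes that would turn the directory into a single point of entry.
# dc=example,dc=com, the designers and their UIDs are constructed.

TMP=$(mktemp -d)

# /etc/nsswitch.conf fragment. 'files' before 'ldap' means root and every
# other local account resolve from this host's /etc/passwd and /etc/shadow;
# only names missing locally fall through to the directory.
cat > "$TMP/nsswitch.conf" <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
EOF

# The reverse order would let a directory entry named root shadow the
# local one. Kept here only as a negative case for the check.
cat > "$TMP/nsswitch.bad" <<'EOF'
passwd:     ldap files
EOF

# sshd_config fragment: no root over ssh at all; only the designers group
# (held in LDAP) and local admins may log in.
cat > "$TMP/sshd_config" <<'EOF'
Protocol 2
PermitRootLogin no
AllowGroups designers wheel
EOF

# What the central directory should hold: one posixAccount per designer,
# UIDs above the local range, and never uid root or uidNumber 0.
cat > "$TMP/designers.ldif" <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/alice
loginShell: /bin/sh

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 10002
gidNumber: 10000
homeDirectory: /home/bob
loginShell: /bin/sh
EOF

# 0 when each NSS database named on the command line lists 'files' first.
nss_local_first() {
    conf=$1; shift
    for db in "$@"; do
        first=$(awk -v db="$db" '$1 == (db ":") { print $2; exit }' "$conf")
        [ "$first" = "files" ] || return 1
    done
    return 0
}

# 0 when sshd_config disables root logins. sshd honours the first
# occurrence of a keyword, so the first one is the one that counts.
sshd_root_disabled() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# 0 when the LDIF carries no entry that could stand in for root.
ldif_no_root() {
    ! grep -qiE '^(uid: *root|uidNumber: *0)[[:space:]]*$' "$1"
}

# 0 when every uidNumber in the LDIF is >= $2, so a directory UID never
# collides with a local account's UID on any host.
ldif_uids_at_least() {
    awk -v min="$2" 'tolower($1) == "uidnumber:" && $2 + 0 < min + 0 { bad = 1 }
                     END { exit bad }' "$1"
}

# Run all four checks against one host's staged configuration.
check_host() {
    nss_local_first "$1/nsswitch.conf" passwd shadow group &&
    sshd_root_disabled "$1/sshd_config" &&
    ldif_no_root "$1/designers.ldif" &&
    ldif_uids_at_least "$1/designers.ldif" 10000
}

if check_host "$TMP"; then
    echo "ok: designers come from LDAP, root stays local on this host"
else
    echo "check failed: rerun the individual functions to see which one"
fi
```

On CentOS 4 the nsswitch.conf and PAM side is normally written by authconfig (`--enableldap --enableldapauth` with the server and base DN); the point of the checks is that whatever tool wrote the files, `files` must precede `ldap`, the directory must contain no root-like entry, and sshd must refuse root outright, since with that in place each host's root password lives only in its own /etc/shadow and the directory can only ever hand out designer logins.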

rapo1
Posts: 27
Joined: 2006/06/20 11:43:02
Location: Munich

Re: Single sign on for SFTP that does not include root user

Post by rapo1 » 2006/12/13 12:58:55

Hi LANLocked

Even if I don't exactly know where your problem is, it seems to me that the use of the s-bit (sticky-bit) could help you.
The use of the s-bit (as an attribute for read/write/execute permissions) for a folder only allows the owner of a file to delete it. But any user who has access to this folder has the 777 permission.

Maybe that will help you.

LANLocked
Posts: 4
Joined: 2005/04/04 15:15:13

Re: Single sign on for SFTP that does not include root user

Post by LANLocked » 2006/12/19 17:38:39

Thank you Rapo1 for the suggestion. I am going to research this, but I really would like to have a log-trail of who/when/what. This would allow me to isolate "problematic" designers. :)
