Reference

Table of Contents

Classes

Defined types

Data types

Classes

sftp_jail

Manage SFTP Jails

Parameters

The following parameters are available in the sftp_jail class:

jails

Data type: Hash[String[1],Hash]

Jails to create. See sftp_jail::jail for more details.

Default value: {}

users

Data type: Hash[String[1],Hash]

Users to create. See sftp_jail::user for more details.

Default value: {}

chroot_base

Data type: Stdlib::Absolutepath

All jails are located in this directory.

Default value: '/chroot'

sub_dirs

Data type: Sftp_jail::Sub_dirs

A list of default subdirectories to ensure in every SFTP user's home. Having a default list of subdirectories is especially useful when many users need exactly the same directory structure in their home. This list can be overwritten or extended for each user separately; see sftp_jail::merge_subdirs.

Default value: []

merge_subdirs

Data type: Boolean

Merge each user's list of subdirectories (sftp_jail::user::sub_dirs) with the default list of subdirectories (sftp_jail::sub_dirs)?

Default value: false

password_authentication

Data type: Enum['yes', 'no']

Default Password Authentication setting for SFTP jails. This will only impact SFTP users which are put in a chroot jail by this module.

Default value: 'no'
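A complete declaration of the class, as an added example that is not part of the module's own reference. It assumes, as the "See sftp_jail::jail" and "See sftp_jail::user" notes imply, that each key of the jails and users hashes becomes the resource title and each value its parameters; the directory names, user names and group names are constructed for the example.

```puppet
# Added example (not from the module's documentation). Assumes the `jails`
# and `users` hashes are turned into `sftp_jail::jail` / `sftp_jail::user`
# resources, title taken from the key and parameters from the value.
class { 'sftp_jail':
  chroot_base             => '/chroot',
  # Layout every jailed user gets in their home (constructed names).
  sub_dirs                => ['incoming', 'outgoing', 'archive'],
  # true: a user's own sub_dirs are added to the default list instead of
  # replacing it.
  merge_subdirs           => true,
  # Module default; jailed SFTP users authenticate with public keys only,
  # which must be provisioned outside this module.
  password_authentication => 'no',
  jails                   => {
    'shared_jail' => {
      'user'        => 'writeuser',
      # A group shared by all users of the jail gives them write access to
      # /incoming, as described in the "Shared jail" example.
      'group'       => 'sftpusers',
      # Group sshd matches on when redirecting users into this jail.
      'match_group' => 'sftpusers',
    },
  },
  users                   => {
    'readuser' => {
      'jail'     => '/chroot/shared_jail',   # no trailing slash
      # With merge_subdirs => true this home ends up with incoming,
      # outgoing, archive and reports.
      'sub_dirs' => ['reports'],
    },
  },
}
```

The users and groups named here must already exist on the node; the module only creates the jail directories and ownership.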

Defined types

sftp_jail::jail

A jail can have one or multiple users. With multiple users, they can share data via the /incoming directory.

Examples

Single user

```puppet
# The `sftp_jail::jail` resource creates a jail with a single home directory
# and an `incoming` directory. `incoming` is owned by the user and group
# provided when declaring the resource:
sftp_jail::jail { 'myjail':
  user  => 'bbriggs',
  group => 'bbriggs',
}
```

Shared jail

```puppet
# Sometimes, more than one user will need to access the same jail, but with
# different permissions. For instance, one may need read-write access while
# another is limited to read-only. In such a case, first create the jail with
# your write user and set up a match_group that redirects users. Again, the
# users and groups must already exist.
sftp_jail::jail { 'shared_jail':
  user        => 'writeuser',
  group       => 'writegroup',
  match_group => 'sftpusers',
}
# Now add a user to your jail.
sftp_jail::user { 'readuser':
  jail => '/chroot/shared_jail',
}
# To share write access to `/incoming`, set the `group` parameter of
# `sftp_jail::jail` to a group that is common to both users, such as the
# `sftpusers` group that you might use to redirect users into a jail.
```

Parameters

The following parameters are available in the sftp_jail::jail defined type:

jail_name

Data type: Sftp_jail::File_name

The jail's name.

Default value: $name

user

Data type: Sftp_jail::User_name

The user that will own the corresponding home directory in the jail, giving the user a place to land. Also sets user ownership for /incoming.

Default value: $name

group

Data type: Sftp_jail::User_name

The group that will own the corresponding home directory in the jail, giving the user a place to land. Also sets group ownership for /incoming.

Default value: $user

sub_dirs

Data type: Sftp_jail::Sub_dirs

This directory structure is enforced in the user's home.

Default value: $sftp_jail::sub_dirs

merge_subdirs

Data type: Boolean

Merge sub_dirs with the default sub_dirs?

Default value: $sftp_jail::merge_subdirs

match_group

Data type: Sftp_jail::User_name

Set the group that SSHd will look for when redirecting users to the jail. Useful for shared jails. Defaults to the value of group.

Default value: $group

password_authentication

Data type: Enum['yes', 'no']

Can the user log in with a password? Public key authentication is generally recommended and has to be configured outside of the scope of this module.

Default value: $sftp_jail::password_authentication

sftp_jail::user

Used for shared jails to allow multiple users to write, or to allow one user to write and others to read-only.

Examples

Add user to the jail myjail

```puppet
sftp_jail::user { 'bob':
  jail => '/chroot/myjail',
}
```

Add user to the jail myjail and assign permissions

```puppet
sftp_jail::user { 'bob':
  group => 'myjail_write',
  jail  => '/chroot/myjail',
}
```

Parameters

The following parameters are available in the sftp_jail::user defined type:

jail

Data type: Stdlib::Absolutepath

The path of the jail's base directory, such as /chroot/myjail. Do not include a trailing slash.

user

Data type: Sftp_jail::User_name

The username that will own the corresponding home directory in the jail, giving the user a place to land.

Default value: $name

group

Data type: Sftp_jail::User_name

The group that will own the corresponding home directory in the jail.

Default value: $user

sub_dirs

Data type: Sftp_jail::Sub_dirs

This directory structure is enforced in the user's home.

Default value: $sftp_jail::sub_dirs

merge_subdirs

Data type: Boolean

Merge sub_dirs with the default sub_dirs?

Default value: $sftp_jail::merge_subdirs

Data types

Sftp_jail::File_name

The name of a file. Not a full path!

Alias of Pattern[/\A[^\/\0]+\z/]

Sftp_jail::Sub_dirs

A list of subdirectories

Examples

A valid subdirectory

```
As!8df/[1qwEr/zXcv0'
```

Alias of Array[Pattern[/\A([^\/\0]+\/*)*\z/]]

Sftp_jail::User_name

From useradd(8): It is usually recommended to only use usernames that begin with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes. They can end with a dollar sign. Usernames may only be up to 32 characters long.

Many installations also allow capitals or periods, for example to separate first and last names.

Alias of Pattern[/\A[a-zA-Z_]([a-zA-Z.0-9_-]{0,30}[a-zA-Z0-9_$-])?\z/]