{"id":1006,"date":"2016-12-21T17:27:01","date_gmt":"2016-12-21T23:27:01","guid":{"rendered":"http:\/\/blog.ls-al.com\/?p=1006"},"modified":"2016-12-21T17:27:59","modified_gmt":"2016-12-21T23:27:59","slug":"solaris-sftp-containment-multiple-nodes","status":"publish","type":"post","link":"https:\/\/blog.ls-al.com\/solaris-sftp-containment-multiple-nodes\/","title":{"rendered":"Solaris SFTP Containment Multiple Nodes"},"content":{"rendered":"<p>Previous post explaining SFTP containment: http:\/\/blog.ls-al.com\/sftp-containment-solaris-10\/<\/p>\n<p>That solution does not work in a clustered environment. Since then I did also play with loop back (LOFS in Solaris) mounts to a NFS folder. That also works but it had issues being in the vfstab at boot time.<\/p>\n<p><strong>Below is my final solution:<\/strong><br \/>\n- Since i am trying to avoid number of mounts I also used autofs in this case.<br \/>\n- Create a NFS share INTERFACES so we can share across multiple nodes.<br \/>\n- In order to not add more mounts I did this with autofs. If that does not work on bootup we can can just make a permanent \/etc\/vfstab mount.<br \/>\n- In our case the application use the following logical path so we need a soft link to our containment area. Soft link svcaccxfr -&gt; \/opt\/interfaces\/svcaccxfr\/ in application tree.<\/p>\n<p><strong>Make direct automount<\/strong><br \/>\n# grep direct \/etc\/auto_master<br \/>\n\/- auto_direct -ro<br \/>\n# cat \/etc\/auto_direct<br \/>\n\/opt\/interfaces -rw,vers=3 10.2.13.35:\/export\/INTERFACES<\/p>\n<p># svcadm refresh autofs<br \/>\n# svcadm restart autofs<\/p>\n<p><strong>Ensure match in sshd correct folder<\/strong><br \/>\n# tail -10 \/etc\/ssh\/sshd_config<br \/>\nMatch User svcxfr<br \/>\nChrootDirectory \/opt\/interfaces\/svcxfr<br \/>\nAllowTCPForwarding no<br \/>\nX11Forwarding no<br \/>\nForceCommand internal-sftp -u 017 -l info<\/p>\n<p><strong>Folders and permissions<\/strong><br \/>\n# cd \/opt<br \/>\n# ls -l | grep interfaces<br \/>\ndrwxr-xr-x 3 root root 3 Dec 21 14:12 interfaces<br \/>\n# cd interfaces\/<br \/>\n# ls -l | grep svcxfr<br \/>\ndrwxr-xr-x 3 root root 3 Dec 21 14:13 svcxfr<br \/>\n# ls -l | grep svcxfr\/uploads<br \/>\n# cd svcxfr\/<br \/>\n# ls -l | grep uploads<br \/>\ndrwxrwxr-x 2 ebsppe_a ebsppe 3 Dec 21 14:50 uploads<\/p>\n<p><strong>Check soft link<\/strong><br \/>\n# cd \/apps\/ebs11i\/appltop\/xxnp\/11.5.0\/interfaces<br \/>\n# ls -l | grep interfaces<br \/>\nlrwxrwxrwx 1 root root 26 Dec 21 14:14 svcxfr -&gt; \/opt\/interfaces\/svcxfr\/<\/p>\n<p><strong>Test client<\/strong><br \/>\n$ sftp svcxfr@server1<br \/>\nPassword:<br \/>\nConnected to server1.<br \/>\nsftp&gt; dir<br \/>\nuploads<br \/>\nsftp&gt; cd uploads<br \/>\nsftp&gt; put zfsrest_test1.py<br \/>\nUploading zfsrest_test1.py to \/uploads\/zfsrest_test1.py<br \/>\nzfsrest_test1.py 100% 1934 1.9KB\/s 00:00<br \/>\nsftp&gt; exit<\/p>\n<p><strong>Can check sftp issues here.<\/strong><\/p>\n<p>For example sftp containment does not work if root does not own top levels.<br \/>\n# tail -f \/var\/log\/authlog<br \/>\nDec 21 14:49:48 server1\u00a0sshd[12790]: [ID 800047 auth.info] Accepted keyboard-interactive for svcxfr from 192.168.38.104 port 39788 ssh2<br \/>\nDec 21 14:49:49 server1\u00a0sshd[12790]: [ID 800047 auth.info] subsystem request for sftp<br \/>\nDec 21 14:50:04 server1\u00a0sshd[12790]: [ID 800047 auth.info] Received disconnect from 192.168.38.104: 11: disconnected by user<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Previous post explaining SFTP containment: http:\/\/blog.ls-al.com\/sftp-containment-solaris-10\/ That solution does not work in a clustered environment. Since then I did also<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14,21],"tags":[],"class_list":["post-1006","post","type-post","status-publish","format-standard","hentry","category-solaris","category-ssh"],"_links":{"self":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/1006","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/comments?post=1006"}],"version-history":[{"count":0,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/1006\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/media?parent=1006"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/categories?post=1006"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/tags?post=1006"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}