Monday, 27 February 2012

Limiting Access with SFTP Jails on Ubuntu

This post is based on this article with its comments.

In the /etc/ssh/sshd_config file edit the Subsystem like this:
Subsystem sftp internal-sftp
Add these to the end of the file:
Match group filetransfer
  ChrootDirectory %h
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp
Finally restart the OpenSSH server:
service ssh restart
Create the group for sftp access:
addgroup filetransfer
If you add this group to existing users, they are prevented from logging in via a remote shell, though the account is still reachable through su (the -a keeps the user's other supplementary groups instead of replacing them):
usermod -aG filetransfer username
chown root:root /home/username
chmod 755 /home/username
Now users cannot create anything in the root of their jail. This can be tuned, but with care: sshd refuses the chroot if the directory is not owned by root or is writable by group or others, so the last command has to stay as it is and a writable subdirectory inside the jail is the way to give users somewhere to put files. I personally use this technique to jail users who manage their own websites' content through sftp. I add those web directories with mount's bind option, as ordinary symlinks will not work from inside the chroot. You can either add bindings via /etc/fstab like this:
/existing/dir /dir/pointing/to/existing/one auto bind 0 0
or via the command line:
mount -o bind /existing/dir /dir/pointing/to/existing/one
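Because sshd silently refuses a jail whose ownership or modes are wrong (the user just sees the connection close), I find it worth checking the path before restarting the server. The script below is an added example, not part of the original post or of OpenSSH; the function names are my own, and it relies on GNU stat as shipped with Ubuntu. It walks from the ChrootDirectory up to / and rejects any component that is not root-owned or that is group- or world-writable, which is exactly the rule sshd applies.

```shell
#!/bin/sh
# Added example, not part of the original post: check that a directory named
# in ChrootDirectory meets sshd's rules. sshd refuses the login ("bad
# ownership or modes for chroot directory") unless every component of the
# path, from / down to the jail itself, is owned by root and is not writable
# by group or others. The function names here are my own.

# jail_component_ok UID MODE
# UID is the numeric owner and MODE the octal permission bits as printed by
# `stat -c %a` (e.g. 755 or 1777). Returns 0 if the component is acceptable.
jail_component_ok() {
  uid=$1
  mode=$2
  [ "$uid" -eq 0 ] 2>/dev/null || return 1
  # keep the last two octal digits: group and other
  tail=${mode#"${mode%??}"}
  case $tail in
    *[2367]*) return 1 ;;   # 2, 3, 6 and 7 all carry the write bit
  esac
  return 0
}

# jail_path_ok DIR
# Walk from DIR (no trailing slash) up to / and apply jail_component_ok to
# each directory. Uses GNU stat (coreutils), as found on Ubuntu.
jail_path_ok() {
  dir=$1
  while :; do
    info=$(stat -c '%u %a' "$dir" 2>/dev/null) || return 1
    set -- $info
    if ! jail_component_ok "$1" "$2"; then
      echo "$dir: owner uid $1, mode $2 (must be root-owned, not group/world writable)" >&2
      return 1
    fi
    [ "$dir" = / ] && return 0
    dir=$(dirname "$dir")
  done
}

# Usage: sh check_jail.sh /home/username
if [ -n "${1:-}" ]; then
  jail_path_ok "$1" && echo "$1 is usable as a ChrootDirectory"
fi
```

Run it against the home directory after the chown/chmod above; a writable upload subdirectory owned by the user is fine, because sshd only checks the jail root and its parents, not what is inside.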

Friday, 24 February 2012

Convert virtual machine disks VDI to VMDK

I recently wished to migrate my dev VM from VirtualBox to VMware. The only thing I needed was to convert the VDI virtual disk into VMware's VMDK format, as VirtualBox can read several disk types but VMware needs its own.
So, as long as VirtualBox is still installed, I could use this simple command:
vboxmanage clonehd old_virtualbox_disk.vdi new_vmware_disk.vmdk --format VMDK --variant standard
Obviously, you have to locate the vboxmanage executable on your system yourself. This command is cross-platform. :)

Sync MAC address of virtual machine

When I use VirtualBox or VMware I sometimes have to change the network adapters of the virtual guests, and in the case of my Ubuntu VMs the problem is that the MAC address expected for their ethX adapter differs from the one the host now gives them. Here is the single config file you have to update so that it contains the new address:

/etc/udev/rules.d/70-persistent-net.rules
The setting containing MAC address in the interface's line is:

ATTR{address}==""
After reboot everything is ok :)
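Editing that line by hand works, but a typo in the address leaves the guest with a renamed interface (eth1 instead of eth0) and a broken network config. The script below is an added example, not part of the original post: it validates the new MAC and rewrites only the ATTR{address} value on the line for the given interface. The function names and the sample rules file are my own constructions; the sed -i call is GNU sed as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example, not part of the original post: update the MAC address
# recorded for one interface in a udev persistent-net rules file, so that the
# rule matches the address the hypervisor now presents and the guest keeps its
# ethX name. Function names and the sample rule below are my own constructions.

# rule_mac FILE IFACE
# Print the ATTR{address} value on the line whose NAME is IFACE.
rule_mac() {
  sed -n "/NAME=\"$2\"/ s/.*ATTR{address}==\"\([^\"]*\)\".*/\1/p" "$1"
}

# set_rule_mac FILE IFACE MAC
# Validate MAC (six colon-separated hex pairs) and rewrite the rule in place.
set_rule_mac() {
  file=$1 iface=$2 mac=$3
  h='[0-9a-fA-F][0-9a-fA-F]'
  case $mac in
    $h:$h:$h:$h:$h:$h) ;;
    *) echo "not a MAC address: $mac" >&2; return 1 ;;
  esac
  # GNU sed -i, as on Ubuntu; only the line for IFACE is touched
  sed -i "/NAME=\"$iface\"/ s/ATTR{address}==\"[^\"]*\"/ATTR{address}==\"$mac\"/" "$file"
}

# make_sample_rules FILE
# Write a constructed 70-persistent-net.rules with one e1000 interface, in the
# layout that write_net_rules produces.
make_sample_rules() {
  cat > "$1" <<'EOF'
# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.

# PCI device 0x8086:0x100e (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="08:00:27:aa:bb:cc", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
EOF
}

# Usage: sh fix_mac.sh /etc/udev/rules.d/70-persistent-net.rules eth0 00:0c:29:12:34:56
if [ $# -eq 3 ]; then
  set_rule_mac "$@" && echo "$2 now bound to $(rule_mac "$1" "$2")"
fi
```

Take the new address from the VM's network settings in the hypervisor (or from ip link inside the guest), run the script as root against /etc/udev/rules.d/70-persistent-net.rules, and reboot as above.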