SFTP server with third party user management system?
Problem
I understand how to set up SFTP servers on Linux and create users and their passwords manually. So basically, the users get authenticated as normal Linux users get authenticated, through /etc/passwd. Is there any way to introduce a third party for the user and credentials management?

I am setting up the server on Google Kubernetes Engine. I see AWS provides SFTP as a service and I want to achieve something similar on GCP.

Here is what AWS is doing:

[architecture diagram from the original post, not reproduced here]

AFAIK, everything (1, 2 and 4) from the above image is in place except AWS IAM and Amazon Route S3 (point 3).

I have given the AWS reference just as an example. I am looking for a way to use a third party to manage my SFTP users and credentials instead of normally using /etc/passwd. There are tools available like Okta, G Suite, Google Cloud Identity, etc. But I am not sure how to leverage them to manage users in an SFTP server.
Solution
On common Linux instances the users are authenticated against /etc/passwd, because YOU SPECIFICALLY ASK for this behavior.

For example, when I install vsftpd, I can see a new file created under /etc/pam.d:

    cat /etc/pam.d/vsftpd
    # Standard behaviour for ftpd(8).
    auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
    # Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.
    # Standard pam includes
    @include common-account
    @include common-session
    @include common-auth
    auth required pam_shells.so

And in common-auth you would find something like

    auth [success=1 default=ignore] pam_unix.so nullok_secure

man pam_unix:

    DESCRIPTION
    This is the standard Unix authentication module. It uses standard calls from the system's libraries to retrieve and set account information as well as authentication. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled.

You can authenticate Unix logins against MySQL if you want to: https://github.com/NigelCunningham/pam-MySQL

So either you can use some kind of a standard SFTP solution with a custom PAM module, like AWS Cognito: https://gist.github.com/ergo70/ca776d1f49c464c07930d94c6e8b01aa

Or you can use a solution which includes another means of authentication. I don't say that it is the best solution, but you can try to install CrushFTP - there is a free limited version - just to see if this is the way you want to go.
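The answer above shows where the credential check lives (the PAM stack) but not what a "custom PAM module" that talks to a third-party identity store actually looks like. The script below is an added example, not code from the answer, the linked gist, or any of the named products. It uses pam_exec(8), which ships with Linux-PAM, instead of a compiled module: with the expose_authtok option pam_exec passes the typed password to the helper on stdin and exports PAM_USER, PAM_SERVICE and PAM_TYPE, and the helper's exit status decides the result. The sample directory, the helper path, the PAM line and the sshd_config fragment in the comments are all assumptions; the stand-in backend_authenticate is where a real deployment would call the identity provider.

```shell
#!/bin/sh
# Added example: pam_exec(8) helper that checks SFTP logins against an
# external identity backend instead of /etc/shadow. Not from the original
# answer; the wiring below and the sample directory are assumptions.
#
# Assumed wiring (adjust to your distro's PAM layout):
#   /etc/pam.d/sshd, placed before the @include common-auth line:
#     auth  [success=done default=die]  pam_exec.so quiet expose_authtok /usr/local/sbin/sftp-idp-auth.sh
#   /etc/ssh/sshd_config:
#     UsePAM yes
#     PasswordAuthentication yes
#     Subsystem sftp internal-sftp
#     Match Group sftponly
#         ChrootDirectory /srv/sftp/%u
#         ForceCommand internal-sftp
#
# Contract: exit 0 means authenticated, any other status means PAM_AUTH_ERR.

export LC_ALL=C   # make the character ranges below byte-based, not locale-based

# Only usernames of this shape reach the backend. Rejecting everything else
# up front keeps shell and query metacharacters out of any URL or SQL built
# later (the same concern applies to a pam_mysql query string).
valid_username() {
    [ ${#1} -le 32 ] || return 1
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;   # empty, or contains a disallowed character
        [a-z_]*)          return 0 ;;   # must start with a letter or underscore
        *)                return 1 ;;   # e.g. a leading '-' (option injection)
    esac
}

hash_password() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Constructed stand-in for the identity provider: "user:sha256(password)"
# lines built when the script loads so the example runs offline. A real
# deployment has no such table; backend_authenticate asks the IdP instead.
SAMPLE_DIRECTORY="alice:$(hash_password 'S3cret!')
bob:$(hash_password 'hunter2')"

# Returns 0 when the backend accepts the user/password pair. Replace the body
# with the real call and let the provider verify the password, for example
# (assumed invocation, AWS Cognito):
#   aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH \
#       --client-id "$CLIENT_ID" --auth-parameters "USERNAME=$1,PASSWORD=$2"
backend_authenticate() {
    local user="$1" password="$2" stored
    stored=$(printf '%s\n' "$SAMPLE_DIRECTORY" | awk -F: -v u="$user" '$1 == u { print $2; exit }')
    [ -n "$stored" ] || return 1                 # unknown user
    [ "$stored" = "$(hash_password "$password")" ]
}

# The full check as PAM sees it: validate the name, then ask the backend.
check_credentials() {
    valid_username "$1" || return 1
    backend_authenticate "$1" "$2"
}

# Entry point used by pam_exec. It refuses to act for anything but the auth
# stack, reads the password pam_exec wrote to stdin (read returns non-zero
# if no newline follows it, hence the || true) and defers to check_credentials.
pam_exec_main() {
    [ "${PAM_TYPE:-}" = "auth" ] || return 1
    IFS= read -r password || true
    check_credentials "${PAM_USER:-}" "$password"
}

# Only run the entry point when PAM invoked us, so the functions above can be
# sourced and exercised on their own.
if [ -n "${PAM_TYPE:-}" ]; then
    pam_exec_main
    exit $?
fi
```

Two caveats a practitioner will hit. First, this only replaces the password check: sshd still resolves the username through NSS before PAM runs, so each SFTP user needs a passwd entry (uid, home, shell) from /etc/passwd, an NSS module, or a shared mapped account, which is the part pam_mysql's companion NSS modules or a product like CrushFTP cover. Second, the hash comparison in the stand-in is not constant-time and is only there to keep the example offline; the point of the design is that the identity provider, not the helper, verifies the password.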
Context
StackExchange DevOps Q#10877, answer score: 1