add more info on how to use ggatessh...

talk about libssh2 modifications and sftp-firewall for sftp-server...

Also document how to enable debugging for libssh2 for tracking things
down...
remotes/client/ssh-main
John-Mark Gurney 3 years ago
parent
commit
129cdb5ee6
1 changed files with 51 additions and 7 deletions
README.md

@@ -1,13 +1,45 @@
ggatessh working tree
=====================
ggatessh
========

This is a working tree for ggate work.
This is a variant of ggatec which uses sftp instead of talking to ggated.
This allows the server to be any machine that is running ssh+sftp w/o
requiring you to compile ggated for that platform. It also allows for
strong authentication and encryption that is not provided by ggatec/d
combo, or even iSCSI, which despite having authentication, it requires
IPsec for security, otherwise it is possible for an attacker to take
over the TCP session.

This is a variant of ggatec using sftp instead of talking to ggated.
This version of ggatessh also supports a new sftp-server command,
punchhole, that is used to implement BIO_DELETE (aka TRIM) commands
to help reduce disk space usage on the server. This command is only
implemented in the sftp-server at jmg's [sftp-firewall branch](https://www.funkthat.com/gitea/jmg/openssh-portable/src/branch/sftp-firewall)
of openssh-portable. That branch also implements a new command line
option to restrict which files able to be opened by sftp-server,
allowing for strong protection on the server site which files the
key can access.

It uses the libssh2 library with a few modifications. The build system
will be updated to compile and use libssh2. There is at least one minor
modification needed to turn off read-ahead for sftp support.
For example, using the sftp-firewall branch, you can use the following
in an `authorized_keys` file to ensure that the private key can only
access one specific file:
```
restrict,command="/home/dir/git.repos/openssh-portable/sftp-server -a fstest/data.img -p open,close,read,write,fstat,fsync,punchhole" ssh-rsa AAAAB...5el ggatessh-test-key
```

If you are not using the custom compiled branch, just remove the `-a`
option and it's argument, and punchhole from the permitted requests.
Bewarned that even though sftp w/ the key cannot list files w/ the
this configuration (in fact, standard sftp client will error out),
other sftp clients can open any file for reading or writing, including
creating new files, so unless you fully trust where the ssh key is
stored, it is highly recommended to run sftp-server from the
sftp-firewall branch.

libssh2
-------

ggatessh uses the libssh2 library with a few modifications. The build
system will be updated to compile and use libssh2. There is at least one
minor modification needed to turn off read-ahead for sftp support.

By default, libssh2 assumes that you'll read a whole file sequentially
in blocking mode, and if it does not do this, there will be pipeline
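Review bot: the `authorized_keys` example passes `-a fstest/data.img` as a relative path, but the surrounding text never says what it is relative to; since sshd starts a forced command in the login account's home directory, say so explicitly or use an absolute path, otherwise a reader who keeps the image elsewhere ends up with an `-a` that matches nothing. The following paragraph rightly warns that without `-a` (stock sftp-server) the key can open any file the account can reach, which is why `restrict`, `command=` and `-a` belong together; it would also help to state what ggatessh does when `punchhole` is dropped from the `-p` list, i.e. whether BIO_DELETE fails or is silently ignored. Wording in the new text: "which files able to be opened" should be "which files are able to be opened", "server site" should be "server side", "it's argument" should be "its argument", "Bewarned" should be "Be warned", and "w/ the this configuration" has a stray "the".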
@@ -22,3 +54,15 @@ If you install the program, `entr`, you can use the top level target,
`devtest` to automatically compile, install, and run the tests whenever
a dependant file is modified. The libssh2 library will not be built,
and needs to be built manually.

### Debugging

If you need to debug libssh2, you first need to enable debugging in the
library and recompile. To do that, from the `libssh2` directory, run:
```
./configure --enable-debug --disable-shared
make clean && make -j 4
```

ggatessh will enable a default set of tracing when verbose (`-v`) is
enabled.
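Review bot: the Debugging steps give `./configure --enable-debug --disable-shared` without saying why `--disable-shared` is there; if the intent is that ggatessh links the debug build statically rather than picking up an installed shared libssh2, say so, and note that ggatessh itself must be rebuilt afterwards, since `make clean && make -j 4` in the `libssh2` directory only rebuilds the library. The context line above says libssh2 "needs to be built manually" but never says where the modified tree comes from; a pointer to the patched source would close that gap. The last sentence should list which trace categories `-v` turns on (or how to widen the `libssh2_trace()` bitmask), otherwise the reader cannot tell what output to expect. Minor: "dependant" should be "dependent".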
