Name: ansible-sftp
Owner: EMBL-EBI Technology & Science Integration
Description: SFTP server role for Ansible
Forked from: johanmeiring/ansible-sftp
Created: 2016-12-01 09:17:56.0
Updated: 2016-12-01 09:22:24.0
Pushed: 2016-12-01 15:55:06.0
Homepage: null
Size: 18
Language: Groff
GitHub Committers
| User | Most Recent Commit | # Commits |
|---|
Other Committers
| User | Most Recent Commit | # Commits |
|---|
An Ansible role which configures an OpenSSH server for chrooted SFTP access. The role is built in such a way that it will not unnecessarily alter a user's OpenSSH customisations. Instead, it simply changes the crucial bits that it needs to, and adds the rest of its configuration in the form of a custom config block (OpenSSH's lack of some form of conf.d/ support forces this behaviour).
It is advisable that scp_if_ssh be set to true in the ssh_connection section of your ansible.cfg file, seeing as how Ansible uses SFTP for file transfers by default, and you can easily lock yourself out of your server's SFTP by using this role. The SCP fallback will continue to work. Example config:
sible.cfg
_connection]
if_ssh=True
Other than that, only Ansible itself is required. Tested using Ansible 1.9, 2.0.2.0 and 2.1.0.0. Works on Ubuntu 14.04 and 16.04 as well as CentOS 7, untested on other versions.
The following role variables are relevant:
sftp_home_partition: The partition where SFTP users' home directories will be located. Defaults to “/home”.sftp_group_name: The name of the Unix group to which all SFTP users must belong. Defaults to “sftpusers”.sftp_directories: A list of directories that need to be created automatically for each SFTP user. Defaults to a blank list (i.e. “[]“).name and (optionally) mode key/value pairs.sftp_allow_passwords: Whether or not to allow password authentication for SFTP. Defaults to False.sftp_users: A list of users, in map form, containing the following elements:name: The Unix name of the user that requires SFTP access.password: A password hash for the user to login with. Blank passwords can be set with password: "". NOTE: It appears that UsePAM yes and PermitEmptyPassword yes need to be set in sshd_config in order for blank passwords to work properly. Making those changes currently falls outside the scope of this role and will need to be done externally.authorized: A list of files placed in files/ which contain valid public keys for the SFTP user.
me: test-playbook | Test sftp-server role
sts: all
come: yes
come_user: root
rs:
- sftp_users:
- name: peter
password: "$1$salty$li5TXAa2G6oxHTDkqx3Dz/" # passpass
authorized: []
- name: sally
password: ""
authorized: [sally.pub]
- sftp_directories:
- imports
- exports
- { name: public, mode: 755 }
- other
les:
- sftp-server
Licensed under the MIT License. See the LICENSE file for details.