John-Mark Gurney a0e97ef851 | 4 years ago | |
---|---|---|
ggatessh | 4 years ago | |
libssh2 | 4 years ago | |
shared | 4 years ago | |
tests | 4 years ago | |
tools | 4 years ago | |
.gitignore | 4 years ago | |
Makefile | 4 years ago | |
Makefile.inc | 4 years ago | |
README.md | 4 years ago |
This is a variant of ggatec which uses sftp instead of talking to ggated. This allows the server to be any machine that is running ssh+sftp w/o requiring you to compile ggated for that platform. It also allows for strong authentication and encryption that is not provided by ggatec/d combo, or even iSCSI, which despite having authentication, it requires IPsec for security, otherwise it is possible for an attacker to take over the TCP session.
This version of ggatessh also supports a new sftp-server command, punchhole, that is used to implement BIO_DELETE (aka TRIM) commands to help reduce disk space usage on the server. This command is only implemented in the sftp-server at jmg’s sftp-firewall branch of openssh-portable. That branch also implements a new command line option to restrict which files able to be opened by sftp-server, allowing for strong protection on the server site which files the key can access.
For example, using the sftp-firewall branch, you can use the following
in an authorized_keys
file to ensure that the private key can only
access one specific file:
restrict,command="/home/dir/git.repos/openssh-portable/sftp-server -a fstest/data.img -p open,close,read,write,fstat,fsync,punchhole" ssh-rsa AAAAB...5el ggatessh-test-key
If you are not using the custom compiled branch, just remove the -a
option and it’s argument, and punchhole from the permitted requests.
Bewarned that even though sftp w/ the key cannot list files w/ the
this configuration (in fact, standard sftp client will error out),
other sftp clients can open any file for reading or writing, including
creating new files, so unless you fully trust where the ssh key is
stored, it is highly recommended to run sftp-server from the
sftp-firewall branch.
ggatessh uses the libssh2 library with a few modifications. The build system will be updated to compile and use libssh2. There is at least one minor modification needed to turn off read-ahead for sftp support.
By default, libssh2 assumes that you’ll read a whole file sequentially in blocking mode, and if it does not do this, there will be pipeline stalls. In our case, this would result in lots of wasted bandwith as we will be seeking around the file to read and write, and so this feature needs to be disabled.
If you install the program, entr
, you can use the top level target,
devtest
to automatically compile, install, and run the tests whenever
a dependant file is modified. The libssh2 library will not be built,
and needs to be built manually.
If you need to debug libssh2, you first need to enable debugging in the
library and recompile. To do that, from the libssh2
directory, run:
./configure --enable-debug --disable-shared
make clean && make -j 4
ggatessh will enable a default set of tracing when verbose (-v
) is
enabled.