getfacl and setfacl for a working ssh connect

f2b95274 · Goik Martin · b8bedfe6 · f2b95274
Commit f2b95274 authored 7 years ago by Goik Martin
--- a/Doc/Sdi/gettingStarted.xml
+++ b/Doc/Sdi/gettingStarted.xml
@@ -17,6 +17,72 @@
    access to two virtual machines to mimic client provider and replication
    scenarios.</para>

+    <para>If you do not yet have a public/private <acronym>ssh</acronym> key
+    pair the <command>ssh-keygen</command> command is your friend. It allows
+    for generating a pair inside your <filename>~/.ssh</filename>
+    subdirectory. Working on a network drive your first problem may be
+    inappropriate file permissions of and inside your ~/.ssh directory:</para>
+
+    <screen>mistudent@w10m:~/.ssh$ pwd
+/stud/mistudent/.ssh
+mistudent@w10m:~/.ssh$ ls -al
+total 24
+drwxrwx---+  2 mistudent mi    0 Okt 17 17:45 .
+drwx------+ 32 mistudent mi    0 Okt 17 17:44 ..
+-rwxrwx---+  1 mistudent mi  396 Okt 17 17:45 authorized_keys
+-rwxrwx---+  1 mistudent mi 1675 Okt 17 17:38 id_rsa
+-rwxrwx---+  1 mistudent mi  396 Okt 17 17:38 id_rsa.pub</screen>
+
+    <para>The permissions of the directory itself and the files within are too
+    open . The <command>sshd</command> daemon process will deny remote access
+    due to possible security implications. Unfortunately the standard
+    <command>chmod</command> command from UNIX does not help on modern
+    <abbrev>cifs</abbrev> based network file systems using extended ACLs. We
+    may ask <command>getfacl</command> for details:</para>
+
+    <screen>mistudent@w10m:~/.ssh$ getfacl  authorized_keys 
+# file: authorized_keys
+# owner: mistudent
+# group: mi
+user::rwx
+user:mistudent:rwx
+group::---
+group:users:---
+mask::rwx
+other::---</screen>
+
+    <para>The counterpart <command>setfacl</command> allows for revoking
+    permissions <abbrev>e.g.</abbrev> on
+    <filename>authorized_keys</filename>:</para>
+
+    <screen>mistudent@w10m:~/.ssh$ setfacl -m user:mistudent:--- authorized_keys
+mistudent@w10m:~/.ssh$ setfacl -m user::rw- authorized_keys
+mistudent@w10m:~/.ssh$ getfacl authorized_keys 
+# file: authorized_keys
+# owner: mistudent
+# group: mi
+user::rw-
+user:mistudent:---
+group::---
+group:users:---
+mask::---
+other::---
+
+mistudent@w10m:~/ssh$ ls -al authorized_keys 
+-rw-------+ 1 mistudent mi 396 Okt 17 17:45 authorized_keys</screen>
+
+    <para>Addressing each file and the directory itself in a similar fashion
+    leads to:</para>
+
+    <screen>mistudent@w10m:~/.ssh$ ls -al
+total 32
+drwx------+  2 mistudent mi    0 Okt 17 17:44 .
+drwx------+ 32 mistudent mi    0 Okt 17 17:44 ..
+-rw-------+  1 mistudent mi 1132 Okt 17 17:40 authorized_keys
+-rw-------+  1 mistudent mi 1679 Okt 11 14:46 id_rsa
+-rw-r--r--+  1 mistudent mi  396 Okt 11 14:46 id_rsa.pub
+-rw-------+  1 mistudent mi  442 Okt 11 14:49 known_hosts</screen>
+
    <para>Access to these virtual machines is initially being controlled by
    password. A client will allow you to connect:</para>