mirror of
https://github.com/tahoe-lafs/tahoe-lafs.git
synced 2025-01-31 16:36:20 +00:00
= Tahoe SFTP Frontend =

All Tahoe client nodes can run a frontend SFTP server, allowing regular SFTP
clients to access the virtual filesystem.

Since Tahoe does not use user accounts or passwords, the SFTP server must be
configured with a way to translate a username (and either a password or
public key) into a root directory cap. Two mechanisms are provided. The first
is a simple flat file with one account per line. The second is an HTTP-based
login mechanism, backed by a simple PHP script and a database. The latter form
is used by allmydata.com to provide secure access to customer rootcaps.

The SFTP server must also be given a public/private host keypair.

== Configuring a Keypair ==

First, generate a keypair for your server:

 % cd BASEDIR
 % ssh-keygen -f private/ssh_host_rsa_key

You will then use the following lines in the tahoe.cfg file:

 [sftpd]
 sftp.host_pubkey_file = private/ssh_host_rsa_key.pub
 sftp.host_privkey_file = private/ssh_host_rsa_key

== Configuring an Account File ==

To configure the first form, create a file (probably in
BASEDIR/private/sftp.accounts) in which each non-comment/non-blank line is a
space-separated line of (USERNAME, PASSWORD/PUBKEY, ROOTCAP), like so:

[TODO: the PUBKEY form is not yet supported]

 % cat BASEDIR/private/sftp.accounts
 # This is a password file, (username, password/pubkey, rootcap)
 alice password URI:DIR2:ioej8xmzrwilg772gzj4fhdg7a:wtiizszzz2rgmczv4wl6bqvbv33ag4kvbr6prz3u6w3geixa6m6a
 bob sekrit URI:DIR2:6bdmeitystckbl9yqlw7g56f4e:serp5ioqxnh34mlbmzwvkp3odehsyrr7eytt5f64we3k9hhcrcja
 carol ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAv2xHRVBoXnwxHLzthRD1wOWtyZ08b8n9cMZfJ58CBdBwAYP2NVNXc0XjRvswm5hnnAO+jyWPVNpXJjm9XllzYhODSNtSN+TXuJlUjhzA/T+ZwdgsgSAeHuuMQBoWt4Qc9HV6rHCdAeMhcnyqm6Q0sRAsfA/wfwiIgbvE7+cWpFa2anB6WeAnvK8+dMN0nvnkPE7GNyf/WFR1Ffuh9ifKdRB6yDNp17bQAqA3OWSFjch6fGPhp94y4g2jmTHlEUTyVsilgGqvGOutOVYnmOMnFijugU1Vu33G39GGzXWla6+fXwTk/oiVPiCYD7A7WFKes3nqMg8iVN6a6sxujrhnHQ== warner@fluxx URI:DIR2:6bdmeitystckbl9yqlw7g56f4e:serp5ioqxnh34mlbmzwvkp3odehsyrr7eytt5f64we3k9hhcrcja

Note that if the second word of the line is "ssh-rsa" or "ssh-dss", the rest
of the line is parsed differently, so users cannot have a password equal to
either of these strings.

Then add the following lines to the BASEDIR/tahoe.cfg file:

 [sftpd]
 enabled = true
 sftp.port = 8022
 sftp.host_pubkey_file = private/ssh_host_rsa_key.pub
 sftp.host_privkey_file = private/ssh_host_rsa_key
 sftp.accounts.file = private/sftp.accounts

The SFTP server will listen on the given port number. The sftp.accounts.file
pathname will be interpreted relative to the node's BASEDIR.

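As an added illustration (a hypothetical parser, not Tahoe's own authentication code), the following Python reads the account-file format described above, applying the "ssh-rsa"/"ssh-dss" second-word rule, and checks a password with a constant-time comparison before handing back the rootcap. The sample file is constructed for the example: alice's and carol's rootcaps are copied from this document, carol's key data is a placeholder, and the "dave" line shows what happens to a password equal to "ssh-rsa".

```python
import hmac
from typing import Dict, NamedTuple, Optional

PUBKEY_TYPES = ("ssh-rsa", "ssh-dss")  # second word that switches the line format

class Account(NamedTuple):
    password: Optional[str]  # set for password lines
    pubkey: Optional[str]    # "ssh-rsa <keydata> [comment]" for pubkey lines
    rootcap: str

def parse_accounts(text: str) -> Dict[str, Account]:
    """Parse sftp.accounts text: USERNAME PASSWORD/PUBKEY ROOTCAP per line."""
    accounts: Dict[str, Account] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines are ignored
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: need USERNAME PASSWORD/PUBKEY ROOTCAP")
        name, second = fields[0], fields[1]
        if second in PUBKEY_TYPES:
            # pubkey form: key type, key data, optional comment; rootcap is last
            acct = Account(None, " ".join(fields[1:-1]), fields[-1])
        elif len(fields) == 3:
            acct = Account(second, None, fields[2])
        else:
            raise ValueError(f"line {lineno}: password line needs exactly 3 fields")
        if not acct.rootcap.startswith("URI:DIR2") or name in accounts:
            raise ValueError(f"line {lineno}: bad rootcap or duplicate user {name!r}")
        accounts[name] = acct
    return accounts

def check_password(accounts: Dict[str, Account], user: str, pw: str) -> Optional[str]:
    """Return the user's rootcap if the password matches, else None."""
    acct = accounts.get(user)
    if acct is None or acct.password is None:
        return None  # unknown user, or a pubkey-only account
    if not hmac.compare_digest(acct.password.encode(), pw.encode()):
        return None  # constant-time comparison avoids a timing side channel
    return acct.rootcap

# Constructed sample: alice/carol caps copied from the doc, carol's key data is a
# stand-in, and "dave" shows the pitfall of a password equal to "ssh-rsa".
SAMPLE = """\
# This is a password file, (username, password/pubkey, rootcap)
alice password URI:DIR2:ioej8xmzrwilg772gzj4fhdg7a:wtiizszzz2rgmczv4wl6bqvbv33ag4kvbr6prz3u6w3geixa6m6a
carol ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAA_CONSTRUCTED carol@example URI:DIR2:6bdmeitystckbl9yqlw7g56f4e:serp5ioqxnh34mlbmzwvkp3odehsyrr7eytt5f64we3k9hhcrcja
dave ssh-rsa URI:DIR2:6bdmeitystckbl9yqlw7g56f4e:serp5ioqxnh34mlbmzwvkp3odehsyrr7eytt5f64we3k9hhcrcja
"""
```

Because dave's second word is a key type, his line is stored as a (malformed) public-key entry and a password login as "ssh-rsa" can never succeed, which is the restriction the note above describes.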
== Configuring an Account Server ==

Determine the URL of the account server, say https://example.com/login. Then
add the following lines to BASEDIR/tahoe.cfg:

 [sftpd]
 enabled = true
 sftp.port = 8022
 sftp.host_pubkey_file = private/ssh_host_rsa_key.pub
 sftp.host_privkey_file = private/ssh_host_rsa_key
 sftp.accounts.url = https://example.com/login

== Dependencies ==

The Tahoe SFTP server requires the Twisted "Conch" component, which itself
requires the pycrypto package (note that pycrypto is distinct from the
pycryptopp that Tahoe uses).