proftpd: Allow user auth with ssh keys

2022-09-13 16:29:59 +02:00 · 2022-09-13 16:29:59 +02:00 · 9631476a06
parent 7c4a169fb8
commit 9631476a06
5 changed files with 38 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -19,6 +19,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * inspect-domains: Add role
 * memcached: NRPE check for multi-instance setup
 * proftpd: Add options to override configs
+* proftpd: Allow user auth with ssh keys

 ### Changed

--- a/proftpd/defaults/main.yml
+++ b/proftpd/defaults/main.yml
@ -12,6 +12,7 @@ proftpd_ftps_cert: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
 proftpd_ftps_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
 proftpd_sftp_enable: False
 proftpd_sftp_override: False
+proftpd_sftp_use_publickeys: False
 proftpd_sftp_port: 22222
 proftpd_accounts: []
 proftpd_accounts_final: []
--- a/proftpd/tasks/accounts.yml
+++ b/proftpd/tasks/accounts.yml
@ -60,3 +60,18 @@
  when: proftpd_sftp_enable | bool
  tags:
    - proftpd
+
+- name: Allow keys for SFTP account
+  blockinfile:
+    dest: "/etc/proftpd/sftp.authorized_keys/{{ item.name }}"
+    state: present
+    block: "{{ item.sshkeys }}"
+    create: yes
+    mode: 0600
+  loop: "{{ proftpd_accounts_final }}"
+  notify: restart proftpd
+  when: 
+    - proftpd_sftp_enable | bool
+    - proftpd_sftp_use_publickeys | bool
+  tags:
+    - proftpd
--- a/proftpd/tasks/main.yml
+++ b/proftpd/tasks/main.yml
@ -48,6 +48,20 @@
  tags:
    - proftpd

+- name: SFTP key folder exists if needed
+  file:
+    path: /etc/proftpd/sftp.authorized_keys/
+    state: directory
+    mode: "0700"
+    owner: root
+    group: root
+  notify: restart proftpd
+  when: 
+    - proftpd_sftp_enable | bool
+    - proftpd_sftp_use_publickeys | bool
+  tags:
+    - proftpd
+
 - name: mod_tls_memcache is disabled
  replace:
    dest: /etc/proftpd/modules.conf
--- a/proftpd/templates/sftp.conf.j2
+++ b/proftpd/templates/sftp.conf.j2
@ -13,8 +13,14 @@
    
    SFTPLog      /var/log/proftpd/sftp.log
    TransferLog  /var/log/proftpd/xferlog
-    
+
+{% if proftpd_sftp_use_publickeys %}
+    SFTPAuthMethods publickey password
+    SFTPAuthorizedUserKeys file:/etc/proftpd/sftp.authorized_keys/%u
+{% else %}
    SFTPAuthMethods password
+{% endif %}
+
    SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
    SFTPHostKey /etc/ssh/ssh_host_rsa_key