[Twisted-Python] using conch to create a "chrooted" sftp server

I'd like to provide file-server access on my home network to a machine which hosts a variety of media, without exposing its entire filesystem. OpenSSH's sftp-server doesn't allow this, so of course I thought, I should use conch. Completely replacing OpenSSH with Conch is inconvenient, however, and it is my only means to administer these machines, so both for the sake of easy packaging and making sure I don't make a mistake, I'd really like to keep the main SSH daemon in place but replace the sftp channel. I *think* that means I'd need to do something with sshd_config, twisted.conch.ssh.filetransfer, and twisted.internet.stdio. However, I'm a bit at a loss what that thing would be. Can someone with stronger conch-fu than I give a brief description of how this could be done? Ideally, I'd like some users (myself) to be able to access the entire filesystem, but others (the "storage" user, who has no shell) to only be able to access /public. Finally I'd like the "guest" user to be able to access /public, but read-only, and /public/drop-box read-write. I don't mind setting up UNIX permissions to enforce that last bit.

On Mon, Feb 4, 2008 at 10:19 PM, <glyph@divmod.com> wrote:
On the OpenSSH side, you'll want to change the 'Subsystem sftp /usr/lib/openssh/sftp-server' line in /etc/ssh/sshd_config (on Debian/Ubuntu) to some script that you write. On the Twisted side, you'll want to connect twisted.conch.ssh.filetransfer.FileTransferServer to twisted.internet.stdio.StandardIO. You'll have to create your own avatar based on the current user and pass that to the constructor.
You'll probably want to hack up twisted.conch.unix.SFTPServerForUnixConchUser to do that. It's an adapter for whatever the avatar passed to FileTransferServer is to ISFTPServer, and FileTransferServer calls the methods on that to implement the actual file mechanics.

hth,
-p
-- 
Paul Swartz
paulswartz at gmail dot com
http://z3p.jot.com/
AIM: z3penguin
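One way to put the reply's plan together, as an added example that is not code from the thread's authors or from the Twisted project: sshd launches the script as the authenticated user, the script looks up a per-user policy, and every path that the ISFTPServer adapter receives is resolved inside a jail (lexical `..` collapse, then `realpath`, so a symlink inside the jail cannot lead out of it) before the stock `SFTPServerForUnixConchUser` touches the filesystem. The `POLICIES` table, the user names in it, `RootAvatar`, `demo()` and its temp-directory fixture are constructed for this example; the FXF_* values are the SFTP v3 flag values; and the wiring assumes that `SFTPServerForUnixConchUser` joins client paths onto `avatar.getHomeDir()`, so handing it already-resolved absolute paths is safe. Twisted is imported only inside `run_stdio_subsystem()`, so the jail logic runs and tests without it.

```python
"""Path jail and per-user write policy for an sftp subsystem run over stdio.

Added example, not code from the Twisted project or the thread's authors.
SftpJail is pure Python; run_stdio_subsystem() wires it up the way the reply
describes (FileTransferServer connected to StandardIO) and imports Twisted
only when called. sshd_config: Subsystem sftp /path/to/this/script.py
"""
import os
import posixpath
import pwd
import tempfile

# SFTP v3 open flags (the values twisted.conch.ssh.filetransfer.FXF_* carry).
FXF_READ, FXF_WRITE, FXF_APPEND, FXF_CREAT, FXF_TRUNC = 1, 2, 4, 8, 16
WRITE_FLAGS = FXF_WRITE | FXF_APPEND | FXF_CREAT | FXF_TRUNC

# Assumed policy table modelled on the question: a client-visible root per
# user and, for read-only users, the client-side prefixes that stay writable.
POLICIES = {
    "glyph":   {"root": "/"},
    "storage": {"root": "/public"},
    "guest":   {"root": "/public", "read_only": True, "writable": ("/drop-box",)},
}


class JailViolation(PermissionError):
    """The client path leaves the jail or the policy forbids the write."""


class SftpJail:
    """Maps client-supplied SFTP paths onto one directory tree.

    A path is normalised lexically, joined under root, then passed through
    realpath so a symlink inside the jail cannot lead outside it. Policy
    decisions use the post-symlink location, not the name the client sent.
    """

    def __init__(self, root, read_only=False, writable=()):
        self.root = os.path.realpath(root)
        self.read_only = read_only
        self.writable = tuple(writable)

    def resolve(self, client_path):
        """Return (real_path, jail_path) or raise JailViolation."""
        if isinstance(client_path, bytes):
            client_path = client_path.decode("utf-8")
        # Collapse '..' lexically first; joining on '/' sends '' and relative
        # paths to the jail root rather than to the process cwd.
        vpath = posixpath.normpath(posixpath.join("/", client_path))
        real = os.path.realpath(os.path.join(self.root, vpath.lstrip("/")))
        if real != self.root and not real.startswith(self.root + os.sep):
            raise JailViolation("path escapes jail: %r" % client_path)
        rel = os.path.relpath(real, self.root)
        return real, "/" if rel == "." else "/" + rel.replace(os.sep, "/")

    def may_write(self, jail_path):
        if not self.read_only:
            return True
        return any(jail_path == p or jail_path.startswith(p.rstrip("/") + "/")
                   for p in self.writable)

    def check(self, client_path, writing):
        """Resolve and authorise one operation; return the real path."""
        real, jail_path = self.resolve(client_path)
        if writing and not self.may_write(jail_path):
            raise JailViolation("read-only location: %r" % client_path)
        return real


def jail_for_current_user(policies=POLICIES):
    """sshd runs the subsystem as the authenticated user, so the process
    identity is the only input the policy lookup needs (KeyError: no service)."""
    p = policies[pwd.getpwuid(os.getuid()).pw_name]
    return SftpJail(p["root"], p.get("read_only", False), p.get("writable", ()))


def run_stdio_subsystem(jail):
    """Serve SFTP on stdin/stdout. renameFile/makeLink (two paths) not wrapped."""
    from twisted.internet import reactor, stdio
    from twisted.conch.ssh.filetransfer import FileTransferServer
    from twisted.conch.unix import SFTPServerForUnixConchUser

    class RootAvatar:                      # assumed minimal avatar
        def getHomeDir(self):
            return jail.root

    class JailedSFTPServer(SFTPServerForUnixConchUser):
        def openFile(self, filename, flags, attrs):
            real = jail.check(filename, bool(flags & WRITE_FLAGS))
            return super().openFile(real, flags, attrs)

        def realPath(self, path):          # never reveal the real root
            return jail.resolve(path)[1]

    def jailed(name, writing):             # factory avoids late binding
        parent = getattr(SFTPServerForUnixConchUser, name)
        return lambda self, path, *rest: parent(self, jail.check(path, writing), *rest)

    for name, writing in [("removeFile", True), ("makeDirectory", True),
                          ("removeDirectory", True), ("setAttrs", True),
                          ("openDirectory", False), ("getAttrs", False),
                          ("readLink", False)]:
        setattr(JailedSFTPServer, name, jailed(name, writing))

    # The adapter already provides ISFTPServer, so it is the avatar itself.
    stdio.StandardIO(FileTransferServer(avatar=JailedSFTPServer(RootAvatar())))
    reactor.run()


def demo():
    """Constructed fixture: temp tree with public/, public/drop-box/, a
    secret outside public/ and a symlink public/escape -> base."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "public", "drop-box"))
    for name in ("public/readme", "secret"):
        open(os.path.join(base, name), "w").close()
    os.symlink(base, os.path.join(base, "public", "escape"))
    guest = SftpJail(os.path.join(base, "public"), read_only=True, writable=("/drop-box",))
    out = {"real_root": guest.root,
           "readme": guest.resolve(b"/drop-box/../readme")[1],
           "empty": guest.resolve("")[1],
           "dotdot": guest.resolve("../../etc/passwd")[1],   # stays inside
           "upload": guest.check("/drop-box/upload.txt", True)}
    for label, path, writing in [("symlink", "escape/secret", False),
                                 ("ro_write", "/readme", True)]:
        try:
            guest.check(path, writing)
            out[label] = "allowed"
        except JailViolation:
            out[label] = "refused"
    return out


if __name__ == "__main__":
    run_stdio_subsystem(jail_for_current_user())
```

The lexical collapse alone already confines `..` (a traversal attempt lands on a path inside the jail, exactly as under a real chroot); the `realpath` comparison is what stops a symlink planted inside `/public` from reaching the rest of the disk, which is the case a permissions-only setup misses.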
