Local EGA Inbox

We use the OpenSSH SFTP server (version 7.8p5), on a Linux distribution (currently CentOS7).

Authentication is performed by the Operating System, using the classic plugable mechanism (PAM), and username resolution module (called NSS).

The user’s home directory is created when its credentials are retrieved from CentralEGA. Moreover, we isolate each user in its respective home directory (i.e. we chroot the user into it).

We installed hooks inside the OpenSSH SFTP server to detect when a file is (re)uploaded, renamed or removed, in which case, a notification is sent to CentralEGA via a shovel mechanism on the local message broker. In the case of a file upload, the notification also contains extra file information, such as a SHA256 checksum, its size and a timestamp for when it was last modified.

We created the SSH deamon /opt/openssh/sbin/ega-sshd binary and configured the *ega-sshd* service to use PAM.

The ega-sshd service is configured using the -c switch to specify where the configuration file is. The service runs for the moment on port 9000.

Note that when PAM is configured as above, and a user is either not found, or its authentication fails, the access to the service is denied. No other user (not even root), other than Central EGA users, have access to that service. We force sftp connections and even disallow ssh connections on that port.


Version 1.0 | Generated January 24, 2020