Local EGA Inbox¶
We use the OpenSSH SFTP server (version 7.8p5), on a Linux distribution (currently CentOS7).
Authentication is performed by the Operating System, using the classic plugable mechanism (PAM), and username resolution module (called NSS).
The user’s home directory is created when its credentials are
retrieved from CentralEGA. Moreover, we isolate each user in its
respective home directory (i.e. we chroot
the user into it).
We installed hooks inside the OpenSSH SFTP server to detect when a file is (re)uploaded, renamed or removed, in which case, a notification is sent to CentralEGA via a shovel mechanism on the local message broker. In the case of a file upload, the notification also contains extra file information, such as a SHA256 checksum, its size and a timestamp for when it was last modified.
We created the SSH deamon /opt/openssh/sbin/ega-sshd
binary and
configured the *ega-sshd* service to use PAM.
The ega-sshd service is configured using the -c
switch to
specify where the configuration file is. The service runs for the
moment on port 9000.
Note that when PAM is configured as above, and a user is either not found, or its authentication fails, the access to the service is denied. No other user (not even root), other than Central EGA users, have access to that service. We force sftp connections and even disallow ssh connections on that port.