VMware Cloud Foundation 5.2 – Configuring SFTP Server

Introduction

I have a fresh installation of VMware Cloud Foundation (VCF) 5.2 and want to configure the SFTP server that SDDC Manager and NSX Manager use as a backup target. Luckily, in this version, SDDC Manager should be able to communicate with modern SFTP servers using ECDSA SSH keys. I have a separate post on how to configure the SSH security settings if you are using an older version of VCF.

The SFTP Server

The first thing we need to check (or configure) is the SFTP server itself. It is best practice to separate users and roles, which includes creating dedicated service accounts. These are ordinary user accounts that are not intended for human interaction, so we will create both the group and the user with the --system switch.

First we will create a group that will contain SFTP users.

sudo groupadd --system sftp-users

Next we create the user account: it is added to the sftp-users group, gets no home directory, has a non-interactive shell, and is flagged as a system account. This user cannot log in interactively and will have no home directory.

sudo useradd --groups sftp-users --no-create-home --shell /bin/false --system sddc-manager-sftp-sa

Now we will add a password to the user account. Even though the user cannot log in interactively, the password is still required for SDDC Manager to make the connection.

sudo passwd sddc-manager-sftp-sa

We need a place to store the backup files, so we will create an sftp directory as well as an sddc-manager sub-directory.

sudo mkdir /var/sftp
sudo mkdir /var/sftp/sddc-manager

Change the group ownership to sftp-users.

sudo chown --recursive root:sftp-users /var/sftp/

Change the directory permissions to allow the group and everyone else read and execute. When we configure the SFTP server Match Group block, we will specify a ChrootDirectory. With this configuration, all components of the path name must be root owned and not writable by any other user or group.

sudo chmod 0755 /var/sftp/

The /var/sftp/sddc-manager sub-directory, on the other hand, must be writable by the sftp-users group, since that is where the backup files will land.

sudo chmod 0775 /var/sftp/sddc-manager

To use a ChrootDirectory, we need to change the Subsystem in the main /etc/ssh/sshd_config file. Comment out the original Subsystem command and add a new line.

#Subsystem    sftp    /usr/lib/openssh/sftp-server
Subsystem    sftp    internal-sftp

Now we need to configure the SSH server to accept SFTP logins from members of the sftp-users group and to confine them to the /var/sftp directory. Create a drop-in file with a Match Group block; note that every directive in the block needs a value, including X11Forwarding.

sudo vi /etc/ssh/sshd_config.d/10-sftp-server.conf

Match Group sftp-users
  ChrootDirectory /var/sftp
  AllowTcpForwarding no
  X11Forwarding no

Restart the SSH service so the new configuration takes effect (the unit is ssh.service on Debian and Ubuntu).

sudo systemctl restart ssh.service
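Before restarting, it is worth checking the two things that most often make a ChrootDirectory setup fail silently: a path component that is not root-owned or is group/other-writable (sshd then rejects the login with a "bad ownership or modes" error), and a directive in the Match block that has no value. The script below is an added example, not part of the original post; it assumes GNU coreutils (`stat -c`) and a POSIX shell, and the functions `check_chroot_path` and `validate_sftp_conf` are my own names. The demonstration at the end runs on a constructed temporary tree and a constructed drop-in file so it does not touch the live host.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils `stat -c`.

# sshd refuses a ChrootDirectory unless every path component is owned by root
# and is not writable by group or others. Walk from / down to the target and
# report every component that breaks the rule.
check_chroot_path() {
  _target=$1
  _rc=0
  _cur=/
  _check_component "$_cur" || _rc=1
  _rest=${_target#/}
  while [ -n "$_rest" ]; do
    _seg=${_rest%%/*}
    if [ "$_seg" = "$_rest" ]; then _rest=""; else _rest=${_rest#*/}; fi
    [ -n "$_seg" ] || continue
    _cur="${_cur%/}/$_seg"
    _check_component "$_cur" || _rc=1
  done
  return $_rc
}

_check_component() {
  _uid=$(stat -c '%u' "$1" 2>/dev/null) || { echo "missing: $1" >&2; return 1; }
  _mode=$(stat -c '%a' "$1")
  _go=${_mode#"${_mode%??}"}          # last two octal digits: group, other
  _bad=0
  [ "$_uid" -eq 0 ] || { echo "not root-owned: $1 (uid $_uid)" >&2; _bad=1; }
  case $_go in
    *[2367]*) echo "group/other writable: $1 (mode $_mode)" >&2; _bad=1 ;;
  esac
  return $_bad
}

# Sanity-check the Match block drop-in: every directive must carry a value
# (catches a bare "X11Forwarding"), and the three directives used in the post
# must be present with the expected values. Real validation is `sshd -t`.
validate_sftp_conf() {
  _file=$1
  _rc=0
  _chroot="" _tcp="" _x11=""
  set -f                                # no globbing while splitting lines
  while read -r _line || [ -n "$_line" ]; do
    set -- $_line                       # $1 = directive, rest = value
    [ $# -gt 0 ] || continue
    case $1 in '#'*) continue ;; esac
    _key=$1; shift; _val=$*
    if [ -z "$_val" ]; then
      echo "directive without value: $_key" >&2; _rc=1; continue
    fi
    case $_key in
      ChrootDirectory)    _chroot=$_val ;;
      AllowTcpForwarding) _tcp=$_val ;;
      X11Forwarding)      _x11=$_val ;;
    esac
  done < "$_file"
  set +f
  [ -n "$_chroot" ] || { echo "ChrootDirectory not set" >&2; _rc=1; }
  [ "$_tcp" = no ]  || { echo "AllowTcpForwarding should be no" >&2; _rc=1; }
  [ "$_x11" = no ]  || { echo "X11Forwarding should be no" >&2; _rc=1; }
  return $_rc
}

# Demonstration on a constructed temp tree and a constructed drop-in file.
# Both are expected to be REJECTED: /tmp is world-writable, the sftp dir is
# group-writable, and the conf has a valueless X11Forwarding line.
demo() {
  _tmp=$(mktemp -d)
  mkdir -p "$_tmp/sftp/sddc-manager"
  chmod 0775 "$_tmp/sftp"
  if check_chroot_path "$_tmp/sftp"; then echo "chroot path: OK"; else echo "chroot path: REJECTED"; fi
  printf 'Match Group sftp-users\n  ChrootDirectory /var/sftp\n  AllowTcpForwarding no\n  X11Forwarding\n' > "$_tmp/bad.conf"
  if validate_sftp_conf "$_tmp/bad.conf"; then echo "conf: OK"; else echo "conf: REJECTED"; fi
  rm -rf "$_tmp"
}
demo
```

On the real host, source the file and run `check_chroot_path /var/sftp` and `validate_sftp_conf /etc/ssh/sshd_config.d/10-sftp-server.conf` before the restart, then finish with `sudo sshd -t`, which is the authoritative syntax check.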

SDDC Manager

Now that the SFTP Server is configured or the configuration is verified, we can configure the SDDC Manager.

After logging in to the SDDC Manager, select Backup from the Administration menu. If this is the first time configuring, select Site Settings. Complete the form with site specific settings.

One thing to note about the Backup Directory: on the SFTP server the ChrootDirectory is /var/sftp, so when the service account logs in, /var/sftp is the root of the file system it sees. Since we created a sub-directory for SDDC Manager beneath it, set the Backup Directory parameter to /sddc-manager.

After the Site Settings are verified or configured (is there a difference, really?) go back to the SDDC Manager Configurations page.

Select Backup Now and verify the backup completes. There will be tasks in the Tasks pane that will present a status.

When the Status shows Successful, you can verify files were written on the SFTP Server for an extra level of confidence.


You can configure a Backup Schedule to include Automatic Backups and Backup Frequency. Select the Edit text next to Backup Schedule.

