Souji Thenria

Setup a File Paste Service

Summary: Set up a service that lets you upload a file and get a link to share it with others.

Created on:

-----

The setup described in this post aims to provide a service similar to clbin. However, it allows only authenticated users to upload files. This is achieved by using SSH instead of HTTP/HTTPS as the transfer protocol.

This guide explains how to use SSH keys; however, passwords are also possible. Keys are just a more secure and convenient way to handle authentication.

  1. Create SSH keys or use existing ones.
  2. Copy the public key to the server.

Client

On the client, the connection can be configured using SSH_CONFIG(5) or via command line flags. In my opinion, SSH_CONFIG(5) is more convenient. An example configuration is shown below:

Host <nick name>
    HostName <hostname or IP address>
    Port 22
    IdentitiesOnly yes
    IdentityFile ~/.ssh/private_key

Furthermore, we need a script that implements the logic to upload the file. This script pipes an input into a specified file on the server. It is also possible to randomly generate the names. Either way, checking if a file already exists might be beneficial before uploading it. A simple script to upload a file can look like the following:

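#!/bin/sh
# Upload stdin to the paste server and print the resulting link.
USER="<user name>"
SERVER_NAME="<server nick name>"
REMOTE_PATH="<remote path>"
REMOTE_HTTP_ADDRESS="https://<remote server>"

if [ $# -ne 1 ]; then
    echo "ERROR: The name for the file created on the server is required." >&2
    exit 1
fi

# The name becomes part of a command line run by the remote shell, so accept
# only plain file names (no slashes, spaces or shell metacharacters).
case "$1" in
    ""|.*|*[!A-Za-z0-9._-]*)
        echo "ERROR: Invalid file name: $1" >&2
        exit 1
        ;;
esac

# Stream stdin into the remote file; print the link only if the upload succeeded.
ssh "${USER}@${SERVER_NAME}" "cat > '${REMOTE_PATH}/$1'" || exit 1
echo "${REMOTE_HTTP_ADDRESS}/$1"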

For example, to send a local file, the command can be something like this:

cat local_file | upload_script remote_file

Server

On the server side, a user needs to be configured, and the public key of the SSH key pair needs to be copied to ~/.ssh/authorized_keys in the user’s home directory.

Additional configurations for OpenSSH are possible to make the configuration more secure. In /etc/ssh/sshd_config.d, create a new file paste_service.conf with the following content (It is assumed that the username is _paste_user.):

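Match User _paste_user
    PermitTTY no
    ForceCommand internal-sftp
    ChrootDirectory %h
    AuthorizedKeysFile /etc/ssh/authorized_keys/_upload_user

PermitTTY: Prevents pty allocation for a terminal session.
ForceCommand: Allows only the execution of internal-sftp. Any command sent by the client is ignored, so the ssh "cat > file" upload script shown above no longer works with this setting and uploads have to be done over SFTP.
ChrootDirectory: Chroots to the user’s home directory after authentication. sshd requires the chroot directory and every path component above it to be owned by root and not writable by any other user or group, so uploads have to go into a subdirectory that the user can write to.
AuthorizedKeysFile: Specifies where the public key is located for that user. With this setting, the public key has to be stored in that file rather than in ~/.ssh/authorized_keys.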
 

Another consideration that everyone needs to decide for themselves is whether directory listing should be allowed on the web server. Directory listing can disclose all uploaded files.
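
With ForceCommand internal-sftp in place, uploads have to go through SFTP instead of a remote cat. The client below is an added example, not the author's script: it spools stdin to a temporary file, refuses to overwrite an existing name, and generates a random name when none is given. The host alias paste, the directory uploads, the URL https://paste.example and the script name paste-upload are assumptions.

```shell
#!/bin/sh
# Added example: SFTP-only upload client. The three defaults are assumptions.
PASTE_HOST="${PASTE_HOST:-paste}"                # Host alias from ~/.ssh/config
PASTE_DIR="${PASTE_DIR:-uploads}"                # user-writable directory inside the chroot
PASTE_URL="${PASTE_URL:-https://paste.example}"  # placeholder public base URL

# Accept only plain file names: no slashes, no leading dot, no shell or sftp metacharacters.
valid_name() {
    case "$1" in
        ""|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# 16 hex characters from /dev/urandom, so links are hard to guess.
random_name() { od -An -N8 -tx1 /dev/urandom | tr -d ' \n'; }

# sftp batch that succeeds only if remote name $1 already exists.
exists_batch() { printf 'ls "%s/%s"\n' "$PASTE_DIR" "$1"; }

# sftp batch that uploads local file $1 as remote name $2 and makes it
# readable by the web server (assumed to run as a different user).
put_batch() {
    printf 'put "%s" "%s/%s"\nchmod 644 "%s/%s"\n' \
        "$1" "$PASTE_DIR" "$2" "$PASTE_DIR" "$2"
}

paste_upload() {
    name="${1:-$(random_name)}"
    valid_name "$name" || { echo "ERROR: invalid file name: $name" >&2; return 1; }
    tmp="$(mktemp)" || return 1
    trap 'rm -f "$tmp"' EXIT
    cat > "$tmp"    # sftp uploads local files, so spool stdin first
    # A failed ls aborts the batch, so exit status 0 means the name is taken.
    if exists_batch "$name" | sftp -q -b - "$PASTE_HOST" >/dev/null 2>&1; then
        echo "ERROR: $name already exists on the server" >&2
        return 1
    fi
    put_batch "$tmp" "$name" | sftp -q -b - "$PASTE_HOST" >/dev/null || return 1
    echo "$PASTE_URL/$name"
}

# Runs only when the file is installed as paste-upload (assumed name):
#   paste-upload notes.txt < notes.txt
case "${0##*/}" in paste-upload) paste_upload "$@" ;; esac
```

Random names keep links hard to guess only while directory listing stays disabled on the web server.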
