Monday, March 20, 2017

Script to configure chrooted sftp-only users.

1. The SFTP user's home (chroot) folder permission has to be 755 (users can't see another user's directories anyway).
2. SFTP users will have no shell (Linux server) access, as that is not allowed in a chroot sftp environment, so it is better to set the sftp user's shell to /bin/false for security reasons.
3. The SFTP group shouldn't be added later (better to use only one group for all sftp users) because adding one would require a restart of the sshd daemon, which we should not do once moved to production. Also, there would be no use in having multiple groups for chrooted sftp users, as they can't access any other directory (other than their chrooted work directory) in any way.
4. Users with shell access (not the SFTP users, i.e. the Hadoop team) should have sudo permissions to see all the /chroots/ folders (as they are working on all the files).

Following is the script to configure sftp-only users.


#!/bin/bash
# sftponly_user_creation.sh
# Create (or convert) a user as a chrooted, sftp-only account under /chroots/<user>.
# Must be run as root. Assumes sshd_config already chroots members of group $GRP.

: "${1:?Kindly specify the user you wish to add as a CHROOTED SFTPONLY user. Script usage: $0 USERNAME}"

GRP=sdp
FUSER=$1

# useradd/usermod fail if the sftp group does not exist yet.
getent group "$GRP" >/dev/null || groupadd "$GRP"

if ! id "$FUSER" >/dev/null 2>&1
then
        echo "NO USER $FUSER FOUND. CREATING IT......"
        useradd -d "/chroots/$FUSER" -g "$GRP" -s /bin/false "$FUSER"
else
        usermod -d "/chroots/$FUSER" -g "$GRP" -s /bin/false "$FUSER"
fi

# The chroot directory and every parent must be owned by root and not writable
# by group/others (755), otherwise sshd refuses the chroot. The user only gets a
# writable subdirectory (work) inside it.
mkdir -p "/chroots/$FUSER/work"
chown root:root /chroots "/chroots/$FUSER"
chmod 755 /chroots "/chroots/$FUSER"
chown "$FUSER:$GRP" "/chroots/$FUSER/work"
chmod 755 "/chroots/$FUSER/work"

# Set an initial password and force the user to change it at first login.
passwd "$FUSER"
chage -d 0 "$FUSER"

#End of script
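The post states the 755 rule (point 1) and the single-group rule (point 3) but never shows the sshd side or a way to verify that a chroot was set up correctly. The following is an added example, not part of the original post: it prints the sshd_config Match block that the script above assumes exists for group sdp (an assumption; the post does not show its sshd_config), and it checks that a chroot directory and its parents satisfy sshd's ownership and mode rules, which is the usual cause of "bad ownership or modes for chroot directory" errors. The CHROOT_OWNER_UID variable and the function names are hypothetical helpers introduced here.

```shell
#!/bin/bash
# Added example (not from the original post): print the assumed sshd Match block
# and verify the chroot layout /chroots/<user>/work that the post's script creates.
# CHROOT_OWNER_UID is a hypothetical knob; it defaults to root (uid 0), which is
# what sshd requires for a real chroot.

CHROOT_OWNER_UID="${CHROOT_OWNER_UID:-0}"

# Print the sshd_config block that makes every member of GRP a chrooted,
# sftp-only user. This is the configuration the post's script assumes (assumed
# here, the post does not show it).
sshd_match_block() {
    local grp="${1:-sdp}"
    cat <<EOF
Match Group $grp
    ChrootDirectory /chroots/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Return 0 if DIR and every parent up to and including TOP (default /) is owned
# by CHROOT_OWNER_UID and is not group- or world-writable; sshd refuses the
# chroot otherwise. Prints the first violation found.
check_chroot_path() {
    local dir="$1" top="${2:-/}" p uid mode
    p="$(cd "$dir" 2>/dev/null && pwd -P)" || { echo "missing: $dir"; return 1; }
    top="$(cd "$top" && pwd -P)"
    while :; do
        uid="$(stat -c '%u' "$p")"
        mode="$(stat -c '%a' "$p")"
        mode="${mode: -3}"                     # drop the setuid/setgid/sticky digit
        if [ "$uid" != "$CHROOT_OWNER_UID" ]; then
            echo "bad owner on $p (uid $uid, expected $CHROOT_OWNER_UID)"; return 1
        fi
        if (( ${mode:1:1} & 2 )) || (( ${mode:2:1} & 2 )); then
            echo "group/world writable: $p (mode $mode)"; return 1
        fi
        [ "$p" = "$top" ] && break
        [ "$p" = "/" ] && { echo "$top is not above $dir"; return 1; }
        p="$(dirname "$p")"
    done
    return 0
}

# Return 0 if the user's writable subdirectory exists and is owned by OWNER_UID.
check_work_dir() {
    local work="$1" owner_uid="$2"
    [ -d "$work" ] || { echo "missing work dir: $work"; return 1; }
    [ "$(stat -c '%u' "$work")" = "$owner_uid" ] || { echo "wrong owner on $work"; return 1; }
    return 0
}

# Usage: ./check_chroot.sh alice   (checks /chroots/alice as laid out by the post's script)
if [ $# -gt 0 ]; then
    check_chroot_path "/chroots/$1" \
        && check_work_dir "/chroots/$1/work" "$(id -u "$1")" \
        && echo "chroot for $1 looks good"
fi
```

Run it as root after the creation script; it walks from /chroots/<user> up to / and stops at the first directory that is not root-owned or is writable by group or others, which is exactly what sshd checks before honouring ChrootDirectory.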
