1. SFTP user home folder permission has to be 755 (users can't see another user's directories anyway, because each user is chrooted into their own home).
2. SFTP users will have no shell (Linux server) access (it is not allowed in a chrooted sftp environment), so it is better to set the default shell of every sftp user to /bin/false for security reasons.
3. SFTP groups shouldn't be added later (better to use only one group for all sftp users), because adding a group requires a restart of the sshd daemon, which we should not do once moved to Production. Also, there is no use in having multiple groups for chrooted sftp users, as they can't access any directory other than their chrooted work directory in any way.
4. Users (not the SFTP users) with shell access (i.e. the Hadoop team) should have sudo permissions to see all of the /chroots/ folders (as they are working on all the files).
Following is the script to configure sftp-only users.
#!/bin/bash
# sftponly_user_creation.sh
# Abort with the usage message if no user name was given.
: "${1?"Kindly Specify User That You Wish To Add As CHROOTED SFTPONLY User! Script Usage: $0 "}"
GRP=sdp        # the single group shared by all sftp-only users (see point 3 above)
FUSER=$1
if ! id "$FUSER" >/dev/null 2>&1
then
echo "NO USER $FUSER FOUND. CREATING IT......"
useradd -d "/chroots/$FUSER" -g "$GRP" -s /bin/false "$FUSER"
else
usermod -d "/chroots/$FUSER" -g "$GRP" -s /bin/false "$FUSER"
fi
# The chroot directory itself must be owned by root and not writable by group
# or others (sshd refuses the chroot otherwise); the user may only write in work/.
mkdir -p "/chroots/$FUSER/work"
chmod 755 "/chroots/$FUSER"
chown root:root "/chroots/$FUSER"
chown "$FUSER:$GRP" "/chroots/$FUSER/work"
chmod 755 "/chroots/$FUSER/work"
passwd "$FUSER"
# Force a password change at first login. Note: an sftp-only user with /bin/false
# has no shell in which to run passwd, so verify in your environment that an
# expired password does not simply lock the account out of sftp.
chage -d 0 "$FUSER"
# End of script