lapatatedouce/scripts-admin-debian
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Actualiser miscellaneous/sftp_chroot.sh

Browse Source
This commit is contained in:
Philippe Favre
2024-10-31 23:04:46 +01:00
parent b533d13329
commit ebd8f77b86
1 changed files with 27 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
miscellaneous/sftp_chroot.sh
View File

@@ -11,7 +11,7 @@
# and apply the SSH settings to restrict the user to SFTP access only. Finally, it will restart the SSH service to # and apply the SSH settings to restrict the user to SFTP access only. Finally, it will restart the SSH service to
# apply the changes. # apply the changes.
# Check if the script is run as root # Check if the script is executed with root privileges
if [[ $EUID -ne 0 ]]; then if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root." echo "This script must be run as root."
exit 1 exit 1
@@ -20,28 +20,38 @@ fi
# Prompt for the SFTP username # Prompt for the SFTP username
read -p "Enter the SFTP username: " USERNAME read -p "Enter the SFTP username: " USERNAME
# Create a new user with the /bin/false shell to restrict command-line access # Create the user with /bin/false shell to limit access
useradd -m -d /sftp/$USERNAME -s /bin/false $USERNAME useradd -m -d /sftp/$USERNAME -s /bin/false $USERNAME
# Create the chroot environment in /sftp and necessary directories # Create the chroot environment in /sftp
mkdir -p /sftp/$USERNAME # Root directory of the user in the chroot environment mkdir -p /sftp/$USERNAME
mkdir -p /sftp/$USERNAME/upload # Upload directory for file transfers mkdir -p /sftp/$USERNAME/upload
mkdir -p /sftp/$USERNAME/.ssh # Directory for SSH keys mkdir -p /sftp/$USERNAME/.ssh
# Set permissions for the chroot directory # Set permissions for the chroot directory
chown root:root /sftp/$USERNAME # The main chroot directory must be owned by root chown root:root /sftp/$USERNAME
chmod 755 /sftp/$USERNAME # Allows read and execute access, but no write access for the user chmod 755 /sftp/$USERNAME
chown $USERNAME:$USERNAME /sftp/$USERNAME/upload # User can write to their upload directory chown $USERNAME:$USERNAME /sftp/$USERNAME/upload
# Create the authorized_keys file for SSH key-based authentication # Create the authorized_keys file
touch /sftp/$USERNAME/.ssh/authorized_keys touch /sftp/$USERNAME/.ssh/authorized_keys
chmod 700 /sftp/$USERNAME/.ssh # Restrict access to .ssh directory for security chmod 700 /sftp/$USERNAME/.ssh
chmod 600 /sftp/$USERNAME/.ssh/authorized_keys # Restrict permissions on authorized_keys chmod 600 /sftp/$USERNAME/.ssh/authorized_keys
chown -R $USERNAME:$USERNAME /sftp/$USERNAME/.ssh # Ensure user ownership on .ssh chown -R $USERNAME:$USERNAME /sftp/$USERNAME/.ssh
echo "User $USERNAME has been successfully set up in a chroot environment." echo "User $USERNAME has been successfully configured in a chroot environment."
# Update sshd_config to configure the chroot jail for this user if not already present # Add SFTP configuration to sshd_config if necessary
if ! grep -q "Match User $USERNAME" /etc/ssh/sshd_config; then if ! grep -q "Match User $USERNAME" /etc/ssh/sshd_config; then
echo -e "\n# SFTP Configuration for $USERNAME" >> /etc/ssh/sshd_config echo -e "\n# SFTP configuration for $USERNAME" >> /etc/ssh/sshd_config
echo "Match User echo "Match User $USERNAME" >> /etc/ssh/sshd_config
echo " ChrootDirectory /sftp/$USERNAME" >> /etc/ssh/sshd_config
echo " ForceCommand internal-sftp" >> /etc/ssh/sshd_config
echo " AllowTcpForwarding no" >> /etc/ssh/sshd_config
echo " PermitTunnel no" >> /etc/ssh/sshd_config
fi
# Restart the SSH service
systemctl restart ssh
echo "Chroot jail for $USERNAME configured successfully. You can now add SSH keys in /sftp/$USERNAME/.ssh/authorized_keys"