Actualiser miscellaneous/sftp_chroot.sh
This commit is contained in:
Philippe Favre
@@ -11,7 +11,7 @@
|
||||
# and apply the SSH settings to restrict the user to SFTP access only. Finally, it will restart the SSH service to
|
||||
# apply the changes.
|
||||
|
||||
# Check if the script is run as root
|
||||
# Check if the script is executed with root privileges
|
||||
if [[ $EUID -ne 0 ]]; then
|
||||
echo "This script must be run as root."
|
||||
exit 1
|
||||
@@ -20,28 +20,38 @@ fi
|
||||
# Prompt for the SFTP username
|
||||
read -p "Enter the SFTP username: " USERNAME
|
||||
|
||||
# Create a new user with the /bin/false shell to restrict command-line access
|
||||
# Create the user with /bin/false shell to limit access
|
||||
useradd -m -d /sftp/$USERNAME -s /bin/false $USERNAME
|
||||
|
||||
# Create the chroot environment in /sftp and necessary directories
|
||||
mkdir -p /sftp/$USERNAME # Root directory of the user in the chroot environment
|
||||
mkdir -p /sftp/$USERNAME/upload # Upload directory for file transfers
|
||||
mkdir -p /sftp/$USERNAME/.ssh # Directory for SSH keys
|
||||
# Create the chroot environment in /sftp
|
||||
mkdir -p /sftp/$USERNAME
|
||||
mkdir -p /sftp/$USERNAME/upload
|
||||
mkdir -p /sftp/$USERNAME/.ssh
|
||||
|
||||
# Set permissions for the chroot directory
|
||||
chown root:root /sftp/$USERNAME # The main chroot directory must be owned by root
|
||||
chmod 755 /sftp/$USERNAME # Allows read and execute access, but no write access for the user
|
||||
chown $USERNAME:$USERNAME /sftp/$USERNAME/upload # User can write to their upload directory
|
||||
chown root:root /sftp/$USERNAME
|
||||
chmod 755 /sftp/$USERNAME
|
||||
chown $USERNAME:$USERNAME /sftp/$USERNAME/upload
|
||||
|
||||
# Create the authorized_keys file for SSH key-based authentication
|
||||
# Create the authorized_keys file
|
||||
touch /sftp/$USERNAME/.ssh/authorized_keys
|
||||
chmod 700 /sftp/$USERNAME/.ssh # Restrict access to .ssh directory for security
|
||||
chmod 600 /sftp/$USERNAME/.ssh/authorized_keys # Restrict permissions on authorized_keys
|
||||
chown -R $USERNAME:$USERNAME /sftp/$USERNAME/.ssh # Ensure user ownership on .ssh
|
||||
chmod 700 /sftp/$USERNAME/.ssh
|
||||
chmod 600 /sftp/$USERNAME/.ssh/authorized_keys
|
||||
chown -R $USERNAME:$USERNAME /sftp/$USERNAME/.ssh
|
||||
|
||||
echo "User $USERNAME has been successfully set up in a chroot environment."
|
||||
echo "User $USERNAME has been successfully configured in a chroot environment."
|
||||
|
||||
# Update sshd_config to configure the chroot jail for this user if not already present
|
||||
# Add SFTP configuration to sshd_config if necessary
|
||||
if ! grep -q "Match User $USERNAME" /etc/ssh/sshd_config; then
|
||||
echo -e "\n# SFTP Configuration for $USERNAME" >> /etc/ssh/sshd_config
|
||||
echo "Match User
|
||||
echo -e "\n# SFTP configuration for $USERNAME" >> /etc/ssh/sshd_config
|
||||
echo "Match User $USERNAME" >> /etc/ssh/sshd_config
|
||||
echo " ChrootDirectory /sftp/$USERNAME" >> /etc/ssh/sshd_config
|
||||
echo " ForceCommand internal-sftp" >> /etc/ssh/sshd_config
|
||||
echo " AllowTcpForwarding no" >> /etc/ssh/sshd_config
|
||||
echo " PermitTunnel no" >> /etc/ssh/sshd_config
|
||||
fi
|
||||
|
||||
# Restart the SSH service
|
||||
systemctl restart ssh
|
||||
|
||||
echo "Chroot jail for $USERNAME configured successfully. You can now add SSH keys in /sftp/$USERNAME/.ssh/authorized_keys"
|
||||
Reference in New Issue
Block a user