SFTP with user home jailed without "upload" directory
Step zero: if they do not already exist, create the groups the users should belong to.
First we need to add the users. Most customers will ask you to create them with specific UIDs, GIDs, etc.; in this case my user asked me to import this file:
----cut here----
pt001:x:1101:1100:Some comment about this user pte:/dirhome/ptuserone:/bin/bash
pt002:x:1102:1100:Some comment about this user another user:/home/ptusertwo:/sbin/nologin
...
...
...
----cut here----
So we built this importer for this kind of request.
usage:
bash importer-etc-passwd-and-sftp-jail.sh user-generated-etc-passwd-file.txt
At the end, you just need to copy the printed text and paste it at the very end of /etc/ssh/sshd_config.
(Do not forget to restart sshd afterwards; `sshd -t` validates the configuration before the restart.)
#!/bin/bash | |
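#######################################
# Append an sshd "Match User" stanza that restricts one user to SFTP
# inside a chroot directory.
# Arguments:
#   $1 - user name
#   $2 - ChrootDirectory (sshd requires it to be root-owned and not
#        writable by group or others, otherwise the login is refused)
#   $3 - file the stanza is appended to
# Outputs:
#   The stanza is appended to $3 and echoed on stdout (tee).
# Returns:
#   the exit status of tee (non-zero when $3 cannot be written)
#######################################
sshd_modify_match() {
  local user=$1 chroot_dir=$2 out=$3
  # printf instead of echo: the values are never interpreted for
  # escapes or options, and the whole stanza is emitted in one write.
  # The stray "1:/2:/3:" debug lines of the first version are gone so
  # stdout only carries the stanza.
  printf '%s\n' \
    "Match User ${user}" \
    "ChrootDirectory ${chroot_dir}" \
    "ForceCommand internal-sftp" \
    "AllowTcpForwarding no" \
    "X11Forwarding no" | tee -a -- "$out"
}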
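#######################################
# Create one user with a fixed uid/gid, turn its home directory into a
# root-owned SFTP chroot and record the matching sshd stanza.
# Arguments:
#   $1 - user name
#   $2 - numeric uid
#   $3 - numeric gid (the group must already exist)
#   $4 - GECOS / comment field
#   $5 - home directory (becomes the ChrootDirectory)
#   $6 - login shell
#   $7 - file collecting the sshd Match stanzas
# Outputs:
#   The exact useradd command line is logged on stderr; stdout only
#   receives the stanza echoed by sshd_modify_match.
# Returns:
#   non-zero as soon as useradd or one of the permission changes fails,
#   so that no stanza is recorded for a half-configured account.
#######################################
myuseradd() {
  local user=$1 uid=$2 gid=$3 comment=$4 home=$5 shell=$6 sshd_out=$7

  # Log the real command, shell-quoted, instead of an approximation of it.
  printf '%q ' useradd -u "$uid" -g "$gid" -c "$comment" -m -d "$home" -s "$shell" "$user" >&2
  printf '\n' >&2

  # The home is created up front so that missing parent directories exist;
  # useradd -m then only warns that the directory is already there. The
  # directory comes from the argument, not from a loop variable of the
  # caller as in the first version.
  [[ -d "$home" ]] || mkdir -p -- "$home" || return 1
  useradd -u "$uid" -g "$gid" -c "$comment" -m -d "$home" -s "$shell" "$user" || return 1

  # sshd only accepts a ChrootDirectory that is owned by root and not
  # writable by group or others, so the user's own home is handed to root.
  chown root:root -- "$home" || return 1
  chmod 750 -- "$home" || return 1
  # NOTE(review): a named-user ACL entry with write permission raises the
  # ACL mask, and on Linux the mask is what the directory's group mode bits
  # report, so sshd may still reject this chroot as group-writable. Check
  # the sshd log after the first login; the conventional layout is a
  # root-owned jail with a user-writable subdirectory inside it.
  setfacl -m "u:${user}:rwX" -- "$home" || return 1
  sshd_modify_match "$user" "$home" "$sshd_out"
}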
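# Usage: importer-etc-passwd-and-sftp-jail.sh <passwd-style file>
# Every input line uses the /etc/passwd layout: name:x:uid:gid:comment:home:shell
passwd_file=${1:?usage: ${0##*/} passwd-style-file}
[[ -r "$passwd_file" ]] || { printf 'cannot read %s\n' "$passwd_file" >&2; exit 1; }

# Collects the Match stanzas; removed on every exit path.
TEMP=$(mktemp) || exit 1
trap 'rm -f -- "$TEMP"' EXIT

# The file is read on fd 3 so that commands run inside the loop cannot
# swallow the remaining input through stdin. IFS=: splits the passwd
# fields directly (no echo|cut per field); -r keeps backslashes in the
# comment field intact. The "|| [[ -n ... ]]" also processes a last line
# without a trailing newline.
while IFS=: read -r -u 3 user _ uid gid fng home shl || [[ -n "$user" ]]; do
  # Blank and commented lines carry no account.
  [[ -z "$user" || "$user" == \#* ]] && continue
  # Exact-name lookup instead of the partial-match grep that was commented
  # out in the first version.
  if getent passwd "$user" >/dev/null; then
    printf 'user already exists, skipping: %s\n' "$user" >&2
    continue
  fi
  myuseradd "$user" "$uid" "$gid" "$fng" "$home" "$shl" "$TEMP" \
    || printf 'failed to set up user %s\n' "$user" >&2
done 3< "$passwd_file"

# NOTE(review): sshd accepts a single "Subsystem sftp" directive; if
# sshd_config already defines one, replace it instead of appending a
# second copy, and run "sshd -t" before restarting.
printf '%s\n' \
  "------cut here and paste into /etc/ssh/sshd_config----" \
  "Subsystem sftp internal-sftp"
cat -- "$TEMP"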