mkdir -v -p /sftp/root/${USER}/home
chown root.root /sftp/root/${USER}
mount –bind //${DIR} /sftp/root/${USER}/home
useradd -g tomcat -s /sbin/nologin ${USER}

sshd_config

Match Group tomcat
AllowTcpForwarding no
ForceCommand internal-sftp -u 0002 -d home
ChrootDirectory /sftp/root/%u

All folder must have permission as 777, so I ran:

find //${DIR} -type d -exec chmod 777 '{}' \;

Pay attention to the mount binds (should not be missing nor have duplicates)
mount -l |grep home

#!/bin/bash
#
# Auto setup users for SFTP with chroot for tomcat
# Felipe Ferreira 02/2018
#
#EDIT ONLY HERE format

:: USERS="userdir1:usertest1:passtest321 userdir2:usertest2:passtest321"
for U in $USERS ;
do
DIR=$(echo "$U" |awk -F":" '{ print $1}')
USER=$(echo "$U" |awk -F":" '{ print $2}')
PASS=$(echo "$U" |awk -F":" '{ print $3}')
#IF EXIST DELETE IT
if [[ $(grep -c "${USER}" /etc/passwd) == 1 ]]; then
userdel $USER
fi
echo "Setup for user $USER dir $DIR and pass $PASS"
mkdir -v -p /sftp/root/${USER}/home
chown root.root /sftp/root/${USER}
mount --bind /${DIR} /sftp/root/${USER}/home
useradd -g tomcat -s /sbin/nologin ${USER}
echo "${USER}:${PASS}" | chpasswd
id $USER
ls -la /sftp/root/${USER}/home
echo "done for $USER"
echo -e "--------------------------------------------------------\n"
done
#add chroot definition group to /etc/sshd/sshd_conf if not found
if [[ $(grep -c "tomcat" /etc/ssh/sshd_config) == 1 ]]; then
echo "SSHD Already configured"
else
echo "Configuring sshd"
cat </etc/ssh/sshd_config
Match Group tomcat
AllowTcpForwarding no
AuthorizedKeysFile /sftp/root/%u/.ssh/authorized_keys
ForceCommand internal-sftp -u 0002 -d home
ChrootDirectory /sftp/root/%u
EOF
service sshd reload
fi
echo "DONE"
exit 0

VIA PUBLIC KEY AUTHENTCIATION
Insert the Remote Public key into: authorized_keys
Configure the permissions correctly, example:

mkdir /sftp/root/user/.ssh
chown .tomcat /sftp/root/user.ssh
chmod 400 /sftp/root/user/.ssh/authorized_keys
chown user.tomcat /sftp/root/user/.ssh/authorized_keys
chmod 700 /sftp/root/user/.ssh

Client Automation
On the client side we can have automation using a few different methods, for example:
Public Key and sftp
echo “put /tmp/1 dati/” | sftp -oIdentityFile=/root/.ssh/id_rsa user@
or using the non secure way with lftp
lftp sftp://:@ -e “cd dati ; put /tmp/1; bye”
Check/Create Mount Script (can be inserted on server startup like /etc/rc.local )

#!/bin/bash
#
# Auto setup mount bind on boot time
# Felipe Ferreira 02/2018
#
#EDIT ONLY HERE format
:: USERS="userdir1:usertest1:passtest321 userdir2:usertest2:passtest321"
#DONE EDIT
for U in $USERS ;
do
DIR=$(echo "$U" |awk -F":" '{ print $1}')
USER=$(echo "$U" |awk -F":" '{ print $2}')
if [[ $( mount -l |grep -c "/tomcat/${DIR}") == 0 ]]; then
echo "Setup mount bind for user $USER dir $DIR "
mkdir -v -p /sftp/root/${USER}/home
chown root.root /sftp/root/${USER}
mount --bind /tomcat/${DIR} /sftp/root/${USER}/home
fi
done
exit 0

hope this helps someone 🙂
]]>

Tags: , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *