chroot mount bind

Using the Linux sshd ChrootDirectory option it is possible not only to give a user a locked-down SFTP space of their own,
but also to drop them into that final folder automatically at login.

In my case users needed to land inside a tomcat folder located locally.


mkdir -v -p /sftp/root/${USER}/home
chown root:root /sftp/root/${USER}
mount --bind /${DIR} /sftp/root/${USER}/home
useradd -g tomcat -s /sbin/nologin ${USER}

sshd_config

Match Group tomcat
AllowTcpForwarding no
ForceCommand internal-sftp -u 0002 -d home
ChrootDirectory /sftp/root/%u

All folders must have permission 777, so I ran:

find /${DIR} -type d -exec chmod 777 '{}' \;

Pay attention to the mount binds (none should be missing and none duplicated):
mount -l | grep home


#!/bin/bash
#
# Auto setup users for SFTP with chroot for tomcat
# Felipe Ferreira 02/2018
#
#EDIT ONLY HERE, format: dir:user:password (space separated)
USERS="userdir1:usertest1:passtest321 userdir2:usertest2:passtest321"
#DONE EDIT

for U in $USERS ;
do
    DIR=$(echo "$U" |awk -F":" '{ print $1}')
    USER=$(echo "$U" |awk -F":" '{ print $2}')
    PASS=$(echo "$U" |awk -F":" '{ print $3}')
    #IF EXIST DELETE IT (exact account lookup instead of a substring grep of /etc/passwd)
    if id "${USER}" >/dev/null 2>&1; then
        userdel "${USER}"
    fi
    echo "Setup for user $USER dir $DIR and pass $PASS"
    mkdir -v -p /sftp/root/${USER}/home
    chown root:root /sftp/root/${USER}
    #drop a bind left by an earlier run so re-running does not stack duplicates
    if mountpoint -q /sftp/root/${USER}/home; then
        umount /sftp/root/${USER}/home
    fi
    mount --bind /${DIR} /sftp/root/${USER}/home
    useradd -g tomcat -s /sbin/nologin ${USER}
    echo "${USER}:${PASS}" | chpasswd
    id $USER
    ls -la /sftp/root/${USER}/home
    echo "done for $USER"
    echo -e "--------------------------------------------------------\n"
done
#add chroot definition for the group to /etc/ssh/sshd_config if not found
if grep -q "^Match Group tomcat" /etc/ssh/sshd_config; then
    echo "SSHD Already configured"
else
    echo "Configuring sshd"
    #Match blocks must come last in sshd_config, so append (>>) rather than overwrite
    cat <<EOF >>/etc/ssh/sshd_config
Match Group tomcat
    AllowTcpForwarding no
    AuthorizedKeysFile /sftp/root/%u/.ssh/authorized_keys
    ForceCommand internal-sftp -u 0002 -d home
    ChrootDirectory /sftp/root/%u
EOF
    service sshd reload
fi
echo "DONE"
exit 0

VIA PUBLIC KEY AUTHENTICATION

Insert the remote public key into authorized_keys and set the permissions correctly, for example:

mkdir /sftp/root/user/.ssh
chown :tomcat /sftp/root/user/.ssh
chmod 400 /sftp/root/user/.ssh/authorized_keys
chown user:tomcat /sftp/root/user/.ssh/authorized_keys
chmod 700 /sftp/root/user/.ssh

Client Automation

On the client side we can automate the transfer in a few different ways, for example:

Public key and sftp:
echo "put /tmp/1 dati/" | sftp -oIdentityFile=/root/.ssh/id_rsa user@

or, less securely, with lftp (credentials in the URL):
lftp sftp://:@ -e "cd dati ; put /tmp/1; bye"

Check/Create Mount Script (can be inserted on server startup like /etc/rc.local )


#!/bin/bash
#
# Auto setup mount bind on boot time
# Felipe Ferreira 02/2018
#

#EDIT ONLY HERE, format: dir:user:password (space separated)
USERS="userdir1:usertest1:passtest321 userdir2:usertest2:passtest321"
#DONE EDIT

for U in $USERS ;
do
    DIR=$(echo "$U" |awk -F":" '{ print $1}')
    USER=$(echo "$U" |awk -F":" '{ print $2}')
    #test the mount point itself: grepping `mount -l` for the source dir is only a
    #substring match and, for bind mounts, the listing shows the device, not the dir
    if ! mountpoint -q /sftp/root/${USER}/home; then
        echo "Setup mount bind for user $USER dir $DIR "
        mkdir -v -p /sftp/root/${USER}/home
        chown root:root /sftp/root/${USER}
        mount --bind /tomcat/${DIR} /sftp/root/${USER}/home
    fi
done
exit 0
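The note above that bind mounts must be neither missing nor duplicated, and the startup script's check, can be backed by an audit of the whole mount table against the USERS list. This is an added example, not a script from the original post: the mount lines and the USERS value are constructed samples, and the layout (/tomcat/<dir> bound on /sftp/root/<user>/home) is the one the scripts above use.

```bash
#!/bin/bash
# Audit the per-user bind mounts behind the chroot against the USERS list
# used by the setup scripts ("dir:user:pass" entries, space separated).
# The mount table is passed in as text (the output of `mount -l`) so the
# same check works on a live host or on a saved copy of its mount table.
audit_bind_mounts() {
  local users="$1" mounts="$2" rc=0 u dir user mp count
  for u in $users; do
    dir=${u%%:*}                       # first field: directory under /tomcat
    user=${u#*:}; user=${user%%:*}     # second field: account name
    mp="/sftp/root/$user/home"
    # Column 3 of `mount -l` is the mount point. Compare it whole rather
    # than by substring, so usertest1 never matches usertest10.
    count=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$3 == mp {n++} END {print n+0}')
    case $count in
      0) echo "MISSING   $user (expected /tomcat/$dir on $mp)"; rc=1 ;;
      1) echo "OK        $user" ;;
      *) echo "DUPLICATE $user ($count bind mounts on $mp)"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample mount table: usertest1 was bound twice (setup script run
# twice), usertest2 is missing, usertest10 is a near-miss name, usertest3 is fine.
SAMPLE_USERS="userdir1:usertest1:passtest321 userdir2:usertest2:passtest321 userdir3:usertest3:passtest321"
SAMPLE_MOUNTS='/dev/sda1 on / type ext4 (rw,relatime)
/dev/sda1 on /sftp/root/usertest1/home type ext4 (rw,relatime)
/dev/sda1 on /sftp/root/usertest1/home type ext4 (rw,relatime)
/dev/sda1 on /sftp/root/usertest10/home type ext4 (rw,relatime)
/dev/sda1 on /sftp/root/usertest3/home type ext4 (rw,relatime)'

# On a real host: audit_bind_mounts "$USERS" "$(mount -l)"
audit_bind_mounts "$SAMPLE_USERS" "$SAMPLE_MOUNTS" || echo "bind mount problems found, fix them before reloading sshd"
```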

hope this helps someone 🙂
