mkdir -v -p /sftp/root/${USER}/home
chown root.root /sftp/root/${USER}
mount --bind /
useradd -g tomcat -s /sbin/nologin ${USER}
sshd_config
Match Group tomcat
AllowTcpForwarding no
ForceCommand internal-sftp -u 0002 -d home
ChrootDirectory /sftp/root/%u
All folders must have 777 permissions, so I ran:
find /
Pay attention to the bind mounts (none should be missing, and none should be duplicated):
mount -l |grep home
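#!/bin/bash
#
# Auto setup users for SFTP with chroot for tomcat
# Felipe Ferreira 02/2018
#
# For each "dir:user:password" entry in USERS this script:
#   1. removes a pre-existing account of the same name,
#   2. creates the root-owned chroot directory /sftp/root/<user> with a
#      "home" subdirectory,
#   3. bind-mounts /<dir> onto that "home" subdirectory (skipped when it
#      is already a mount point, so re-running does not stack mounts),
#   4. creates the account in group "tomcat" with no login shell and sets
#      its password,
# and finally appends a "Match Group tomcat" block to sshd_config when no
# such block exists yet, validating the result before reloading sshd.
#
# Must run as root. USERS holds passwords in clear text, so keep this file
# readable by root only.
#
#EDIT ONLY HERE format
# dir:user:password  (entries separated by spaces)
USERS="userdir1:usertest1:passtest321 userdir2:usertest2:passtest321"
#DONE EDIT
set -u

SFTP_ROOT=/sftp/root
SSHD_CONFIG=/etc/ssh/sshd_config

# shellcheck disable=SC2086 -- word-splitting USERS on spaces is intended
for U in $USERS; do
  # Split "dir:user:pass" on ':' in the shell instead of three awk calls.
  IFS=: read -r DIR USER PASS <<<"$U"
  if [[ -z "$DIR" || -z "$USER" || -z "$PASS" ]]; then
    printf 'Skipping malformed entry: %s\n' "$U" >&2
    continue
  fi

  #IF EXIST DELETE IT
  # getent matches the account name exactly; "grep -c name /etc/passwd"
  # is a substring match (usertest1 also hits usertest10) and only fired
  # when the count was exactly 1.
  if getent passwd "$USER" >/dev/null; then
    userdel "$USER"
  fi

  # The password is deliberately not printed: stdout often ends up in logs.
  printf 'Setup for user %s dir %s\n' "$USER" "$DIR"
  mkdir -v -p "${SFTP_ROOT}/${USER}/home"
  # sshd only accepts a ChrootDirectory that is owned by root and not
  # writable by group or others; user writes happen under home/.
  chown root:root "${SFTP_ROOT}/${USER}"
  chmod 755 "${SFTP_ROOT}/${USER}"
  # Skip the bind when home/ is already a mount point; otherwise every
  # run stacks another identical bind mount on top of the previous one.
  if ! mountpoint -q "${SFTP_ROOT}/${USER}/home"; then
    # NOTE(review): the boot-time mount script binds /tomcat/<dir> here;
    # confirm which source path is intended so both scripts agree.
    mount --bind "/${DIR}" "${SFTP_ROOT}/${USER}/home" || exit 1
  fi
  useradd -g tomcat -s /sbin/nologin "$USER" || exit 1
  # chpasswd reads "user:password" on stdin, so the password never
  # appears in the process list.
  printf '%s:%s\n' "$USER" "$PASS" | chpasswd
  id "$USER"
  ls -la "${SFTP_ROOT}/${USER}/home"
  printf 'done for %s\n' "$USER"
  printf -- '--------------------------------------------------------\n\n'
done

#add chroot definition group to /etc/ssh/sshd_config if not found
# Anchor on the Match line itself: counting every "tomcat" in the file
# would append a second, duplicate block as soon as the word shows up
# anywhere else (a comment, a second Match block, ...).
if grep -q '^Match Group tomcat' "$SSHD_CONFIG"; then
  echo "SSHD Already configured"
else
  echo "Configuring sshd"
  # Quoted delimiter: %u must reach sshd literally, not be expanded here.
  # The leading empty line keeps the block separate even if the file
  # does not end with a newline.
  cat <<'EOF' >>"$SSHD_CONFIG"

Match Group tomcat
AllowTcpForwarding no
AuthorizedKeysFile /sftp/root/%u/.ssh/authorized_keys
ForceCommand internal-sftp -u 0002 -d home
ChrootDirectory /sftp/root/%u
EOF
  # Validate before reloading so a bad config cannot take down the
  # running sshd and lock out remote administration.
  if sshd -t; then
    service sshd reload
  else
    printf '%s failed validation; sshd not reloaded\n' "$SSHD_CONFIG" >&2
    exit 1
  fi
fi
echo "DONE"
exit 0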
VIA PUBLIC KEY AUTHENTICATION
Insert the Remote Public key into: authorized_keys
Configure the permissions correctly, example:
mkdir /sftp/root/user/.ssh
chown .tomcat /sftp/root/user/.ssh
chmod 400 /sftp/root/user/.ssh/authorized_keys
chown user.tomcat /sftp/root/user/.ssh/authorized_keys
chmod 700 /sftp/root/user/.ssh
Client Automation
On the client side we can have automation using a few different methods, for example:
Public Key and sftp
echo "put /tmp/1 dati/" | sftp -oIdentityFile=/root/.ssh/id_rsa user@
or the insecure way, using lftp:
lftp sftp://
Check/Create Mount Script (can be run at server startup, e.g. from /etc/rc.local)
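#!/bin/bash
#
# Auto setup mount bind on boot time
# Felipe Ferreira 02/2018
#
# For every "dir:user:password" entry in USERS, re-creates the bind mount
# of /tomcat/<dir> onto the chrooted SFTP home /sftp/root/<user>/home.
# Bind mounts do not survive a reboot, hence this runs at startup (e.g.
# from /etc/rc.local). A home that is already a mount point is left
# alone, so the script is safe to re-run. Must run as root.
#
#EDIT ONLY HERE format
# dir:user:password  (same list as the user setup script; the password
# field is ignored here)
USERS="userdir1:usertest1:passtest321 userdir2:usertest2:passtest321"
#DONE EDIT
set -u

SFTP_ROOT=/sftp/root
DATA_ROOT=/tomcat

# shellcheck disable=SC2086 -- word-splitting USERS on spaces is intended
for U in $USERS; do
  # shellcheck disable=SC2034 -- third field (password) is not needed here
  IFS=: read -r DIR USER _unused <<<"$U"
  if [[ -z "$DIR" || -z "$USER" ]]; then
    printf 'Skipping malformed entry: %s\n' "$U" >&2
    continue
  fi
  TARGET="${SFTP_ROOT}/${USER}/home"
  # Test the target itself instead of grepping "mount -l" for the source:
  # that substring check also matched /tomcat/userdir10 when looking for
  # /tomcat/userdir1 and then silently skipped the mount.
  if ! mountpoint -q "$TARGET"; then
    printf 'Setup mount bind for user %s dir %s\n' "$USER" "$DIR"
    mkdir -v -p "$TARGET"
    # sshd requires the ChrootDirectory to be root-owned and not
    # group/world-writable.
    chown root:root "${SFTP_ROOT}/${USER}"
    mount --bind "${DATA_ROOT}/${DIR}" "$TARGET" || exit 1
  fi
done
exit 0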
hope this helps someone 🙂