Creates a chrooted user with real scp and ssh access on an Amazon Linux EC2 instance
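#!/bin/bash
#
# This script creates a chrooted user, scp enabled, on an Amazon Linux aws instance
#
# 2017-10-05
#
# What it does:
#   * creates the "sftp" group and a member user, and sets that user's password
#   * appends an sshd "Match Group sftp" block that confines members to their
#     home directory (ChrootDirectory %h) and enables password authentication
#     for that group ONLY -- the global PasswordAuthentication setting is left
#     as shipped instead of being flipped to "yes" for every account
#   * populates the chroot with bash, ls, scp, sftp-server, the libraries ldd
#     reports for them, a few dlopen'd libraries, device nodes and /dev/pts
#   * validates sshd_config with "sshd -t" BEFORE restarting sshd, so a broken
#     edit cannot lock you out of a remote instance
#
# Must run as root.  Override the defaults via the environment, e.g.
#   CHROOT_USERNAME=alice CHROOT_PASSWORD="$(openssl rand -base64 18)" ./chroot-user.sh
#
# Known limits:
#   * the /dev/pts bind mount does not survive a reboot (add an /etc/fstab
#     entry or a boot script if interactive logins must keep working)
#   * the chroot's /etc/passwd and /etc/group contain only root and the new
#     user, not a copy of the host's full account list
#   * re-running for the same user is refused; the sshd_config edit itself is
#     idempotent (guarded by the presence of the Match block)
set -euo pipefail

# change username and password here (or export CHROOT_USERNAME / CHROOT_PASSWORD).
# The password default is a placeholder, never deploy with it.
username="${CHROOT_USERNAME:-abc}"
password="${CHROOT_PASSWORD:-123456}"

readonly sshd_config="/etc/ssh/sshd_config"
readonly chroot_group="sftp"

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Copy one file into the chroot at its original absolute path.  Missing
# files are reported and skipped rather than aborting, because the exact
# library set differs between Amazon Linux AMIs.
copy_into_chroot() {
  local src="$1"
  if [[ -e "$src" ]]; then
    cp --parents -- "$src" "$home"
  else
    printf 'warning: %s not found, skipping\n' "$src" >&2
  fi
}

# Print the absolute paths of the shared objects ldd reports for a binary:
# both "libfoo.so => /path (addr)" lines and the bare loader line
# "/lib64/ld-linux-x86-64.so.2 (addr)".  vDSO entries with no path are
# dropped (the original "cut -f 3" passed their "(0x...)" token to cp).
# Non-ELF input just yields nothing.  ldd may execute what it inspects, so
# it is only ever pointed at system binaries and copies of them here.
shared_libs_of() {
  ldd "$1" 2>/dev/null \
    | awk '$2 == "=>" && $3 ~ /^\// { print $3 }  $1 ~ /^\// { print $1 }' || true
}

# ---- preconditions --------------------------------------------------------
[[ $EUID -eq 0 ]] || die "must be run as root"
[[ "$username" =~ ^[A-Za-z_][A-Za-z0-9_.-]*$ ]] || die "invalid username: ${username}"
[[ -n "$password" ]] || die "password must not be empty"
if [[ "$password" == "123456" ]]; then
  printf 'warning: using the placeholder password; change it before exposing this host\n' >&2
fi

# ---- account --------------------------------------------------------------
getent group "$chroot_group" >/dev/null || groupadd "$chroot_group"
if id "$username" >/dev/null 2>&1; then
  die "user ${username} already exists; refusing to rebuild its chroot"
fi
useradd -m -G "$chroot_group" -- "$username"
# password goes over stdin, so it never appears in "ps" output
printf '%s:%s\n' "$username" "$password" | chpasswd

# ChrootDirectory %h confines the user to the real home directory, so use
# the one useradd actually created rather than assuming /home/<name>.
home="$(getent passwd "$username" | cut -d: -f6)"
[[ "$home" == /* ]] || die "could not determine home directory of ${username}"

# ---- sshd configuration ---------------------------------------------------
cp -p -- "$sshd_config" "${sshd_config}.before_chroot"

if ! grep -q "^Match Group ${chroot_group}\$" "$sshd_config"; then
  # Comment out the stock sftp subsystem line.  The stock line may be
  # tab-separated ("Subsystem<TAB>sftp<TAB>..."), which a pattern with a
  # literal space would miss and leave sshd with two sftp subsystems.
  sed -i -e '/Subsystem[[:space:]]\+sftp/ s/^#*/#/' "$sshd_config"

  # internal-sftp runs inside sshd and needs no binaries in the chroot, so
  # sftp keeps working even if the copy below is incomplete.  Subsystem is
  # not permitted inside a Match block, so when the file already ends in one
  # the line has to go above the first Match rather than at the end.
  if grep -q '^[[:space:]]*Match[[:space:]]' "$sshd_config"; then
    sed -i -e '0,/^[[:space:]]*Match[[:space:]]/ s//Subsystem sftp internal-sftp\n\n&/' "$sshd_config"
  else
    printf 'Subsystem sftp internal-sftp\n' >> "$sshd_config"
  fi

  # Match blocks must be last.  PasswordAuthentication is scoped to this
  # group: enabling it globally (as the original did) would expose every
  # other account on the instance to password guessing.
  cat >> "$sshd_config" <<EOF

Match Group ${chroot_group}
    ChrootDirectory %h
    AllowTcpForwarding no
    PasswordAuthentication yes
EOF
fi

# ---- chroot tree ----------------------------------------------------------
mkdir -p "${home}"/{bin,dir,etc,dev/pts,lib64,usr/bin,usr/lib64,usr/libexec/openssh}

# Binaries available inside the chroot, plus every library ldd resolves for them.
binaries=(/bin/bash /bin/ls /usr/bin/scp /usr/libexec/openssh/sftp-server)
for bin in "${binaries[@]}"; do
  copy_into_chroot "$bin"
  while IFS= read -r lib; do
    copy_into_chroot "$lib"
  done < <(shared_libs_of "$bin")
done

# Libraries loaded at run time that ldd cannot report.  The glibc NSS
# modules (libnss_*) are dlopen'd for user/group name lookups (ls -l, scp);
# the remaining entries reproduce the original script's list for this AMI.
# Everything lands at its host path; /lib64 and /usr/lib64 are both on the
# loader's default search path, and /etc/ld.so.cache is copied below.
for lib in /lib64/libnss* /usr/lib64/libnss* /usr/lib64/libnss3.so \
           /usr/lib64/libssl3.so /usr/lib64/libtic.so.5 /lib64/ld-linux-x86-64.so.2; do
  copy_into_chroot "$lib"
done

# Second pass: dependencies of everything now inside the chroot (the
# dlopen'd libraries above have link-time dependencies of their own).
# Scoped to the chroot tree -- the original ran "find ." from whatever the
# current directory happened to be, feeding arbitrary files to ldd.
while IFS= read -r -d '' f; do
  while IFS= read -r lib; do
    [[ -e "${home}${lib}" ]] || copy_into_chroot "$lib"
  done < <(shared_libs_of "$f")
done < <(find "$home" -type f -print0)

# Minimal identity files: root and the new user only, so name resolution
# works without handing the chrooted user the host's full account list.
getent passwd root "$username" > "${home}/etc/passwd"
getent group root "$chroot_group" "$(id -gn "$username")" > "${home}/etc/group"
cp -r -- /etc/ld.so* "${home}/etc/"

# ---- device nodes ---------------------------------------------------------
# mknod needs CAP_MKNOD, hence the root requirement above.
while read -r name major minor; do
  [[ -e "${home}/dev/${name}" ]] || mknod -m 666 "${home}/dev/${name}" c "$major" "$minor"
done <<'EOF'
null 1 3
tty 5 0
zero 1 5
random 1 8
EOF
# Pseudo-terminals for interactive sessions.  NOTE: not persistent across reboots.
mountpoint -q "${home}/dev/pts" || mount --bind /dev/pts "${home}/dev/pts"

# ---- ownership and permissions --------------------------------------------
# sshd refuses ChrootDirectory unless the chroot root is root-owned and not
# group/other writable.  The runtime tree (bin, dev, etc, lib64, usr) stays
# root-owned so the user cannot swap out the binaries and libraries they run
# (the original chown'd the whole tree to the user); the user gets ~/dir
# and the login dotfiles.
chown root:root "$home"
chmod 0755 "$home"
chown -R root:root "${home}"/{bin,dev,etc,lib64,usr}
chmod 0755 "${home}/bin"
# "user:" (empty group) means the user's login group, whatever useradd chose
chown "${username}:" "${home}/dir"
chmod 0755 "${home}/dir"
for dotfile in "${home}"/.bash*; do
  [[ -e "$dotfile" ]] || continue
  chown "${username}:" "$dotfile"
  chmod 0644 "$dotfile"   # owner-writable is enough; the original used 0666
done

# ---- activate -------------------------------------------------------------
# Validate before restarting: a bad sshd_config on a remote EC2 instance
# costs you your own SSH session with no way back in.
if ! /usr/sbin/sshd -t; then
  cp -p -- "${sshd_config}.before_chroot" "$sshd_config"
  die "sshd_config failed validation; original restored, sshd NOT restarted"
fi
if command -v systemctl >/dev/null 2>&1; then
  systemctl restart sshd       # systemd-based Amazon Linux (2 and later)
else
  /etc/init.d/sshd restart     # sysvinit-based Amazon Linux (original target)
fi
printf 'chrooted user %s ready in %s\n' "$username" "$home"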