SFTP configuration and user management scripts in Linux

The company needs to establish an FTP to manage the client's file upload, in order to security we intend to adopt SFTP, and request each customer through Sshkey landing.
Perhaps you will say: "SFTP do not need to configure Ah, there is ssh directly can be used." Yes, but we don't want users to be able to log on to our servers via SSH, we want each customer to manage their own files through SFTP, and we want to unify the directory for all our customers. With such a requirement, the default SSH configuration is not satisfied.

Here is the configuration step for SFTP and a user management script I wrote:

1. Modify SFTP Related configuration

$ sudo vim/etc/ssh/sshd_config

The code is as follows	Copy Code
# Override default of No subsystems #Subsystem Sftp/usr/libexec/openssh/sftp-server subsystem SFTP INTERNAL-SFTP Match Group Sftpusers Chrootdirectory/home/sftp/%u Forcecommand internal-sftp $ sudo/etc/init.d/sshd Restart

2. Create User Management scripts

The code is as follows

Copy Code

$ sudo vim sftpusers.sh #!/bin/bash # # Manage SFTP users for customers # # Author:dong Guo # Last modified:2013/09/06 by Dong Guo userfile=/etc/passwd Groupfile=/etc/group Homedir=/home/sftp Loginshell=/sbin/nologin Groupname=sftpusers Username=$2 function Check_root () { If [$EUID-ne 0]; Then echo "This script must is run as root" 1>&2 Exit 1 Fi } function Print_help () { #Print Help messages then exit echo "Usage: $ {create|disable|enable|passwd|sshkey|delete} {username}" >&2 Exit 1 } function Check_usergroup () { #Create UserGroup if not exist Cut-d:-F 1 $groupfile | Grep-wq $groupname If [$?-ne 0];then Groupadd $groupname Fi } function Check_homedir () { #Create Homedir if not exist if [!-d "$homedir"];then mkdir $homedir Fi } function Check_username_exist () { #Check if user already exist Cut-d:-F 1 $userfile | Grep-wq $username If [$?-eq 0];then echo "User $username already exist." && exit Fi } function Check_username_notexist () { #Check if user not exist Cut-d:-F 1 $userfile | Grep-wq $username If [$?-ne 0];then echo "User $username not exist." && exit Fi } Function check_user_disabled () {   #Check if user already disabled   lockfile= $homedir/$username/ sftpuser.locked   If [-a "$lockfile"]; then     echo "User $username already disabled." ;& exit   fi } function Update_sshkey () { #Get the Sshkey Echo-n "Input Sshkey:" Read Sshkey #Check if Sshkey is empty If [-Z "$sshkey"];then echo "Empty sshkey." && exit Fi #Check if Sshkey not correct echo $sshkey | Grep-ewq ' ^ssh-rsa|^ssh-dss ' If [$?-ne 0];then echo "String" Ssh-rsa "or" SSH-DSS "not found." && exit Fi mkdir $homedir/$username/.ssh chmod $homedir/$username/.ssh echo "$sshkey" > $homedir/$username/.ssh/authorized_keys chmod $homedir/$username/.ssh/authorized_keys Chown-r $username: $groupname $homedir/$username/.ssh } If [$#!= 2];then Print_help Fi Check_root Check_usergroup Check_homedir Case "$" in ' Create ') Check_username_exist Useradd-m-D "$homedir/$username"-G $groupname-S $loginshell-C "$username sftp" $username chmod 755 $homedir/$username Chown root:root $homedir/$username If [$?-eq 0]; Then echo "User $username was created." Fi ;; ' Disable ') Check_username_notexist Passwd-l $username Touch $homedir/$username/sftpuser.locked authfile= $homedir/$username/.ssh/authorized_keys If [-a "$authfile"]; Then MV $authfile $authfile. Disabled Fi If [$?-eq 0]; Then echo "User $username was disabled." Fi ;; ' Enable ') Check_username_notexist Passwd-u $username Rm-f $homedir/$username/sftpuser.locked authfile= $homedir/$username/.ssh/authorized_keys If [-a "$authfile. Disabled"]; Then MV $authfile. Disabled $authfile Fi If [$?-eq 0]; Then echo "User $username was enabled." Fi ;; ' Delete ') Check_username_notexist Echo-n "Delete all the data and account of user $username? [Yes|no] " Read Yesorno If ["$yesorno" = "yes"];then USERDEL-RF $username If [$?-eq 0]; Then echo "User $username was deleted." Fi Fi ;; ' passwd ') Check_username_notexist Check_user_disabled passwd $username ;; ' Sshkey ') Check_username_notexist Check_user_disabled Update_sshkey If [$?-eq 0]; Then echo "The Sshkey of user $username was updated." Fi ;; *) Print_help ;; Esac $ sudo chmod +x sftpusers.sh

3. Create SFTP users and test

$./sftpusers.sh

The code is as follows	Copy Code
1 Usage:./sftpusers.sh {Create|disable|enable|passwd|sshkey|delete} {username}

Create a user

The code is as follows

Copy Code

$./sftpusers.sh Create Facebook This script must is run as root $ sudo./sftpusers.sh Create Facebook User Facebook was created. $ id Facebook uid=504 (Facebook) gid=503 (sftpusers) groups=503 (sftpusers) $ grep facebook/etc/passwd Facebook:x:504:503:facebook sftp:/home/sftp/facebook:/sbin/nologin Disable user $ sudo./sftpusers.sh Disable Facebook Locking password for user Facebook. Passwd:success User Facebook was disabled.

Modify User Key

code is as follows

copy code

$ sudo./ sftpusers.sh sshkey Facebook User Facebook already disabled. $ sudo./sftpusers.sh enable Facebook Unlocking password for user Facebook. User Facebook was enabled. $ sudo./sftpusers.sh sshkey Facebook Input Sshkey:ssh-rsa aaaab3nzac1yc2eaaaabiwaaaqea7g/9+ vddcvzhpebslonr3fcour0zlykbcmg7n Facebook@us The Sshkey of user Facebook was updated. $ sudo ls-l/home/sftp/facebook/.ssh/authorized_keys -RW-------1 Facebook sftpusers 397 sep  5 19:40/home/sftp/facebook/.ssh/authorized_keys

Connect SFTP

The code is as follows	Copy Code
$ sftp Facebook@sftpserver Connecting to Sftpserver ... Sftp> ls-a . .. . bash_logout. bash_profile. bashrc. SSH sftp> CD. SSH Sftp> ls Authorized_keys Sftp> exit

Delete User

code is as follows	copy code
$ sudo./ sftpusers.sh Delete Facebook Delete all the data and account of user Facebook? [Yes|no] Yes User Facebook was deleted. $ sudo./sftpusers.sh Delete Facebook User Facebook not exist. $ id Facebook Id:facebook:No such user