SFTP configuration and user management scripts in Linux


The company needs a file transfer service through which customers can upload files. For security we intend to use SFTP rather than FTP, and to require each customer to log in with an SSH key.
You might say: "SFTP needs no configuration; it works over SSH as it is." True, but we do not want customers to be able to log in to our servers over SSH: each customer should manage only their own files through SFTP, and all customer directories should live under one common directory. The default SSH configuration does not satisfy these requirements.

Below are the SFTP configuration steps and the user management script I wrote:

1. Modify the SFTP-related sshd configuration

$ sudo vim /etc/ssh/sshd_config


# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Match Group sftpusers
    ChrootDirectory /home/sftp/%u
    ForceCommand internal-sftp


$ sudo /etc/init.d/sshd restart

2. Create the user management script


$ sudo vim sftpusers.sh

#!/bin/bash
#
# Manage SFTP users for customers
#
# Author: Dong Guo
# Last modified: 2013/09/06 by Dong Guo

userfile=/etc/passwd
groupfile=/etc/group
homedir=/home/sftp
loginshell=/sbin/nologin
groupname=sftpusers
username=$2

function check_root ()
{
    if [ $EUID -ne 0 ]; then
        echo "This script must be run as root" 1>&2
        exit 1
    fi
}

function print_help () {
    # Print the usage message, then exit
    echo "Usage: $0 {create|disable|enable|passwd|sshkey|delete} {username}" >&2
    exit 1
}

function check_usergroup () {
    # Create the SFTP group if it does not exist
    cut -d: -f 1 $groupfile | grep -wq $groupname
    if [ $? -ne 0 ]; then
        groupadd $groupname
    fi
}

function check_homedir () {
    # Create the common home directory if it does not exist
    if [ ! -d "$homedir" ]; then
        mkdir $homedir
    fi
}

function check_username_exist () {
    # Abort if the user already exists
    cut -d: -f 1 $userfile | grep -wq $username
    if [ $? -eq 0 ]; then
        echo "User $username already exists." && exit
    fi
}

function check_username_notexist () {
    # Abort if the user does not exist
    cut -d: -f 1 $userfile | grep -wq $username
    if [ $? -ne 0 ]; then
        echo "User $username does not exist." && exit
    fi
}

function check_user_disabled () {
    # Abort if the user is already disabled (lock file present)
    lockfile=$homedir/$username/sftpuser.locked
    if [ -e "$lockfile" ]; then
        echo "User $username already disabled." && exit
    fi
}

function update_sshkey () {
    # Read the public key from standard input
    echo -n "Input sshkey: "
    read -r sshkey
    # Check that the key is not empty
    if [ -z "$sshkey" ]; then
        echo "Empty sshkey." && exit
    fi
    # Check that the key starts with a supported key type
    echo "$sshkey" | grep -Ewq '^ssh-rsa|^ssh-dss'
    if [ $? -ne 0 ]; then
        echo "String \"ssh-rsa\" or \"ssh-dss\" not found." && exit
    fi
    # Install it as the only authorized key, readable by the user alone
    mkdir -p $homedir/$username/.ssh
    chmod 700 $homedir/$username/.ssh
    echo "$sshkey" > $homedir/$username/.ssh/authorized_keys
    chmod 600 $homedir/$username/.ssh/authorized_keys
    chown -R $username:$groupname $homedir/$username/.ssh
}


if [ $# -ne 2 ]; then
    print_help
fi

check_root
check_usergroup
check_homedir

case "$1" in
    'create')
        check_username_exist
        useradd -m -d "$homedir/$username" -g $groupname -s $loginshell -c "$username sftp" $username
        # The chroot directory must be root-owned and not group/other writable
        chmod 755 $homedir/$username
        chown root:root $homedir/$username
        if [ $? -eq 0 ]; then
            echo "User $username was created."
        fi
        ;;

    'disable')
        check_username_notexist
        passwd -l $username
        touch $homedir/$username/sftpuser.locked
        authfile=$homedir/$username/.ssh/authorized_keys
        if [ -e "$authfile" ]; then
            mv $authfile $authfile.disabled
        fi
        if [ $? -eq 0 ]; then
            echo "User $username was disabled."
        fi
        ;;

    'enable')
        check_username_notexist
        passwd -u $username
        rm -f $homedir/$username/sftpuser.locked
        authfile=$homedir/$username/.ssh/authorized_keys
        if [ -e "$authfile.disabled" ]; then
            mv $authfile.disabled $authfile
        fi
        if [ $? -eq 0 ]; then
            echo "User $username was enabled."
        fi
        ;;

    'delete')
        check_username_notexist
        echo -n "Delete all the data and account of user $username? [yes|no] "
        read -r yesorno
        if [ "$yesorno" = "yes" ]; then
            userdel -rf $username
            if [ $? -eq 0 ]; then
                echo "User $username was deleted."
            fi
        fi
        ;;

    'passwd')
        check_username_notexist
        check_user_disabled
        passwd $username
        ;;

    'sshkey')
        check_username_notexist
        check_user_disabled
        update_sshkey
        if [ $? -eq 0 ]; then
            echo "The sshkey of user $username was updated."
        fi
        ;;

    *)
        print_help
        ;;
esac

$ sudo chmod +x sftpusers.sh
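The weakest point of the script is update_sshkey: whatever the operator pastes is written to authorized_keys verbatim as long as it begins with ssh-rsa or ssh-dss. The functions below are an added example, not part of the original script. validate_pubkey accepts a "type base64 [comment]" line only if the type is on an allowlist, the body is strict base64, and the decoded blob really starts with that type name (the SSH wire format stores it as a length-prefixed string), which also rejects lines that smuggle options such as command= in front of the key. restricted_line then prefixes the authorized_keys options that disable port forwarding, X11 forwarding, agent forwarding and PTY allocation, so the key cannot be used to tunnel traffic through the server even if the Match block is later loosened. The key-type allowlist, the option set and the sample key (a constructed ssh-ed25519 blob whose 32 key bytes are all zero) are my choices; the code assumes GNU coreutils base64, od and seq.

```shell
#!/bin/bash
# Added example (not from the original post): strict validation of a customer's
# public key before it is written to authorized_keys, plus a builder for the
# restricted authorized_keys entry. Assumes GNU coreutils (base64, od, seq).

# Key types this deployment accepts (my choice; ssh-dss deliberately excluded).
ALLOWED_KEY_TYPES='ssh-rsa ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521'
# Options prepended to every key: no tunnelling, no agent, no terminal.
KEY_OPTIONS='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'

# Constructed sample for testing, not a real key: a well-formed ssh-ed25519 blob
# (uint32 length 11, "ssh-ed25519", uint32 length 32, then 32 zero key bytes),
# which base64-encodes to "AAAAC3NzaC1lZDI1NTE5AAAAI" followed by 43 'A's.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI$(printf 'A%.0s' $(seq 1 43)) customer@example"

hex_of() {
    # Hex-encode stdin as one lowercase string with no separators
    od -An -tx1 -v | tr -d ' \n'
}

validate_pubkey() {
    # $1: one "<type> <base64> [comment]" line. Returns 0 only if it is safe to install.
    # read takes the first line only, so a pasted second entry is dropped, not installed.
    local ktype body rest t found expect blob
    found=0
    read -r ktype body rest <<EOF
$1
EOF
    [ -n "$ktype" ] && [ -n "$body" ] || return 1
    # 1. First field must be an allowed key type. This also rejects lines that
    #    start with options such as command= or environment=.
    for t in $ALLOWED_KEY_TYPES; do
        [ "$t" = "$ktype" ] && found=1
    done
    [ "$found" -eq 1 ] || return 1
    # 2. Second field must be strict base64.
    printf '%s' "$body" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
    # 3. The decoded blob must start with uint32(len(type)) followed by the type
    #    name, as the SSH wire format requires; this catches a body that does
    #    not belong to the declared type. A blob that fails to decode is empty
    #    and therefore also rejected.
    expect=$(printf '%08x' "${#ktype}")$(printf '%s' "$ktype" | hex_of)
    blob=$(printf '%s' "$body" | base64 -d 2>/dev/null | hex_of)
    case $blob in
        "$expect"*) return 0 ;;
        *) return 1 ;;
    esac
}

restricted_line() {
    # $1: a public-key line. Prints the authorized_keys entry to install, or fails.
    local ktype body rest
    validate_pubkey "$1" || return 1
    read -r ktype body rest <<EOF
$1
EOF
    printf '%s %s %s%s\n' "$KEY_OPTIONS" "$ktype" "$body" "${rest:+ $rest}"
}

# Usage: ./keycheck.sh "$(cat customer.pub)"   (prints the entry, or exits 1)
if [ $# -gt 0 ]; then
    restricted_line "$1"
fi
```

Dropping ssh-dss is deliberate: OpenSSH stopped accepting DSA keys by default in version 7.0, so installing one only produces a customer who cannot log in. The same restrictions can be applied server-side inside the Match Group sftpusers block with AllowTcpForwarding no and X11Forwarding no; carrying them on the key as well keeps the protection if sshd_config is edited later.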

3. Create SFTP users and test

$ ./sftpusers.sh

Usage: ./sftpusers.sh {create|disable|enable|passwd|sshkey|delete} {username}

Create a user


$ ./sftpusers.sh create facebook

This script must be run as root

$ sudo ./sftpusers.sh create facebook

User facebook was created.

$ id facebook

uid=504(facebook) gid=503(sftpusers) groups=503(sftpusers)

$ grep facebook /etc/passwd

facebook:x:504:503:facebook sftp:/home/sftp/facebook:/sbin/nologin

Disable user

$ sudo ./sftpusers.sh disable facebook

Locking password for user facebook.
passwd: Success
User facebook was disabled.


Modify User Key


$ sudo ./sftpusers.sh sshkey facebook

User facebook already disabled.


$ sudo ./sftpusers.sh enable facebook

Unlocking password for user facebook.
User facebook was enabled.


$ sudo ./sftpusers.sh sshkey facebook

Input sshkey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA7g/9+vddcvzhpebslonr3fcour0zlykbcmg7n facebook@us
The sshkey of user facebook was updated.

$ sudo ls -l /home/sftp/facebook/.ssh/authorized_keys

-rw------- 1 facebook sftpusers 397 Sep  5 19:40 /home/sftp/facebook/.ssh/authorized_keys

Connect SFTP


$ sftp facebook@sftpserver

Connecting to sftpserver...
sftp> ls -a
.              ..             .bash_logout   .bash_profile  .bashrc        .ssh
sftp> cd .ssh
sftp> ls
authorized_keys
sftp> exit

Delete User


$ sudo ./sftpusers.sh delete facebook

Delete all the data and account of user facebook? [yes|no] yes
User facebook was deleted.

$ sudo ./sftpusers.sh delete facebook

User facebook does not exist.

$ id facebook

id: facebook: No such user
