diff --git a/shell/sftp.sh b/shell/sftp.sh
new file mode 100644
index 0000000..5fc132f
--- /dev/null
+++ b/shell/sftp.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+## sftp开账号 限制主目录脚本
+
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
+export PATH
+
+if [ $(whoami) != "root" ]; then
+ echo "***********************************************************************"
+ echo "Error: You must be root to run this script, please use root to run"
+ echo " **********************************************************************"
+ exit 1
+fi
+
+GROUPNAME="sftpchroot"
+echo "***********************************************************************"
+echo "The GroupName will chrootsftp into : [$GROUPNAME]. You can change it"
+echo "***********************************************************************"
+
+if [ "$GROUPNAME" = `cat /etc/group | grep "$GROUPNAME" | awk -F: '{print $1}'` ]; then
+ echo "******************************************"
+ echo "The GroupName: $GROUPNAME exist already!"
+ echo "******************************************"
+ echo "The next will add user into $GROUPNAME!"
+ echo "******************************************"
+else
+ groupadd $GROUPNAME
+ echo "**********************************************"
+ echo "This group [ $GROUPNAME ] add successfully!"
+ echo "**********************************************"
+ sed -i 's/Subsystem\tsftp\t\/usr\/libexec\/sftp-server/Subsystem\tsftp\tinternal-sftp/g' /etc/ssh/sshd_config
+ echo "Match Group $GROUPNAME" >> /etc/ssh/sshd_config
+ echo "ChrootDirectory %h" >> /etc/ssh/sshd_config
+ echo "ForceCommand internal-sftp" >> /etc/ssh/sshd_config
+ /etc/init.d/sshd condrestart
+fi
+
+read -p "(Please input the UserName which into $GROUPNAME to be chrooted):" user
+if [ "$user" = "" ]; then
+ echo "*****************************************************************"
+ echo "You must input UserName which will into $GROUPNAME to be chrooted!"
+ echo "*****************************************************************"
+ exit 2
+fi
+
+if [ ! -e /home/$user ]; then
+ echo "***************************"
+ echo "username=$user"
+ echo "***************************"
+ useradd -G $GROUPNAME $user
+ chown root:$user /home/$user
+ chmod 755 /home/$user
+ mkdir /home/$user/.ssh
+ chown $user:$user /home/$user/.ssh
+ chmod 700 /home/$user/.ssh
+ touch /home/$user/.ssh/authorized_keys
+ chown $user:$user /home/$user/.ssh/authorized_keys
+ chmod 600 /home/$user/.ssh/authorized_keys
+ echo "***************************"
+ echo Please set passwd for $
+ echo "***************************"
+ passwd $user
+else
+ echo "***************************"
+ echo "$user is exist already!"
+ echo "***************************"
+ read -p "Are you sure to chroot $user to $GROUPNAME ? [y or n]" y_or_n
+ if [ "$y_or_n" == 'y' ]; then
+ usermod -G $GROUPNAME $user
+ chown root:$user /home/$user
+ chmod 755 /home/$user
+ if [ ! -e /home/$user/.ssh ]; then
+ mkdir /home/$user/.ssh
+ fi
+ chown $user:$user /home/$user/.ssh
+ chmod 700 /home/$user/.ssh
+ if [ ! -f /home/$user/.ssh/authorized_keys ]; then
+ touch /home/$user/.ssh/authorized_keys
+ fi
+ chown $user:$user /home/$user/.ssh/authorized_keys
+ chmod 600 /home/$user/.ssh/authorized_keys
+ fi
+fi
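Review bot: The `user` value taken by `read -p` is used unvalidated and unquoted in every `useradd`, `usermod`, `chown`, `chmod` and `/home/$user` path that follows, so a name containing whitespace, a leading `-` or `../` is word-split into extra arguments or escapes `/home`; reject anything outside the login-name charset before its first use, e.g. `case "$user" in ''|-*|*[!a-zA-Z0-9_.-]*) echo "invalid user name" >&2; exit 2 ;; esac`, and quote `"$user"` throughout. In the existing-user branch `usermod -G $GROUPNAME $user` replaces the account's entire supplementary group list instead of extending it; `usermod -aG "$GROUPNAME" "$user"` appears to be what is intended. The group-exists test greps `/etc/group` unanchored (any group whose name merely contains the string matches) and, when nothing matches, the comparison collapses to `[ sftpchroot = ]`, which seems to reach the `else` branch only because `test` reports a syntax error; `getent group "$GROUPNAME" >/dev/null` is the reliable check. Because the new-group branch appends a `Match Group` block to `/etc/ssh/sshd_config` and restarts sshd at once, running `sshd -t` before `/etc/init.d/sshd condrestart` would avoid losing remote access on a rejected config, and `echo Please set passwd for $` looks to have lost its `user` suffix.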