标签为 sftp 的文章

SFTP配置与用户管理脚本分享[原创]

公司需要建立一个FTP来管理客户的文件上传,为了安全性我们打算采用SFTP,并要求每个客户通过SSHKEY登陆。
或许你会说:“SFTP不需要配置啊,有SSH直接就可以用了”。的确,但是我们不希望用户能够通过SSH登陆到我们的服务器上,我们希望每个客户只能通过SFTP来管理自己的文件,同时我们还想统一的来管理所有客户的目录。有了这样的需求,默认的SSH配置就不能满足了。

下面,是SFTP的配置步骤,以及我编写的一个用户管理脚本:
1.修改SFTP相关配置
$ sudo vim /etc/ssh/sshd_config

# override default of no subsystems
#Subsystem	sftp	/usr/libexec/openssh/sftp-server
Subsystem	sftp	internal-sftp

Match Group sftpusers
        ChrootDirectory /home/sftp/%u
        ForceCommand internal-sftp

$ sudo /etc/init.d/sshd restart

2.创建用户管理脚本
$ sudo vim sftpusers.sh

#!/bin/bash
#
# Manage sftp users for customers
#  
# Author: Dong Guo
# Last Modified: 2013/09/06 by Dong Guo

userfile=/etc/passwd
groupfile=/etc/group
homedir=/home/sftp
loginshell=/sbin/nologin
groupname=sftpusers
username=$2

function check_root()
{
  if [ $EUID -ne 0 ]; then
    echo "This script must be run as root" 1>&2
    exit 1
  fi
}

function print_help(){
  #Print help messages then exit
  echo "Usage: $0 {create|disable|enable|passwd|sshkey|delete} {username}" >&2
  exit 1
}

function check_usergroup(){
  #Create usergroup if NOT exist
  cut -d : -f 1 $groupfile | grep -wq $groupname
  if [ $? -ne 0 ];then
    groupadd $groupname
  fi
}

function check_homedir(){
  #Create homedir if NOT exist
  if [ ! -d "$homedir" ];then
    mkdir $homedir
  fi
}

function check_username_exist(){
  #Check if user already exist
  cut -d : -f 1 $userfile | grep -wq $username
  if [ $? -eq 0 ];then
    echo "User $username ALREADY exist." && exit
  fi
}

function check_username_notexist() {
  #Check if user not exist
  cut -d : -f 1 $userfile | grep -wq $username
  if [ $? -ne 0 ];then
    echo "User $username NOT exist." && exit
  fi
}

function check_user_disabled(){
  #Check if user ALREADY disabled
  lockfile=$homedir/$username/sftpuser.locked
  if [ -a "$lockfile" ]; then
    echo "User $username ALREADY disabled." && exit
  fi
}

function update_sshkey(){
  #Get the sshkey
  echo -n "Input ssh public key: "
  read sshkey
  #Check if sshkey is empty
  if [ -z "$sshkey" ];then
    echo "Empty ssh public key." && exit
  fi
  #Check if sshkey not correct
  echo $sshkey | grep -Ewq '^ssh-rsa|^ssh-dss'
  if [ $? -ne 0 ];then
    echo "String \"ssh-rsa\" or \"ssh-dss\" NOT found." && exit
  fi
  mkdir $homedir/$username/.ssh
  chmod 700 $homedir/$username/.ssh
  echo "$sshkey" > $homedir/$username/.ssh/authorized_keys
  chmod 600 $homedir/$username/.ssh/authorized_keys
  chown -R $username:$groupname $homedir/$username/.ssh
}


if [ $# != 2 ];then
  print_help
fi

check_root
check_usergroup
check_homedir

case "$1" in
  'create')
    check_username_exist
    useradd -m -d "$homedir/$username" -g $groupname -s $loginshell -c "$username sftp" $username
    chmod 755 $homedir/$username
    chown $username:$groupname $homedir/$username
    if [ $? -eq 0 ]; then
      echo "User $username was created."
    fi
    ;;
   
  'disable')
    check_username_notexist
    passwd -l $username
    touch $homedir/$username/sftpuser.locked
    authfile=$homedir/$username/.ssh/authorized_keys
    if [ -a "$authfile" ]; then
      mv $authfile $authfile.disabled
    fi
    if [ $? -eq 0 ]; then
      echo "User $username was disabled."
    fi
    ;;
  
  'enable')
    check_username_notexist
    passwd -u $username
    rm -f $homedir/$username/sftpuser.locked
    authfile=$homedir/$username/.ssh/authorized_keys
    if [ -a "$authfile.disabled" ]; then
      mv $authfile.disabled $authfile
    fi
    if [ $? -eq 0 ]; then
      echo "User $username was enabled."
    fi
    ;;
   
  'delete')
    check_username_notexist
    echo -n "Delete all the data and account of user $username? [yes|no] "
    read yesorno
    if [ "$yesorno" == "yes" ];then
      userdel -rf $username
      if [ $? -eq 0 ]; then
        echo "User $username was deleted."
      fi
    fi
    ;;

  'passwd')
    check_username_notexist
    check_user_disabled
    passwd $username
    ;;
   
  'sshkey')
    check_username_notexist
    check_user_disabled
    update_sshkey
    if [ $? -eq 0 ]; then
      echo "The sshkey of user $username was updated."
    fi
    ;;
       
  *)
    print_help
    ;;
esac

$ sudo chmod +x sftpusers.sh

3.创建SFTP用户并测试
$ ./sftpusers.sh

Usage: ./sftpusers.sh {create|disable|enable|passwd|sshkey|delete} {username}

阅读全文 »

2 Comments