LAB: create a chroot jail for ssh logins on CentOS 7, built on demand by the sshd AuthorizedKeysCommand hook (runs as root on every public-key authentication attempt)
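#!/bin/bash
# Build (once) a chroot jail for an ssh login and (re)sign a per-user ssh
# certificate with the local CA.  Invoked as root by the sshd
# AuthorizedKeysCommand wrapper with the login name as $1, so every path
# below is derived from caller-supplied input: validate it before use.
set -u
set -x
jailusr=${1:-}
# Accept only the portable login-name charset (what useradd accepts by
# default, optional trailing '$' for machine accounts) so "$jailusr" can
# never smuggle a path component or a glob into a root-owned path.
name_re='^[a-z_][a-z0-9_-]*\$?$'
if ! [[ "$jailusr" =~ $name_re ]]; then
  printf 'create_ssh_chroot_jail: invalid user name: %q\n' "$jailusr" >&2
  exit 1
fi
pfix=jail
jaildir=/home/${pfix}_${jailusr}
devdir=${jaildir}/dev
bindir=${jaildir}/bin
libdir=${jaildir}/lib64
etcdir=${jaildir}/etc
sshdir=${jaildir}/.ssh
CA=/root/ssh-ca
# CA key passphrase = first line of ${CA}/pw (a one-line file is assumed).
# 'read' keeps the value out of the xtrace output; PW=$(cat ...) would have
# echoed the secret into the trace.  A file without a trailing newline makes
# read return non-zero although PW is set, hence the second condition.
if ! IFS= read -r PW < "${CA}/pw" && [[ -z "$PW" ]]; then
  printf 'create_ssh_chroot_jail: cannot read CA passphrase from %s\n' "${CA}/pw" >&2
  exit 1
fi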
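#######################################
# Populate ${jaildir} on first use only.  An existing directory is treated
# as complete and left untouched, so OS updates to the copied binaries and
# libraries are NOT picked up until the jail is removed and rebuilt.
# Globals (read): jaildir devdir bindir libdir etcdir jailusr
# Returns: 0 when the jail exists or was built, non-zero on a failed step
#######################################
create_chroothome() {
  [[ -d "${jaildir}" ]] && return 0
  local bin lib

  # /dev: the minimum a shell and the ssh client need.
  mkdir -p "${devdir}"
  # Never fall through to mknod in whatever cwd sshd handed us.
  cd "${devdir}" || return 1
  mknod -m 666 null    c 1 3
  mknod -m 666 tty     c 5 0
  mknod -m 666 zero    c 1 5
  mknod -m 666 random  c 1 8
  # urandom is 1,9; the original 1,8 silently aliased the blocking /dev/random.
  mknod -m 666 urandom c 1 9
  # sshd refuses a ChrootDirectory that is not root-owned or is group/world
  # writable.
  chown root:root "${jaildir}"
  chmod 0755 "${jaildir}"

  # /bin + /lib64: the listed binaries plus every shared object ldd reports.
  mkdir -p "${bindir}" "${libdir}"
  local -a files=( /bin/bash /bin/ssh /bin/scp /bin/id /bin/ls )
  for bin in "${files[@]}"; do
    cp -v -- "$bin" "${bindir}/"
    # ldd prints "name => /path (addr)" or "/path (addr)"; keep only the
    # basename and take it from /lib64 (on CentOS 7 /lib64 -> /usr/lib64).
    # Word splitting of the substitution is intended here.
    # shellcheck disable=SC2046
    for lib in $(ldd "$bin" | grep / | sed 's/^.*\///; s/ .*$//'); do
      cp -v -- "/lib64/${lib}" "${libdir}/"
    done
  done
  # NSS modules are dlopen()ed, so ldd does not list them.
  cp -v -- /lib64/libnss* "${libdir}/"

  # /etc: the user's own passwd line (home rewritten to the jail root when it
  # lives under /home) and the group lines that name the user, matched on
  # whole fields rather than by substring so "bob" no longer pulls in
  # "bobby" or "root".  -v keeps the name out of the awk program text.
  mkdir -p "${etcdir}"
  awk -F: -v u="$jailusr" \
    'BEGIN { OFS = FS } $1 == u { if ($6 ~ /^\/home\//) $6 = "/"; print }' \
    /etc/passwd > "${etcdir}/passwd"
  awk -F: -v u="$jailusr" \
    '$1 == u || index("," $4 ",", "," u ",") > 0' \
    /etc/group > "${etcdir}/group"
  printf '%s\n' "PS1='JAIL $ '" 'PATH=/bin' > "${etcdir}/profile"
  cat > "${etcdir}/nsswitch.conf" <<'EOF'

passwd: files
group: files

EOF
  cat > "${etcdir}/hosts" <<'EOF'

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

EOF
  chmod 644 "${etcdir}"/*
}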
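#######################################
# Make sure the jailed user owns an RSA key pair at ${sshdir}/id_rsa.
# The key is created once, without a passphrase (-N ""), because nobody is
# there to type one when the hook runs; it is only as safe as the 0700
# .ssh directory inside the jail.
# Globals (read): sshdir jailusr
# Returns: exit status of the final chown
#######################################
create_sshkey() {
  mkdir -p "${sshdir}"
  if ! [[ -e "${sshdir}/id_rsa.pub" ]]; then
    ssh-keygen -N "" -C "${jailusr}@$(hostname -s)" -f "${sshdir}/id_rsa"
  fi
  chmod 700 "${sshdir}"
  # user:group, not the deprecated user.group spelling.
  chown -R "${jailusr}:${jailusr}" "${sshdir}"
}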
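#######################################
# Re-issue the user's certificate on every call: one day of validity, the
# login name as the only principal and as the key id.  The CA passphrase is
# passed on ssh-keygen's command line, so it is visible in `ps` for the
# duration of the call; xtrace is switched off around it so the secret does
# not additionally end up wherever stderr is collected.
# Globals (read): PW CA jailusr sshdir
# Returns: exit status of ssh-keygen
#######################################
sign_sshkey() {
  local had_xtrace=0 rc
  [[ $- == *x* ]] && had_xtrace=1
  set +x
  ssh-keygen -P "$PW" -s "${CA}/users_ca" -I "${jailusr}" -n "${jailusr}" \
    -V +1d "${sshdir}/id_rsa.pub"
  rc=$?
  if (( had_xtrace )); then
    set -x
  fi
  chown -R "${jailusr}:${jailusr}" "${sshdir}"
  return "$rc"
}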
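# Entry point: build the jail (first call only), then make sure the user has
# a key pair and a freshly signed certificate.  Stop at the first failing
# step so a half-built jail is never handed a certificate.
create_chroothome && create_sshkey && sign_sshkey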
CA_CERT_PASSPHRASE_GOES_HERE
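#!/bin/bash
# sshd AuthorizedKeysCommand wrapper (see the sshd_config snippet): runs as
# root with the login name sshd resolved as $1, on every public-key
# authentication attempt, successful or not.  sshd parses this command's
# stdout as authorized keys, so everything below is redirected into a log
# file on purpose: the hook contributes no keys, it only builds/refreshes
# the user's jail.  Note that `set -x` writes to stderr, which this
# redirect does not capture.
#
# The log records the login name and the full environment of the hook;
# create it root-only (umask only affects a log that does not exist yet).
umask 077
(
  printf '%s\n' "$*"
  echo
  env
  echo
  set
  set -x
  /sbin/create_ssh_chroot_jail.sh "$1"
) >> /var/log/akc.log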
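#!/bin/bash
# Diagnostic AuthorizedPrincipalsCommand wrapper: dumps its arguments and
# environment to a log and prints NOTHING to stdout.  Because sshd takes
# the allowed principals from stdout, enabling this command as-is would
# reject every certificate login; it exists only to see what sshd passes.
# Same logging hygiene as the akc wrapper: root-only log file.
umask 077
(
  printf '%s\n' "$*"
  echo
  env
  echo
  set
  set -x
) >> /var/log/apc.log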
# Run the jail-building wrapper on every public-key authentication attempt,
# with the login name as its only argument.  sshd parses the command's stdout
# as authorized keys (the wrapper logs it away instead, so it adds no keys)
# and only accepts a command file that is owned by root and not writable by
# group or others.
AuthorizedKeysCommand /usr/sbin/ssh_akc.sh %u
# Root is needed here because the script creates root-owned directories and
# device nodes; it also means any bug in the wrapper or jail script is
# reachable as root from a pubkey attempt.  A dedicated unprivileged user is
# the usual choice when the command only has to emit keys.
AuthorizedKeysCommandUser root
# Disabled on purpose: ssh_apc.sh prints no principals, so enabling it as-is
# would reject every certificate login.  The argument list exercises the
# tokens documented for AuthorizedPrincipalsCommand in sshd_config(5).
#AuthorizedPrincipalsCommand /usr/sbin/ssh_apc.sh "%u" "%F" "%f" "%K" "%k" "%h" "%i" "%s" "%T" "%t"
#AuthorizedPrincipalsCommandUser root
# Pattern list with negation: every user except root.  A Match block extends
# to the next Match or end of file, so keep this at the end of sshd_config.
Match User "!root,*"
# The jail root must be root-owned and not group/world writable (the jail
# script sets that).  If the directory does not exist yet, e.g. a password
# login, which never runs AuthorizedKeysCommand, sshd should refuse the
# session rather than fall back to an unjailed one.
ChrootDirectory /home/jail_%u