stupid internal script i use on certain machines to provision them more quickly to my liking (securely-configured sftp for `~/Pictures/Screenshots` dir only)
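#!/bin/bash
#######################################
# Ask for a value on stdin, with a default.
# Arguments: $1 - prompt text, $2 - default used when the reply is empty
# Outputs:   the reply (or the default) on stdout, one line
# Returns:   0
# The reply is read with -r so backslashes survive untouched. An empty reply
# with an empty default yields an empty line: nothing loops any more, which is
# what callers that say "leave blank to skip" need (the old loop made a blank
# answer impossible). On EOF read fails but may have filled a partial line; we
# still fall back to the default instead of spinning forever.
#######################################
ask() {
  local prompt="$1" default="$2" reply
  # bash shows the -p prompt only when stdin is a terminal; piped input still works
  read -r -p "$prompt [$default]: " reply
  printf '%s\n' "${reply:-$default}"
}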
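# defaults
default_sftp_user="$(whoami)-sftp"
default_sftp_group="$(whoami)-sftpusers"
default_sftp_directory="$HOME/Pictures/Screenshots"
default_main_user="$(whoami)"
# asks (defaults are quoted: $HOME may contain spaces)
sftp_user=$(ask "Enter the SFTP user name (default: $default_sftp_user)" "$default_sftp_user")
sftp_group=$(ask "Enter the SFTP group name (default: $default_sftp_group)" "$default_sftp_group")
sftp_directory=$(ask "Enter the directory for screenshots (default: $default_sftp_directory)" "$default_sftp_directory")
main_user=$(ask "Enter your main user name (default: $default_main_user)" "$default_main_user")
client_ssh_key=$(ask "Enter the SSH key of the client (leave blank if you want to skip this bit)" "")
# These names end up as useradd/groupadd arguments, as sshd_config tokens and as
# awk values, so only allow the characters a unix account name may carry
# (letters, digits, '_', '.', '-'); anything else is rejected before touching the system.
for name in "$sftp_user" "$sftp_group" "$main_user"; do
  if ! [[ "$name" =~ ^[A-Za-z_][A-Za-z0-9_.-]*$ ]]; then
    printf 'invalid user/group name: %s\n' "$name" >&2
    exit 1
  fi
done
# ChrootDirectory needs an absolute path
if [[ "$sftp_directory" != /* ]]; then
  printf 'directory must be an absolute path: %s\n' "$sftp_directory" >&2
  exit 1
fi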
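# create sftp user (no shell: the account is for sftp only)
sftp_home="/home/$sftp_user"
sudo useradd -m -d "$sftp_home" -s /bin/false "$sftp_user"
sudo mkdir -p "$sftp_home/.ssh"
sudo chmod 700 "$sftp_home/.ssh"
# add keys w/ restrictions if specified
if [ -n "$client_ssh_key" ]; then
  # printf instead of echo so the key text is written verbatim, whatever it starts with
  printf '%s %s\n' 'command="internal-sftp",no-agent-forwarding,no-X11-forwarding,no-port-forwarding' "$client_ssh_key" \
    | sudo tee "$sftp_home/.ssh/authorized_keys" > /dev/null
  sudo chmod 600 "$sftp_home/.ssh/authorized_keys"
fi
# .ssh belongs to the account whether or not a key was installed just now
sudo chown -R "$sftp_user:$sftp_user" "$sftp_home/.ssh"
# create group
sudo groupadd "$sftp_group"
sudo usermod -a -G "$sftp_group" "$sftp_user"
sudo usermod -a -G "$sftp_group" "$main_user"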
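# set perms on sftp directory
# NOTE(review): sshd only chroots into a directory that is root-owned and not
# group/world-writable, and it applies the same check to every path component.
# Mode 770 here, plus a user-owned $HOME above it, is expected to make sshd
# refuse the login ("bad ownership or modes for chroot directory"). Confirm in
# the sshd log; the usual fix is a root-owned 755 chroot with a writable subdir.
sudo chown "root:$sftp_group" "$sftp_directory"
sudo chmod 770 "$sftp_directory"
# insurance policy incase i'm not as good at text manipulation as i thought
sshd_config="/etc/ssh/sshd_config"
sshd_config_bak="${sshd_config}.bak"
sudo cp "$sshd_config" "$sshd_config_bak"
# "scalpel..."
# sshd accepts exactly one "Subsystem sftp" line and none inside a Match block.
# So: replace an existing one (e.g. the distro's sftp-server) in place, otherwise
# insert ours before the first Match line, or at the end when there is none.
# Blindly appending a second line would stop sshd from starting.
# The new text goes to a temp file first so an awk failure never truncates the config.
tmp=$(mktemp) || exit 1
sudo awk '
  function emit() { if (!done) { print "Subsystem sftp internal-sftp"; done = 1 } }
  $1 == "Subsystem" && $2 == "sftp" { emit(); next }
  $1 == "Match" { emit() }
  { print }
  END { emit() }
' "$sshd_config" > "$tmp" && sudo tee "$sshd_config" < "$tmp" > /dev/null
rm -f -- "$tmp"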
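# this is one way of jailing the user
# Match User, not Match Group: $main_user is a member of $sftp_group as well, and
# a group match would chroot + force internal-sftp on the main user's own logins.
match_block="Match User $sftp_user
ChrootDirectory $sftp_directory
ForceCommand internal-sftp
AllowTCPForwarding no
X11Forwarding no
PermitTunnel no"
# insert/update match block: drop whatever this script wrote on an earlier run
# (the current "Match User" form or the older "Match Group" form), then append
# the fresh block at the end, where Match blocks have to live. The names are
# passed with -v and compared as whole tokens, so they never become part of a
# regex and "Match Group foo" can no longer swallow "Match Group foo-bar".
# (awk -v interprets backslashes in the value; the directory path is assumed to have none.)
tmp=$(mktemp) || exit 1
sudo awk -v usr="$sftp_user" -v grp="$sftp_group" -v blk="$match_block" '
  $1 == "Match" { skip = (($2 == "User" && $3 == usr) || ($2 == "Group" && $3 == grp)) }
  !skip
  END { print blk }
' "$sshd_config" > "$tmp" && sudo tee "$sshd_config" < "$tmp" > /dev/null
rm -f -- "$tmp"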
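read -r -p "Would you like to restart sshd now? [y/N]: " restart_sshd
init_system=""
# the restart command is kept as an array so it can be run without eval
restart_command=()
# detecting the init system by looking the tool up on PATH rather than at a fixed location
if command -v systemctl >/dev/null 2>&1; then
  init_system="systemd"
  restart_command=(sudo systemctl restart sshd)
elif command -v initctl >/dev/null 2>&1; then
  init_system="upstart"
  restart_command=(sudo initctl restart ssh)
elif command -v rc-service >/dev/null 2>&1; then
  init_system="openrc"
  restart_command=(sudo rc-service sshd restart)
elif command -v service >/dev/null 2>&1; then
  init_system="sysvinit"
  restart_command=(sudo service sshd restart)
elif command -v sv >/dev/null 2>&1; then
  init_system="runit"
  restart_command=(sudo sv restart sshd)
else
  # we'll be frank with the user because that's the only way to be sometimes
  echo "Init system not identified. You will need to restart the SSH service manually."
fi
# restart sshd based on user input and init system
if [[ "$restart_sshd" =~ ^[Yy]$ ]]; then
  if [ "${#restart_command[@]}" -eq 0 ]; then
    echo "Unable to restart SSH service automatically. My bad, got your hopes up and everything."
    # lol
  else
    # never restart onto a config the daemon will reject: that locks us out of the box.
    # sshd usually lives in a sbin dir outside the user's PATH, so resolve it as root.
    sshd_bin=$(sudo sh -c 'command -v sshd' 2>/dev/null || true)
    if [ -n "$sshd_bin" ] && ! sudo "$sshd_bin" -t; then
      echo "sshd -t rejected $sshd_config; not restarting. Fix it (or restore $sshd_config_bak) and restart manually." >&2
    elif ! "${restart_command[@]}" && [ "$init_system" = "systemd" ]; then
      # Debian-derived systems name the unit "ssh"; fall back to that
      sudo systemctl restart ssh
    fi
  fi
else
  if [ "${#restart_command[@]}" -ne 0 ]; then
    echo "You chose not to restart SSHD now. Cool, but you'll need to restart it manually later unless you know something I don't."
  fi
fi
echo "SFTP user setup complete. User: $sftp_user, Directory: $sftp_directory"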