Creates a chrooted user with real scp and ssh access on an Amazon Linux EC2 instance
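#!/bin/bash
#
# This script creates a chrooted user, scp enabled, on an Amazon Linux aws instance
#
# 2017-10-05
#
# Must be run as root.  Steps:
#   1. create the "sftp" group and the user (default home /home/<user>);
#   2. enable PasswordAuthentication in /etc/ssh/sshd_config and replace the
#      sftp subsystem with internal-sftp plus a "Match Group sftp" block that
#      chroots group members into their home directory;
#   3. build a minimal chroot under /home/<user> holding bash, ls, scp,
#      sftp-server and the shared libraries they link against;
#   4. validate the new sshd_config (sshd -t) and restart sshd LAST, so the
#      account is never reachable while the chroot is half built.
#
# A copy of the untouched sshd_config is kept at
# /etc/ssh/sshd_config.before_chroot.  The /dev/pts bind mount is not
# persistent: repeat it (or add it to /etc/fstab) after a reboot.
set -euo pipefail

# change username and password here, or override them via the environment
# (CHROOT_USERNAME / CHROOT_PASSWORD) so the secret does not live in this file.
# NOTE(review): the default password below is a placeholder and should be
# replaced before the script is run on a reachable host.
username="${CHROOT_USERNAME:-abc}"
password="${CHROOT_PASSWORD:-123456}"

readonly sshd_config=/etc/ssh/sshd_config
# assumes useradd -m placed the home directory under /home (default layout)
readonly chroot_dir="/home/$username"

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Create the sftp group and the user, then set the password.
# Globals:   username, password (read)
# Idempotent: an existing group/user is reused, the password is (re)set.
#######################################
create_user() {
  # create groups
  getent group sftp >/dev/null || groupadd sftp
  # create chrooted user
  if id -u "$username" >/dev/null 2>&1; then
    printf 'user %s already exists, reusing it\n' "$username" >&2
  else
    useradd -m -G sftp "$username"
  fi
  # chpasswd reads "user:password" from stdin, so the secret never shows up
  # in argv / ps output
  printf '%s:%s\n' "$username" "$password" | chpasswd
}

#######################################
# Edit sshd_config for password login + chrooted internal-sftp.
# Globals:   sshd_config (read/written)
# Side effects: backup written to ${sshd_config}.before_chroot; the original
#   is restored and the script aborts if the result fails `sshd -t`.
#######################################
configure_sshd() {
  if grep -q '^Match Group sftp' "$sshd_config"; then
    printf 'sshd_config already contains the sftp chroot block, skipping\n' >&2
    return 0
  fi
  cp -- "$sshd_config" "$sshd_config.before_chroot"
  # enable password authentication in sshd
  sed -i -e 's/PasswordAuthentication no/PasswordAuthentication yes/' "$sshd_config"
  # disable default sftp subsystem configuration in sshd
  sed -i -e '/Subsystem sftp/ s/^#*/#/' "$sshd_config"
  # add sftp subsystem configuration to sshd.  A Match block applies to every
  # directive that follows it, so this must stay at the very end of the file.
  cat >>"$sshd_config" <<'EOF'
Subsystem sftp internal-sftp
Match Group sftp
 ChrootDirectory %h
 AllowTcpForwarding no
EOF
  # a broken sshd_config would lock us out of the instance on restart:
  # validate first and roll back on failure
  if ! /usr/sbin/sshd -t -f "$sshd_config"; then
    cp -- "$sshd_config.before_chroot" "$sshd_config"
    die "new sshd_config failed validation; original restored"
  fi
}

#######################################
# Create the chrooted directory structure.
# Globals:   chroot_dir (read)
#######################################
make_dirs() {
  # lib64 and usr/lib64 are created explicitly: the original relied on
  # cp --parents having happened to create them before plain cp used them
  mkdir -p "$chroot_dir"/{bin,dir,usr/bin,usr/libexec/openssh,lib,lib64,usr/lib64,etc,dev/pts}
}

#######################################
# Copy every shared object ldd reports for one file into the chroot,
# preserving the absolute path (cp --parents).
# Arguments: $1 - path of an executable or library
# Globals:   chroot_dir (read)
# Notes:     ldd errors (e.g. "not a dynamic executable") are ignored;
#            lines are parsed as "name => /path (addr)" or "/path (addr)",
#            so the dynamic loader itself is included as well.
#######################################
copy_deps() {
  local bin=$1 dep
  while IFS= read -r dep; do
    cp --parents -- "$dep" "$chroot_dir"
  done < <(ldd "$bin" 2>/dev/null \
    | awk '$2 == "=>" && $3 ~ /^\// { print $3; next } $1 ~ /^\// { print $1 }')
}

#######################################
# Copy libraries that ldd cannot report (NSS modules are loaded at run time,
# not linked) plus the extra libs the original script listed explicitly.
# Globals:   chroot_dir (read)
#######################################
copy_extra_libs() {
  local lib
  for lib in /usr/lib64/libnss3.so /usr/lib64/libtic.so.5 \
             /lib64/ld-linux-x86-64.so.2 /usr/lib64/libssl3.so; do
    if [[ -e "$lib" ]]; then
      cp -- "$lib" "$chroot_dir/lib64/"
    else
      printf 'warning: %s not found, skipped\n' "$lib" >&2
    fi
  done
  for lib in /lib64/libnss*; do
    if [[ -e "$lib" ]]; then cp -- "$lib" "$chroot_dir/lib64/"; fi
  done
  for lib in /usr/lib64/libnss*; do
    if [[ -e "$lib" ]]; then cp -- "$lib" "$chroot_dir/usr/lib64/"; fi
  done
}

#######################################
# Populate the chroot with the programs and all their dependencies.
# Globals:   chroot_dir (read)
#######################################
copy_binaries() {
  local bin f
  for bin in /bin/bash /bin/ls /usr/bin/scp /usr/libexec/openssh/sftp-server; do
    cp --parents -- "$bin" "$chroot_dir"
    copy_deps "$bin"
  done
  copy_extra_libs
  # second pass over everything now inside the chroot, so that the copied
  # libraries' own dependencies are pulled in too.  The original ran
  # `find .` in whatever directory the script was started from.
  while IFS= read -r -d '' f; do
    copy_deps "$f"
  done < <(find "$chroot_dir" -type f -print0)
  # NOTE(review): this exposes the full account list inside the chroot;
  # a trimmed passwd/group containing only the needed entries is safer.
  cp -vf /etc/{passwd,group} "$chroot_dir/etc/"
  cp -r /etc/ld.so* "$chroot_dir/etc/"
}

#######################################
# Create the device nodes and bind-mount /dev/pts into the chroot.
# Globals:   chroot_dir (read)
# Notes:     the bind mount does not survive a reboot.
#######################################
make_devices() {
  local spec name major minor
  # create non-files (name major minor), mode 666 as in the original
  for spec in 'null 1 3' 'tty 5 0' 'zero 1 5' 'random 1 8'; do
    read -r name major minor <<<"$spec"
    if [[ ! -e "$chroot_dir/dev/$name" ]]; then
      mknod -m 666 "$chroot_dir/dev/$name" c "$major" "$minor"
    fi
  done
  if ! mountpoint -q "$chroot_dir/dev/pts"; then
    mount --bind /dev/pts "$chroot_dir/dev/pts"
  fi
}

#######################################
# Get the directory permissions right.
# Globals:   username, chroot_dir (read)
#######################################
fix_perms() {
  chown -R "$username:$username" "$chroot_dir"
  chmod 0755 "$chroot_dir/bin"
  # 0644 rather than the original 0666: the user owns .bashrc and nobody
  # else needs write access to a shell start-up file
  if [[ -f "$chroot_dir/.bashrc" ]]; then
    chmod 0644 "$chroot_dir/.bashrc"
  fi
  # sshd only accepts a ChrootDirectory that is root-owned and not writable
  # by group/others
  chown root:root "$chroot_dir"
  chmod 0755 "$chroot_dir"
}

main() {
  [[ $EUID -eq 0 ]] || die "this script must be run as root"
  create_user
  configure_sshd
  make_dirs
  copy_binaries
  make_devices
  fix_perms
  # restart ssh service only now, once the chroot is complete and validated
  /etc/init.d/sshd restart
}

main "$@"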