@werdan
Created March 27, 2013 16:12
#################################
# Recipe that creates chrooted accounts for SFTP access.
# It should be installed by adding the corresponding role "has_sftp_user";
# if you need to install it as a separate recipe, make sure the SSH server accepts password logins.
#
# Once installed, add a section at the node's root attribute level, like this:
#
# "ssh":{"chroots":{"import_csv":{"password":"$1$vtmvimM9$S5btvNNycEWa3KQAa.LqL1","folders":{"/var/www/shared/var":"upload"}}}}
#
# where "folders" is a hash of folders to expose inside the chroot of user import_csv:
# each key is a source folder, each value is the destination folder (relative to the user's home).
#
# The password is managed in hashed form.
# You can create a password hash with the command:
# echo "theplaintextpassword" | makepasswd --clearfrom=- --crypt-md5 | awk '{ print $2 }'
#
# If you don't have makepasswd installed, run:
#
# sudo apt-get install makepasswd
#
# Example of node attributes with multiple users and multiple folders:
# "ssh":{"chroots":{
# "import_csv":{"password":"$1$AUR7lpRA$.7tM6s5dlrOXZvbSXOD9x0","folders":{"/var/www/shared/var/import":"upload", "/var/www/shared/var/export":"download"}},
# "import_img":{"password":"$1$AUR7lpRA$.7tM6s5dlrOXZvbSXOD9x0","folders":{"/var/www/shared/media/import":"upload"}}
# }}
#
# Don't forget to enable password authentication in SSH.
# Use the has_sftp_users role.
#
service "ssh"

if node[:ssh]['chroots'] != nil
  # ruby-shadow is a native gem, so a compiler toolchain is needed to build it
  case node['platform']
  when "centos", "redhat", "fedora"
    pkgs = ["gcc", "gcc-c++", "kernel-devel"]
    pkgs.each do |pkg|
      package pkg do
        action :install
      end
    end
  when "debian", "ubuntu"
    package "build-essential" do
      action :install
    end
  end

  # The user resource needs ruby-shadow to set the hashed password
  gem_package "ruby-shadow"

  ruby_block "require shadow library" do
    block do
      Gem.clear_paths # <-- Necessary to ensure that the new library is found
      require 'shadow' # <-- gem is 'ruby-shadow', but library is 'shadow'
    end
  end

  group "sftp" do
  end

  ssh_config "Subsystem sftp" do
    string "Subsystem sftp internal-sftp"
  end

  # Members of the sftp group are confined to their home directory and get no shell, X11 or TCP forwarding
  ssh_config "Match group sftp" do
    string "Match group sftp\\n X11Forwarding no\\n ChrootDirectory %h\\n AllowTcpForwarding no\\n ForceCommand internal-sftp\\n"
    action :add_multiline
  end

  node[:ssh]['chroots'].each do |userName, userInfo|
    user "#{userName}" do
      shell "/bin/false"
      gid "sftp"
      password "#{userInfo['password']}"
      home "/home/#{userName}"
    end

    ## Actually there is a supports option, which should create the home folder. But it has a bug in the current version,
    ## so the folder has to be created manually.
    ## sshd refuses a ChrootDirectory unless every component of its path is owned by root and not writable by group
    ## or others, which is why the home is root:root 0755 rather than owned by the SFTP user.
    directory "/home/#{userName}" do
      owner "root"
      group "root"
      mode "0755"
    end

    group "sftp" do
      action :modify
      members "#{userName}"
      append true
    end

    # Expose each source folder inside the chroot with a bind mount
    userInfo['folders'].each do |source, destination|
      if File.exist?("#{source}")
        # Mount point inside the chroot; once the bind mount is active the source folder's ownership and mode apply
        directory "/home/#{userName}/#{destination}" do
          owner "root"
          group "root"
          mode "0777"
          action :create
        end

        mount "/home/#{userName}/#{destination}" do
          device "#{source}"
          action [:mount, :enable]
          options "rw,bind"
        end
      else
        # Stop the Chef run rather than leave a half-configured chroot behind
        abort("Folder #{source} does not exist - can not mount it to chrooted home of user #{userName}")
      end
    end
  end

  case node['platform']
  when "redhat","centos","scientific","fedora","suse","amazon"
    service "sshd" do
      action :restart
    end
  when "debian","ubuntu"
    service "ssh" do
      action :restart
    end
  end
end
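Added example, not part of the gist: a plain-Ruby validator for the "ssh" / "chroots" attribute hash the header documents, runnable outside Chef. The names validate_chroots, safe_destination?, chroot_home_ok? and ChrootAttrError are my own. It checks what the recipe assumes but never verifies: the password is already a crypt(3) hash rather than plaintext, each source is an absolute path, each destination is a single path component (the recipe interpolates it straight into /home/<user>/<destination>), and the chroot home is root-owned and not group/world-writable as sshd requires for ChrootDirectory.

```ruby
# Added example, not part of the gist. Validates the "ssh" => "chroots" attribute
# layout the recipe header documents before anything is created. All names here
# are my own (hypothetical), not a Chef or cookbook API.
class ChrootAttrError < StandardError; end

# Hashed passwords as produced by makepasswd/crypt(3): $1$ (md5), $5$ (sha256), $6$ (sha512).
# A plaintext value here would be written into /etc/shadow as-is and could never match a login.
CRYPT_HASH = /\A\$(1|5|6)\$[A-Za-z0-9.\/]{1,16}\$[A-Za-z0-9.\/]+\z/

# The recipe builds "/home/#{user}/#{destination}", so the destination must be a
# single relative path component: no slashes, no "." or "..", nothing empty.
def safe_destination?(dest)
  dest.is_a?(String) && dest.match?(/\A[A-Za-z0-9._-]+\z/) && !['.', '..'].include?(dest)
end

# sshd requires the ChrootDirectory (and every parent) to be owned by root and
# not writable by group or others; the recipe creates the home as root:root 0755.
# `stat` is anything responding to uid and mode, e.g. File.stat("/home/import_csv").
def chroot_home_ok?(stat)
  stat.uid == 0 && (stat.mode & 0o022) == 0
end

# Returns true, or raises ChrootAttrError naming the first offending entry.
def validate_chroots(chroots)
  raise ChrootAttrError, 'chroots must be a Hash' unless chroots.is_a?(Hash)
  chroots.each do |user, info|
    unless user.to_s.match?(/\A[a-z_][a-z0-9_-]{0,31}\z/)
      raise ChrootAttrError, "invalid user name #{user.inspect}"
    end
    pw = info['password']
    unless pw.is_a?(String) && pw.match?(CRYPT_HASH)
      raise ChrootAttrError, "#{user}: password must be a crypt(3) hash, not plaintext"
    end
    folders = info['folders']
    unless folders.is_a?(Hash) && !folders.empty?
      raise ChrootAttrError, "#{user}: folders must be a non-empty Hash"
    end
    folders.each do |source, destination|
      unless source.to_s.start_with?('/')
        raise ChrootAttrError, "#{user}: source #{source.inspect} must be an absolute path"
      end
      unless safe_destination?(destination)
        raise ChrootAttrError, "#{user}: destination #{destination.inspect} must be one path component"
      end
    end
  end
  true
end
```

Calling validate_chroots(node['ssh']['chroots']) at the top of the recipe would fail the Chef run before any user, directory or mount resource is converged.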