#################################
# Recipe that creates chrooted accounts for SFTP access.
# It should be installed by adding the corresponding role "has_sftp_user";
# if it must be installed as a separate recipe, make sure the SSH server accepts logins with password.
#
# Once installed, add a section at the node's root attribute level, like this:
#
# "ssh":{"chroots":{"import_csv":{"password":"$1$vtmvimM9$S5btvNNycEWa3KQAa.LqL1","folders":{"/var/www/shared/var":"upload"}}}}
#
# where "folders" is the map of folders to bind-mount into the chroot of user import_csv:
# each key is a source folder, and its value is the destination folder inside the chroot
#
# The password is managed in hashed form.
# You can create a password hash with the command:
# echo "theplaintextpassword" | makepasswd --clearfrom=- --crypt-md5 | awk '{ print $2 }'
#
# if you don't have makepasswd installed, run the following:
#
# sudo apt-get install makepasswd
# Example of node attributes with multiple users and multiple folders:
# "ssh":{"chroots":{
# "import_csv":{"password":"$1$AUR7lpRA$.7tM6s5dlrOXZvbSXOD9x0","folders":{"/var/www/shared/var/import":"upload", "/var/www/shared/var/export":"download"}},
# "import_img":{"password":"$1$AUR7lpRA$.7tM6s5dlrOXZvbSXOD9x0","folders":{"/var/www/shared/media/import":"upload"}}
# }}
# Don't forget to enable password authentication in SSH
# (use the has_sftp_users role)
#
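# Declared without an action so it can be referenced/restarted later; on
# RHEL-family hosts the real service name is "sshd" (see the restart below).
service "ssh"

# Guard both levels: node['ssh'] itself may be absent, which made the original
# `node[:ssh]['chroots']` raise NoMethodError instead of skipping the recipe.
chroots = node['ssh'] && node['ssh']['chroots']

if chroots
  # Toolchain required to compile the native extension of the ruby-shadow gem.
  case node['platform']
  when "centos", "redhat", "fedora"
    %w[gcc gcc-c++ kernel-devel].each do |pkg|
      package pkg do
        action :install
      end
    end
  when "debian", "ubuntu"
    package "build-essential" do
      action :install
    end
  end

  # The user resource needs the 'shadow' library to set hashed passwords.
  gem_package "ruby-shadow"

  ruby_block "require shadow library" do
    block do
      Gem.clear_paths # <-- Necessary to ensure that the new library is found
      require 'shadow' # <-- gem is 'ruby-shadow', but library is 'shadow'
    end
  end

  # Every chrooted account belongs to this group; sshd matches on it below.
  group "sftp"

  ssh_config "Subsystem sftp" do
    string "Subsystem sftp internal-sftp"
  end

  # Members of "sftp" are confined to their home directory (%h) and to the
  # in-process SFTP server: no shell, no X11 and no TCP forwarding.
  ssh_config "Match group sftp" do
    string "Match group sftp\\n X11Forwarding no\\n ChrootDirectory %h\\n AllowTcpForwarding no\\n ForceCommand internal-sftp\\n"
    action :add_multiline
  end

  chroots.each do |user_name, user_info|
    home_dir = "/home/#{user_name}"

    user user_name do
      shell "/bin/false"
      gid "sftp"
      # Expected to be an already-hashed crypt(3) value (the header shows an
      # MD5-crypt "$1$" example); any scheme the platform's shadow supports,
      # such as SHA-512 crypt "$6$", is passed through unchanged.
      password user_info['password']
      home home_dir
    end

    # sshd rejects a ChrootDirectory unless every path component is owned by
    # root and not group/world writable, so the home is created explicitly
    # with those permissions rather than relying on the user resource
    # (whose home-creation support was also buggy when this was written).
    directory home_dir do
      owner "root"
      group "root"
      mode "0755"
    end

    # Unique resource name per user; `group_name` keeps the real group "sftp".
    # Reusing the name "sftp" with a different action would clone the earlier
    # resource and trigger Chef's resource-cloning warnings.
    group "add #{user_name} to sftp" do
      group_name "sftp"
      action :modify
      members user_name
      append true
    end

    # A user without "folders" simply gets an empty chroot instead of a crash.
    (user_info['folders'] || {}).each do |source, destination|
      target = "#{home_dir}/#{destination}"

      # Checked at recipe compile time, before any resource converges, so a
      # missing source folder fails the run up front. `raise` (rather than
      # `abort`) lets Chef's normal error handling/reporting see the failure.
      unless File.exist?(source)
        raise "Folder #{source} does not exist - can not mount it to chrooted home of user #{user_name}"
      end

      # The mount point only needs to exist: once the bind mount is active the
      # permissions of `source` apply, so the directory itself need not be
      # world-writable (0777 would expose the underlying path if unmounted).
      directory target do
        owner "root"
        group "root"
        mode "0755"
        action :create
      end

      mount target do
        device source
        action [:mount, :enable]
        options "rw,bind"
      end
    end
  end

  # Restart the daemon so the Subsystem/Match changes take effect.
  case node['platform']
  when "redhat", "centos", "scientific", "fedora", "suse", "amazon"
    service "sshd" do
      action :restart
    end
  when "debian", "ubuntu"
    service "ssh" do
      action :restart
    end
  end
end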