#!/bin/bash
# Provision the "new-publish" SFTP drop: service accounts, per-user authorized
# keys under /etc/ssh, and the matching sshd_config changes. Intended to be run
# as root via sudo (SUDO_USER is read when relocating the caller's keys).
set -o errexit

# Home directory and SFTP chroot shared by publish-copy and publish-trigger.
publish_home="/mnt/publish"

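#######################################
# Append content to a file unless an extended regexp already matches a line.
# Arguments:
#   $1 - file to append to (created if missing; a missing file never matches)
#   $2 - ERE passed to `grep -E`; callers passing literal text (e.g. a public
#        key containing '+') must escape metacharacters themselves
#   $3 - text to append, followed by a newline; may span several lines
# Outputs: warning on stderr when the append is skipped
# Returns: 0 when skipped or appended, non-zero if the write fails
#######################################
function add_if_absent() {
    local file=$1
    local exists_regexp=$2
    local to_add=$3
    if grep -q -E -- "$exists_regexp" "$file"; then
        # Diagnostics go to stderr so stdout stays usable by callers.
        printf 'Warning %s matched %s, adding new content skipped\n' \
            "$file" "$exists_regexp" >&2
        return 0
    fi
    # printf rather than echo: content that starts with '-n'/'-e' or contains
    # backslashes must be written verbatim.
    printf '%s\n' "$to_add" >> "$file"
}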

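#######################################
# Comment out (prefix with '#') every line of a file matching an ERE.
# Arguments:
#   $1 - file to rewrite in place
#   $2 - ERE matched against whole lines (awk dynamic regex)
# Side effects: rewrites $1 via a "$1.tmp" sibling, keeping $1's mode
# Returns: non-zero if awk or the file operations fail
#######################################
function comment_if_present() {
    local file=$1
    local regexp=$2
    local tmp="$file.tmp"
    # Copy first so the rewritten file keeps the original's mode rather than
    # whatever the current umask yields (sshd_config is the main caller).
    cp -p -- "$file" "$tmp"
    # Hand the pattern over via the environment instead of splicing it into
    # the awk program text: a pattern containing '/' or '"' would otherwise
    # alter or break the program itself.
    PATTERN="$regexp" awk '
        $0 ~ ENVIRON["PATTERN"] { print "#" $0; next }
        { print }
    ' "$file" > "$tmp"
    mv -- "$tmp" "$file"
}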

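#######################################
# Create a login in the "publish" group unless it already exists.
# Arguments:
#   $1 - login name
#   $2 - GECOS comment
# Globals: publish_home (read)
# Returns: useradd's status when the account had to be created
#######################################
function _ensure_publish_user() {
    local name=$1
    local comment=$2
    if id -u "$name" >/dev/null 2>&1; then
        return 0
    fi
    useradd \
        --comment "$comment" \
        --home "$publish_home" \
        --gid publish \
        -M \
        --no-user-group \
        "$name"
}

#######################################
# Idempotently create the "publish" group, the two service accounts and the
# chroot/upload directory tree under $publish_home.
# Globals: publish_home (read)
# Requires: root (groupadd/useradd/chown)
#######################################
function setup_accounts() {
    mkdir -p -- "$publish_home"

    # Test for existence explicitly: a blanket '|| true' would also hide real
    # groupadd/useradd failures (bad option, locked passwd database).
    getent group publish >/dev/null || groupadd publish

    _ensure_publish_user publish-copy "Publishing - transfer user"
    _ensure_publish_user publish-trigger "Publishing - finalization user"

    # sshd's ChrootDirectory requires the directory (and every parent) to be
    # root-owned and not writable by any other user or group.
    chown root:root -- "$publish_home"
    chmod 755 -- "$publish_home"

    # Actual uploads land here: publish-copy writes, the publish group (i.e.
    # publish-trigger) only reads; cleanup can be handled by a cronjob.
    mkdir -p -- "$publish_home/uploads"
    chown publish-copy:publish -- "$publish_home/uploads"
    chmod 755 -- "$publish_home/uploads"
}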


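#######################################
# Point sshd at the per-user key directory and chroot publish-copy into an
# SFTP-only session. Lines are appended, so re-running is safe as long as the
# earlier additions are still present.
# Globals: publish_home (read); calls add_if_absent, comment_if_present
# Side effects: keeps a one-time backup at /etc/ssh/sshd_config.before-new-pub
#######################################
function setup_sshd_config() {
    local sshd_config=/etc/ssh/sshd_config
#    sshd_config=sshd_config
    if [ ! -f "$sshd_config.before-new-pub" ]; then
        # Capture pristine config (with its mode) for rollback
        cp -p -- "$sshd_config" "$sshd_config.before-new-pub"
    fi

    # NOTE(review): AuthorizedKeysFile2 is a legacy keyword; confirm the target
    # sshd still accepts it — the sshd -t check below fails if it does not.
    add_if_absent "$sshd_config" "^AuthorizedKeysFile /etc/ssh/user-authorized-keys/%u" "\
AuthorizedKeysFile /etc/ssh/user-authorized-keys/%u
AuthorizedKeysFile2 /dev/null"

    # Switch the sftp subsystem to the in-process one ChrootDirectory needs.
    # Guarded so a re-run does not comment out our own line and re-append it
    # after the Match block below, where Subsystem is not allowed.
    if ! grep -q -E '^Subsystem sftp internal-sftp' "$sshd_config"; then
        comment_if_present "$sshd_config" "^Subsystem sftp"
        add_if_absent "$sshd_config" "^Subsystem sftp internal-sftp" "Subsystem sftp internal-sftp"
    fi

    # Appended last on purpose: every line after a Match belongs to that block.
    add_if_absent "$sshd_config" "^Match User publish-copy" "\
Match User publish-copy
       ChrootDirectory $publish_home
       ForceCommand    internal-sftp
       AllowTcpForwarding    no
       X11Forwarding         no
"

    # Never leave behind a config sshd cannot load (the backup above is the
    # rollback); under set -e a failed check aborts the script here.
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$sshd_config"
    fi
}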

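#######################################
# Move the invoking user's authorized_keys into /etc/ssh/user-authorized-keys/
# (where the new AuthorizedKeysFile points), then generate the two service key
# pairs and install them with restrictive key options.
# Globals: SUDO_USER (read; must be set), HOME (read; key pairs stored there)
# Side effects: writes under /etc/ssh/user-authorized-keys/ and
#   $HOME/snapshots-sync3/; replaces the caller's authorized_keys by a symlink
# Requires: root
#######################################
function setup_ssh_keys() {
    local keys_dir=/etc/ssh/user-authorized-keys
    local key_dir="$HOME/snapshots-sync3"
    local user_home
    local key_opts
    local pubkey
    local name

    # Without SUDO_USER the keys would be copied to a path sshd never reads and
    # the invoking account would be locked out once sshd_config changes.
    : "${SUDO_USER:?must be set - run this script via sudo}"
    # Under sudo $HOME may already be root's; resolve the caller's real home so
    # the file named after $SUDO_USER really holds that user's keys.
    user_home=$(getent passwd "$SUDO_USER" | cut -d: -f6)
    : "${user_home:?cannot resolve home directory of $SUDO_USER}"

    mkdir -p -- "$keys_dir"
    # sshd opens these files with the user's privileges, so the directory must
    # stay traversable whatever the current umask is (and not writable by others).
    chmod 755 -- "$keys_dir"

    # Move only a real file; a symlink means this step already ran.
    if [ -f "$user_home/.ssh/authorized_keys" ] && [ ! -L "$user_home/.ssh/authorized_keys" ]; then
        printf '%s\n' "Moving current account's authorized_keys to $keys_dir/"
        cp -- "$user_home/.ssh/authorized_keys" "$keys_dir/$SUDO_USER"
        rm -- "$user_home/.ssh/authorized_keys"
        ln -s -- "$keys_dir/$SUDO_USER" "$user_home/.ssh/authorized_keys"
    fi
    # Unlike in ~/.ssh/, keys here must be readable enough or sshd will not
    # pick them up => login lockout.
    if [ -f "$keys_dir/$SUDO_USER" ]; then
        chmod 644 -- "$keys_dir/$SUDO_USER"
    fi

    # Service key pairs. -N "" stores the private keys unencrypted; they are
    # only as protected as $key_dir itself.
    mkdir -p -- "$key_dir"
    for name in publish-copy publish-trigger; do
        if [ ! -f "$key_dir/$name" ]; then
            ssh-keygen -t rsa -N "" -f "$key_dir/$name"
        fi
    done

    # publish-copy: the Match block's ForceCommand (internal-sftp) in
    # sshd_config takes precedence over command=; this is the fallback should
    # that block ever be removed.
    key_opts='command="/usr/lib/sftp-server",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding'
    pubkey=$(< "$key_dir/publish-copy.pub")
    printf '%s %s\n' "$key_opts" "$pubkey" > "$keys_dir/publish-copy"
    chmod 644 -- "$keys_dir/publish-copy"

    # publish-trigger: NOTE(review): ${SSH_ORIGINAL_COMMAND#* } is expanded by
    # the login shell from remote-supplied input and is unquoted, so it is
    # word-split and glob-expanded before reaching trigger — confirm trigger
    # validates its arguments.
    key_opts='command="/home/ubuntu/new-publish/utils/new-publish/trigger ${SSH_ORIGINAL_COMMAND#* }",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding'
    pubkey=$(< "$key_dir/publish-trigger.pub")
    printf '%s %s\n' "$key_opts" "$pubkey" > "$keys_dir/publish-trigger"
    chmod 644 -- "$keys_dir/publish-trigger"
}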

#######################################
# Entry point: accounts first, then the key layout, then sshd_config.
# The key directory has to exist before sshd_config points at it, or a
# restart in between could lock every account out.
#######################################
main() {
    setup_accounts
    setup_ssh_keys
    setup_sshd_config
}

main