Activated SFTP Accounts

Table of Contents

This manual explains how you can run a SFTP server with passwords set by the users.

I’m running a little FTP server using the SFTP command provided by openSSH.
Because I don’t want to know the passwords of the users I’ve thought about a method to provide the user an interface so they can set the password of their account.

Warranty There is no warranty that this setup works for any system which provide the dependencies listed below. I'm just providing these information because it worked for me. If you have questions you can leave a message here but I decide whether I'll answer and help or not.

Features #

user has to activate his FTP account by setting his password
user can easily be deactivated
user can change his password after the account was reset

Requirements #

grep
SSH ;)

Installation #

create 2 groups:
```
groupadd ftpusers
groupadd preftpusers
```

grant users in group ftpusers only SFTP access by adding this to your /etc/ssh/sshd_config:

Match Group ftpusers
     AllowAgentForwarding no
     AllowTcpForwarding no
     ChrootDirectory %h
     ForceCommand internal-sftp
     MaxAuthTries 3
     MaxSessions 5
     PasswordAuthentication yes
     PermitRootLogin no
     PermitTunnel no
     X11Forwarding no

install daemon-script:

#!/bin/bash

SCRIPT="$(basename $0)"
FIFOFILE="/tmp/${SCRIPT}.fifo"
FTPGROUP="ftpusers"
PREFTPGROUP="preftpusers"

function cleanup ()
{
    rm -f ${FIFOFILE}
    trap - INT TERM EXIT
}
trap 'cleanup && exit 0' INT TERM EXIT
mkfifo -m 622 ${FIFOFILE} || exit 1
exec 30<> ${FIFOFILE}

while true
do
    while read <&30
    do
        user="${REPLY}"
        groups=( $(groups ${user} 2>/dev/null) )
        echo "$(date) ${user}"
        [[ -z "${groups[@]}" ]] && continue
        if ! grep -xFf <(printf '%s\n' ${groups[@]}) <(printf '%s\n' ${FTPGROUP[@]}) >/dev/null && grep -xFf <(printf '%s\n' ${groups[@]}) <(printf '%s\n' ${PREFTPGROUP[@]}) >/dev/null
        then
            usermod -g ${FTPGROUP} -s /bin/false ${user}
        fi
    done
done

install login-shell:

#!/bin/bash

passwd || exit 1
echo "${USER}" > /tmp/ftpusers.sh.fifo 2>/dev/null || exit 1

install init-script (for Arch Linux only)

#!/bin/bash

. /etc/rc.conf
. /etc/rc.d/functions

PIDFILE="/var/run/ftpusers.sh.pid"
PID=$(pidof -o %PPID -x ftpusers.sh)
ck_pidfile ${PIDFILE} ftpusers.sh || rm -f ${PIDFILE}
case "$1" in
  start)
    stat_busy "Starting ftpserver"
    [ -z "$PID" ] && <scriptspath>/ftpusers.sh >>/var/log/ftpusers.sh.log 2>&1 &
    if [ $? -gt 0 ]; then
      stat_fail
    else
      add_daemon ftpserver
      stat_done
    fi
    ;;
  stop)
    stat_busy "Stopping ftpserver"
    [ ! -z "$PID" ]  && kill $PID &> /dev/null
    if [ $? -gt 0 ]; then
      stat_fail
    else
      rm_daemon ftpserver
      stat_done
    fi
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  *)
    echo "usage: $0 {start|stop|restart}"
esac
exit 0

Usage #

add User #

add user

useradd -s /path/to/ftpfirstlogin.sh -g preftpusers <username>
passwd <username>

start the daemon-script:
```
bash /path/to/ftpusers.sh
```
or if you want to use the init-script just run:
```
/etc/rc.d/ftpserver start
```
now tell the user the temporary password
the user has to login using SSH then he can set and his account will be activated

deactivate User #

Just remove the user from the group ftpusers.

reset password #

change password of the user
start daemon-script

move user from ftpusers to preftpusers:

usermod -g preftpusers -s /path/to/ftpfirstlogin.sh <username>

user again can set his password using SSH

How it works #

because of the config SSH allows members of ftpusers only to use SFTP commands
by setting login-shell to ftpfirstlogin.sh this script is run every time the user logs in
ftpfirstlogin.sh
1. runs passwd
2. send username to fifo of ftpusers.sh
ftpusers.sh:
1. creates a fifo and waits for input through it
2. each input is checked wheather it is a valid user
3. if the user is member of preftpusers the main group is set to ftpusers and the login shell is set to /bin/false