Shulou(Shulou.com)06/01 Report--

This article is to share with you about how Linux restricts the content that a specified account cannot SSH and can only SFTP in a specified directory. The editor thinks it is very practical, so share it with you as a reference and follow the editor to have a look.

Overview

Since a server needs to restrict specified users and only allow access to the specified directory, this requirement should be common in many scenarios. Here is a solution.

The following limits the sftp user group to sftp connections to the specified directory (/ projects/tms_prod), and ssh connections are prompted to accept only sftp connections.

The specific process of the scheme is as follows:

1. Create users and directories:

Mkdir-p / projects/ groupadd sftp # New group useradd-g sftp-s / bin/false tms-d / projects/tms_prod # New user passwd tms chown root:sftp / projects/ # modify home directory user and group chmod 755 / projects/ # Home directory authorization mkdir-p / projects/tms_prod # create subdirectory chown tms:sftp / projects/tms_prod # modify user and group chmod 755 / projects/tms_prod # subdirectory authorization

two。 Configure sshd_config

Subsystem sftp internal-sftp # specifies to use sftp services to use the internal-sftp # Match User tms Match Group sftp ChrootDirectory / projects/ X11Forwarding no # included with the system to prohibit X11 from forwarding AllowTcpForwarding no # prohibit tcp from forwarding ForceCommand internal-sftp # specified sftp commands and cannot connect to ssh

Note:

The directory owner from the directory specified by ChrootDirectory all the way up to the root of the system can only be root.

The directory specified by ChrootDirectory cannot have group write permission all the way up to the root of the system.

3. Restart the ssh service:

Service sshd restart

4. Test verification

Add:

1. Subsystem sftp / usr/lib/openssh/sftp-server is more internal-sftp. What's the difference between the two?

To put it simply, the default sftp process is started by a separate binary: / usr/lib/openssh/sftp-server, while internal-sftp does not need an external binary to start an additional process, which is integrated into the sshd process.

The advantages of internal-sftp over / usr/lib/openssh/sftp-server are:

Good performance, no need for additional process.

Good security, no need for users to log in to shell, and you can use ChrootDirectory to restrict directories where sftp behavior is active

The existence of sftp-server is mainly backward compatibility.

2. ChrootDirectory directory

Generally, problems will occur on ChrootDirectory directory, where the directory cannot be configured directly to the target directory, but needs to be configured to its next level; that is, to chroot the C directory of / A/B/C, to be able to read and write to C, so the C directory cannot be ROOT directory, but chroot to B.

Thank you for reading! This is the end of the article on "how Linux restricts that a specified account cannot SSH only SFTP in a specified directory". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, you can share it out for more people to see!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.