
How to configure SFTP Service Environment under Linux

2025-01-16 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

This article explains how to configure the SFTP service environment under Linux. Many people have questions about this in day-to-day operations, so the editor consulted various materials and put together a simple, easy-to-use procedure. Follow the steps below.

SFTP

SFTP is the abbreviation of Secure File Transfer Protocol. It provides a secure, encrypted way to transfer files, and its syntax and functionality are almost the same as those of FTP. SFTP is part of SSH and is a secure way to transfer files to a Blogger server. In fact, the SSH package already contains a secure file transfer subsystem called SFTP. SFTP does not have a separate daemon of its own; it must use the sshd daemon (port 22 by default) to complete the connection, so in a sense SFTP is less like a server program and more like a client program. SFTP also encrypts both the authentication information and the transferred data, so using SFTP is very secure. However, because this mode of transmission uses encryption and decryption, its transmission efficiency is much lower than that of ordinary FTP. If you have higher requirements for network security, you can use SFTP instead of FTP.

PS: The difference between FTP and SFTP

FTP is a file transfer protocol. On the website, if you want to share files with people, the easiest way is to upload the files to the FTP server, and others can download the required files through the FTP client program.

FTP file transfer uses the following ports:

1. Control link: TCP port 21. Control side. Used to send instructions to the server and wait for the server to respond.

2. Data link: TCP port 20. Data transfer port. Used to establish a data transmission channel. It is mainly used to send a file from the client to the server, a file from the server to the client, and a file or directory list from the server to the client.

In order to adapt to different network environments, FTP supports active connection and passive connection. Both modes are mainly for the data link and have nothing to do with the control link.

Security risks of FTP:

First, vulnerabilities in the FTP server software.

Second, plaintext passwords.

Third, the FTP banner.

Fourth, port scanning is carried out through the FTP server.

Fifth, data hijacking.

FTP's security policy:

First, use more secure systems and FTP service software.

Second, use ciphertext to transmit username and password.

Third, change the banner of the service software.

Fourth, strengthen the security of the protocol.

Configure the SFTP environment for non-SSH users

SFTP, which stands for Secure File Transfer Protocol, is a secure file transfer protocol. It provides a secure, encrypted way to transfer files. Its syntax and functionality are almost the same as those of FTP.

Step 1: Create a group

The code is as follows:

[root@localhost ~]# groupadd sftp_users

Step 2: Assign the user to the sftp_users group

If the user does not exist on the system, create it with the following command (LCTT note: the user is given a shell that cannot log in, to prevent login through ssh):

The code is as follows:

[root@localhost ~]# useradd -G sftp_users -s /sbin/nologin jack

[root@localhost ~]# passwd jack

For existing users, use the following usermod command to modify:

The code is as follows:

[root@localhost ~]# usermod -G sftp_users -s /sbin/nologin jack

Note: if you want to change the user's default home directory, you can use the '-d' option in the useradd and usermod commands and set the appropriate permissions.

Step 3: Edit the configuration file "/etc/ssh/sshd_config"

The code is as follows:

# vi /etc/ssh/sshd_config

# comment out the line below and add the line after it

#Subsystem sftp /usr/libexec/openssh/sftp-server

Subsystem sftp internal-sftp

# add the lines below at the end of the file

Match Group sftp_users

X11Forwarding no

AllowTcpForwarding no

ChrootDirectory %h

ForceCommand internal-sftp

Here:

Match Group sftp_users: this parameter specifies that the following lines apply only to users in the sftp_users group.

ChrootDirectory %h: this parameter specifies the path to be used for the chroot environment after user authentication (%h is the user's home directory). For the user jack, the path is /home/jack.

ForceCommand internal-sftp: this parameter forces the use of the internal sftp and ignores any commands in the ~/.ssh/rc file.

Restart the ssh service

The code is as follows:

# service sshd restart

Step 4: set permissions:

The code is as follows:

[root@localhost ~]# chmod 755 /home/jack

[root@localhost ~]# chown root /home/jack

[root@localhost ~]# chgrp -R sftp_users /home/jack

If you want to allow the user jack to upload files, create an upload folder with the following permissions:

The code is as follows:

[root@localhost jack]# mkdir /home/jack/upload

[root@localhost jack]# chown jack: /home/jack/upload/

Step 5: Access the system and test

Try to access the system through ssh

As shown in the following figure, user jack logs in through SFTP and, because of the chroot environment, cannot change directories.

Now do upload and download tests, as shown below:

As shown in the figure above, user jack's upload and download functions work well.
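
An added example, not part of the original article, that checks the result of Steps 3 and 4: it verifies that the Match block contains the four restrictions from Step 3, and that every directory in the chroot path is owned by root and not writable by group or others, which sshd requires before it will chroot a session. The function names, the UID and TOP parameters, and the simple "Match Group <name>" form are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): post-setup checks.

# lint_sftp_match FILE GROUP
# Checks the "Match Group GROUP" block of an sshd_config-style FILE for the
# four restrictions used in Step 3. Prints each problem; returns 0 if none.
# Assumption: the Match line has the simple form "Match Group <name>".
lint_sftp_match() {
    awk -v grp="$2" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blanks
        tolower($1) == "match" {                 # a new Match block starts
            inblk = (tolower($2) == "group" && $3 == grp); next
        }
        inblk { seen[tolower($1)] = $2 }         # remember keyword -> value
        END {
            bad = 0
            if (seen["forcecommand"] != "internal-sftp") {
                print "ForceCommand internal-sftp is not set"; bad = 1 }
            if (seen["chrootdirectory"] !~ /^(\/|%h)/) {
                print "ChrootDirectory is not absolute or %h: " seen["chrootdirectory"]
                bad = 1 }
            if (tolower(seen["allowtcpforwarding"]) != "no") {
                print "AllowTcpForwarding is not no"; bad = 1 }
            if (tolower(seen["x11forwarding"]) != "no") {
                print "X11Forwarding is not no"; bad = 1 }
            exit bad
        }' "$1"
}

# chroot_chain_ok DIR [UID] [TOP]
# Walks from DIR up to TOP (default /) and reports the first directory that
# is not owned by UID (default 0, root) or is writable by group or others.
# UID and TOP are parameters only so the check can be exercised in a sandbox.
chroot_chain_ok() {
    d=$1; uid=${2:-0}; top=${3:-/}
    while :; do
        st=$(stat -c '%u %a' "$d") || return 2   # GNU stat: owner uid, mode
        set -- $st
        if [ "$1" != "$uid" ] || [ $(( 0$2 & 022 )) -ne 0 ]; then
            echo "$d: owner uid $1, mode $2"
            return 1
        fi
        if [ "$d" = "$top" ] || [ "$d" = / ]; then return 0; fi
        d=$(dirname "$d")
    done
}

# On the server, as root:
#   lint_sftp_match /etc/ssh/sshd_config sftp_users
#   chroot_chain_ok /home/jack
```

Running `sshd -t` before restarting the service catches syntax errors in /etc/ssh/sshd_config.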
