How to create sftp users and restrict directory permissions in Linux

2025-03-26 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/02 Report--

In this issue, the editor walks through how to create an sftp user in Linux and restrict that user to a single directory. The steps are described from a practical point of view, and I hope you get something out of reading this article.

1. Create a user named sftpuser with ssh login disabled (nologin shell) and without creating a home directory

useradd -s /sbin/nologin -M sftpuser

2. Set the user password

passwd sftpuser

3. Create the sftp root directory, under which the directories of all sftp users will live. (If you will not add new users in the future, you can skip this directory.)

mkdir /home/sftp

4. Set directory permissions. There are two key points for the permissions of a chroot directory:

Every directory from the chroot directory all the way up to the root of the filesystem must be owned by root.

No directory from the chroot directory up to the root of the filesystem may be group-writable (or world-writable).

chown root:root /home/sftp

chmod 755 /home/sftp

Note: the maximum permission of this directory is 755. If you set it to 777, you will get an error. This is also one of the things that bothered me.

5. Create the user's own root directory under /home/sftp; the directory name is the user name.

cd /home/sftp

mkdir sftpuser

6. Set the permissions of the sftpuser directory

chown root:sftpuser /home/sftp/sftpuser

(Note: with root as the owner, the user sftpuser has no write permission on the directory sftpuser itself. Create other directories under it and grant sftpuser read and write permission on those.

If the user needs read and write permission on the directory itself, set the owner instead: chown sftpuser:sftpuser /home/sftp/sftpuser. Bear in mind that this breaks the root-ownership rule from step 4 if the directory is the chroot directory.)

chmod 755 /home/sftp/sftpuser

Note: the permission of the sftpuser directory can only be 755; otherwise the user cannot be restricted to it.

7. Configure sshd_config

vi /etc/ssh/sshd_config

8. Make the following changes, then save and exit

# comment out this line

# Subsystem sftp /usr/libexec/openssh/sftp-server

Add this line:

Subsystem sftp internal-sftp # use the internal-sftp built into sshd. Without it the user cannot log in through sftp.

# add at the end of the configuration file

Match User sftpuser # matches the user. To match several users or groups, separate the names with commas.

ChrootDirectory /home/sftp/%u # chroot the user into this directory. On the meaning of chroot: http://www.ibm.com/developerworks/cn/linux/l-cn-chroot/

# %u here is the account name, so /home/sftp/%u means /home/sftp/sftpuser

ForceCommand internal-sftp # force the sftp command

X11Forwarding no # add these two lines if you don't want the user to use forwarding; otherwise leave them out.

AllowTcpForwarding no

9. Restart the sshd service

systemctl restart sshd.service

# command to check the sshd status:

systemctl status sshd.service

10. Login test for the sftpuser user:

sftp -oPort=22 sftpuser@127.0.0.1

At this point the sftp user has been created and its permissions restricted to its root directory.

During the login test, you may encounter the following error:

Couldn't read packet: Connection reset by peer

This usually means that the ownership or permission rules from steps 4 and 6 are not met somewhere on the chroot path, so check those first.

This is how to create sftp users and restrict directory permissions in Linux, as shared by the editor. If you have similar doubts, please refer to the analysis above. If you want to know more, you are welcome to follow the industry information channel.
