2025-01-20 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
An sftp service built on ssh is preferable to ftp on two counts: the account password and the data travel inside the encrypted ssh channel instead of in plaintext, and access is easy to confine (each user can be locked into a specified directory). The goals here:
1. Create an sftp-only account: the user can transfer files over sftp but cannot get an ssh shell on the server.
2. Restrict the user's working area so that the session cannot leave a specified directory, using the ChrootDirectory option of sshd.
Check the version
# ChrootDirectory and the internal-sftp subsystem used below both appeared in OpenSSH 4.8, so the installed version must be 4.8p1 or newer; on older releases, upgrade first. ssh -V prints the version of the installed OpenSSH package, which normally matches the running sshd.
ssh -V
Create the group and user
# add a group for sftp-only users
groupadd sftp
# add the user: home directory /home/sftp (created by -m), primary group sftp, and a shell that cannot be used for an interactive login.
# With the ForceCommand internal-sftp setting below the shell is never started, so /bin/false (or /sbin/nologin) does not get in the way of sftp.
# Note: after the chroot configured below, the home directory is looked up inside the chroot; if it does not exist there, the sftp session simply starts at the chroot root.
useradd -d /home/sftp -m -g sftp -s /bin/false sftp
# set the user's password
passwd sftp
Working directory
# create the directory the user will be confined to
mkdir -p /var/www/sftp
# set ownership. Note: a directory used as a chroot, and every directory above it, must be owned by root and must not be writable by group or others (0755 is the usual mode); sshd refuses the login otherwise. root.sftp (the same as root:sftp) satisfies this as long as the mode stays 0755.
# Because of this rule the confined user cannot write at the top of the chroot itself; give it a subdirectory of its own to work in, as described under ChrootDirectory.
chown root.sftp /var/www/sftp
Basic ssh configuration
# configuration file of the ssh service
vi /etc/ssh/sshd_config
# basic remote-login settings
# allow password authentication
PasswordAuthentication yes
# refuse accounts with an empty password
PermitEmptyPasswords no
# whether root itself may log in over ssh. This option is unrelated to the sftp users and does not need to be on for them; keep it off on a server exposed to the network.
PermitRootLogin no
At this point the server accepts ordinary remote ssh logins.
Configure sftp
# the internal-sftp subsystem built into sshd is enough for this purpose
# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Subsystem
The Subsystem line declares which program serves the sftp subsystem of ssh. The default (commented out above) runs the external sftp-server binary; internal-sftp instead runs the sftp server inside the sshd process, so no binary, shell or shared library has to exist inside a chroot for it to work. With only this line in place a user can still connect both ways: with an ssh client to get a shell, or with an sftp client to transfer files.
To allow sftp but not ssh, and to confine the user to a directory, add the following configuration.
# restrictions for users in the sftp group. Put this block at the end of sshd_config: a Match block extends to the next Match line (or the end of the file), and any global directive placed after it would be swallowed by it.
# Comments are kept on their own lines; sshd does not reliably accept a comment after a directive on the same line.
Match Group sftp
    # the directory that becomes the root of the session; %h stands for the user's home directory, %u for the user name, %% for a literal %
    ChrootDirectory /var/www/sftp
    # run the built-in sftp server as the session's command whatever the client asks for, so the user can only use sftp
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
Match [User | Group] userName | groupName
Match User or Match Group opens a conditional block that applies only to the named users or group; whatever it sets overrides the corresponding global setting for those sessions. Only a subset of directives may appear inside a Match block; ChrootDirectory, ForceCommand, AllowTcpForwarding and X11Forwarding are all allowed there.
ChrootDirectory is the directory the session is confined to; %h expands to the user's home directory and %u to the user name. When a user matched by the block logs in, the root directory "/" of that session is switched to this directory. Two points need special attention:
1. Every directory on the chroot path, from / down to the chroot directory itself, must be owned by root and must not be writable by group or others (0755 at most). sshd checks this at login and rejects the session with "bad ownership or modes for chroot directory" if the check fails. A consequence is that the confined user cannot write at the top of the chroot, so create a subdirectory beneath it that the user owns (for example /var/www/sftp/upload, owned by sftp:sftp) and have the user work there.
2. Once the chroot is set, the root "/" of the session is changed to this directory whenever the user logs in. If that user then connects with ssh rather than sftp (that is, with ChrootDirectory set but no ForceCommand), the client is told:
/bin/bash: No such file or directory
This message is accurate: inside the session "/" now means the chroot directory, and unless the chroot is the system's own "/" there is no bin/bash under it, so the login shell cannot be executed. The effect is the same as the -s /bin/false given to useradd: a login shell that cannot run means no interactive login.
ForceCommand sets the command that is run instead of whatever the client asked for. With ForceCommand internal-sftp in the block, matched users can only use the sftp protocol; an ssh login attempt is answered with
This service allows sftp connections only.
Finish the configuration and restart the sshd service. Run sshd -t first: it parses the file and reports any error, which is the only way to avoid locking yourself out with a configuration that sshd refuses to load.
service sshd restart
Note:
1. Problems caused by chroot: because chroot replaces the session's root directory, an ssh login by a chrooted user fails with /bin/bash: No such file or directory, since the shell is looked up as chroot/bin/bash and does not exist there.
2. ForceCommand is the command run at the start of the session. With internal-sftp, an ssh login is answered with This service allows sftp connections only. Like usermod -s /bin/false, it means the session never reaches /bin/bash, so ssh cannot be used to log in to the server.
Summary
The above describes how to configure ssh/sftp and set the corresponding permissions on a Linux system. I hope it is helpful; if you have any questions, leave a message and I will reply as soon as I can. Thank you for your support of the site!
© 2024 shulou.com SLNews company. All rights reserved.