文档章节

搭建SFTP服务器(不允许SSH)

goodlook
 goodlook
发布于 2017/09/11 00:18
字数 912
阅读 15
收藏 0

1. Create a New Group

Create a group called sftpusers. Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.

# groupadd sftpusers

2. Create Users (or Modify Existing User)

Let us say you want to create an user guestuser who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to perform SSH.

The following command creates guestuser, assigns this user to sftpusers group, make /incoming as the home directory, set /sbin/nologin as shell (which will not allow the user to ssh and get shell access).

# useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
# passwd guestuser

Verify that the user got created properly.

# grep guestuser /etc/passwd
guestuser:x:500:500::/incoming:/sbin/nologin

If you want to modify an existing user and make him an sftp user only and put him in the chroot sftp jail, do the following:

# usermod -g sftpusers -d /incoming -s /sbin/nologin john

On a related note, if you have to transfer files from windows to Linux, use any one of the sftp client mentioned in this top 7 sftp client list.

3. Setup sftp-server Subsystem in sshd_config

You should instruct sshd to use the internal-sftp for sftp (instead of the default sftp-server).

Modify the the /etc/ssh/sshd_config file and comment out the following line:

#Subsystem       sftp    /usr/libexec/openssh/sftp-server

Next, add the following line to the /etc/ssh/sshd_config file

Subsystem       sftp    internal-sftp
# grep sftp /etc/ssh/sshd_config
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp

4. Specify Chroot Directory for a Group

You want to put only certain users (i.e users who belongs to sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config

# tail /etc/ssh/sshd_config
Match Group sftpusers
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp

In the above:

  • Match Group sftpusers – This indicates that the following lines will be matched only for users who belong to group sftpusers
  • ChrootDirectory /sftp/%u – This is the path that will be used for chroot after the user is authenticated. %u indicates the user. So, for john, this will be /sftp/john.
  • ForceCommand internal-sftp – This forces the execution of the internal-sftp and ignores any command that are mentioned in the ~/.ssh/rc file.

5. Create sftp Home Directory

Since we’ve specified /sftp as ChrootDirectory above, create this directory (which iw equivalent of your typical /home directory).

# mkdir /sftp

Now, under /sftp, create the individual directories for the users who are part of the sftpusers group. i.e the users who will be allowed only to perform sftp and will be in chroot environment.

# mkdir /sftp/guestuser

So, /sftp/guestuser is equivalent to / for the guestuser. When guestuser sftp to the system, and performs “cd /”, they’ll be seeing only the content of the directories under “/sftp/guestuser” (and not the real / of the system). This is the power of the chroot.

So, under this directory /sftp/guestuser, create any subdirectory that you like user to see. For example, create a incoming directory where users can sftp their files.

# mkdir /sftp/guestuser/incoming

6. Setup Appropriate Permission

For chroot to work properly, you need to make sure appropriate permissions are setup properly on the directory you just created above.

Set the owenership to the user, and group to the sftpusers group as shown below.

# chown guestuser:sftpusers /sftp/guestuser/incoming

The permission will look like the following for the incoming directory.

# ls -ld /sftp/guestuser/incoming
drwxr-xr-x 2 guestuser sftpusers 4096 Dec 28 23:49 /sftp/guestuser/incoming

The permission will look like the following for the /sftp/guestuser directory

# ls -ld /sftp/guestuser
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/guestuser

# ls -ld /sftp
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp

7. Restart sshd and Test Chroot SFTP

Restart sshd:

# service sshd restart

Test chroot sftp environment. As you see below, when gusetuser does sftp, and does “cd /”, they’ll only see incoming directory.

# sftp guestuser@thegeekstuff.com
guestuser@thegeekstuff's password:

sftp> pwd
Remote working directory: /incoming

sftp> cd /
sftp> ls
incoming

When guestuser transfers any files to the /incoming directory from the sftp, they’ll be really located under /sftp/guestuser/incoming directory on the system.

Note: If you have encountered below error: 
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer

Make sure the chroot directory (/sftp/guestuser) has to be owned by root and can't be any group-write access. Lovely. So you essentially need to turn your chroot into a holding cell and within that you can have your editable content.

Use the following command:

chown root:root /sftp/guestuser

 

 

Implement Logging

 

1. Make syslog available in the chroot

Create a dev directory in each user’s chrooted directory:

# mkdir /sftp/guestuser/dev

The folder permission should be rwxr-xr-x.

 

2. Configure rsyslog to probe the new logging source

Put the following contents in /etc/rsyslog.conf :

# Create an additional socket for the sshd chrooted users.

$AddUnixListenSocket /sftp/guestuser/dev/log

 

3. Configure OpenSSH for logging

Modify the following contents in /etc/ssh/sshd_config:

Match Group sftpusers

ChrootDirectory /sftp/%u

X11Forwarding no

AllowTcpForwarding no

ForceCommand internal-sftp -f LOCAL7 -l INFO

 

4. Restart sshd and rsyslog Service

# service sshd restart

# service rsyslog restart

 

5. Verify file log

Log in to the SFTP server using comfort account

Verify log in /var/log/secure

本文转载自:http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/

共有 人打赏支持
goodlook
粉丝 2
博文 32
码字总数 13095
作品 0
杭州
CentOS安装SFTP

服务器以centOS为例. 首先为什么要搭建sftp?答案:允许某些用户上传及下载文件,但是这些用户只能使用sftp传送文件,不能使用SSH终端访问服务器,而且sftp不能访问系统文件 创建sftp组 添加一个...

eatnothing
2016/12/01
27
0
Ubuntu Server如何配置SFTP(建立用户监狱)

SSH File Transfer Protocol是一个比普通FTP更为安全的文件传输协议。(参考资料:http://en.wikipedia.org/wiki/SSHFileTransfer_Protocol)它工作在Secure Shell(SSH)上,确保文件被加密...

BearCatYN
2015/08/25
0
0
Linux命令之sftp - 安全文件传输命令行工具

用途说明 sftp命令可以通过ssh来上传和下载文件,是常用的文件传输工具,它的使用方式与ftp类似,但它使用ssh作为底层传输协议,所以安全性比ftp要好得多。 常用方式 格式:sftp 通过sftp连接...

898009427
2017/12/14
0
0
Ubuntu14.04创建ftp服务器

在Ubuntu 14.04 上安装 FTP 服务 第一步>>更新库 第二步>>采用如下命令安装VSFTPD的包 第三步>>安装完成后打开 /etc/vsftpd.conf 文件,按如下所述修改。 取消如下行的注释(行号为29和33) ...

楠木楠
2016/12/20
13
0
SFTP服务器搭建

今天公司业务部门说要测试一款产品,需要FTP服务器,本来想给他们使用pure-ftp,但是他们指定要SFTP服务器。 我从来都没搭建过,正好借此机会部署测试一下 SFTP访问会使用本地系统账号,而非...

myexam
2017/03/26
0
0

没有更多内容

加载失败,请刷新页面

加载更多

下一页

谷歌 Fuchsia 上手体验,将取代Android/win10

在手机市场领域,Google表现很抢眼,毫无疑问,Android 至今在移动操作系统的市场份额占据绝对领先地位,但是 Android 仍然存在不少问题,碎片化问题严重,在平板以及大屏幕设备上表现糟糕,...

linux-tao
2分钟前
0
0
List、Array与ArrayList

数组在内存中是连续存储的,所以它的索引速度很快,而且赋值和修改元素也非常快,比如: string[] s=new string[3];//赋值 s[0]="a"; s[1]="b"; s[2]="c";//修改 s[1]="b1"; 但是数组...

shimmerkaiye
4分钟前
0
0
Linux 的Lnmp环境下为mysql添加环境变量

一.问题 在Linux 安装完Lnmp 环境后 , 连接Mysql 告诉没有这条命令 mysql -uroot -p 命令失效 因为是源码安装的,所以会出现这样的的原因 。集成环境是不会出现的。 其实很简单,只需要给m...

15834278076
6分钟前
0
0
apolloxlua include函数

include函数不是单独使用的函数, 他并不是标准库的一部分, 你可以使用include函数将某个后缀为 .aop的文档包含到你的文档流中。 因为include是单独处理流, 所以不会在主处理流程中有所表示...

钟元OSS
10分钟前
0
0
【转载分享】做一名较真的工程师

近些年与我共事过的同事,一定知道我至今仍有一个较真的性格。我会:指出同事所写代码的不当命名问题(并帮助改进);指出同事所写文档中的逻辑混乱问题(并辅以修订);指出同事所写PPT中乱...

HellerZhang
11分钟前
0
0

没有更多内容

加载失败,请刷新页面

加载更多

下一页

返回顶部
顶部