Centos创建用户通过SFTP访问指定目录及权限设置的方法
环境准备:两台Linux服务
系统版本:centos7.6
IP:192.168.0.4 sftp 用户
IP:192.168.0.3 验证服务
1.查看openssh软件版本,想sftp服务用户只能访问特定的文件目录,版本需要4.8以上
[root@Slave tools]# rpm -qa | grep openssh
openssh-server-7.4p1-16.el7.x86_64
openssh-7.4p1-16.el7.x86_64
openssh-clients-7.4p1-16.el7.x86_64
You have new mail in /var/spool/mail/root
[root@Slave tools]#
2.新增用户,限制用户只能通过sftp访问
[root@Slave tools]# useradd -m -d /opt/ftp/dave -s /sbin/nologin dave
useradd: cannot create directory /opt/ftp/dave
[root@Slave tools]# mkdir -p /opt/ftp/dave
You have new mail in /var/spool/mail/root
[root@Slave tools]# cd /opt/ftp/
[root@Slave ftp]# ll
total 0
drwxr-xr-x 2 root root 6 Dec 16 02:36 dave
3.用户设置密码
[root@Slave tools]# passwd dave
Changing password for user dave.
New password: 123789
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 123789
passwd: all authentication tokens updated successfully.
You have new mail in /var/spool/mail/root
[root@Slave tools]#
4.限制用户通过sftp登录进来时只能进入主目录,修改/etc/ssh/sshd_config文件
[root@Slave tools]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config_202012161522.bak
[root@Slave tools]# vi /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match User dave
ChrootDirectory /opt/ftp/dave
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
5.重启ssh
[root@Slave tools]# service sshd restart
Redirecting to /bin/systemctl restart sshd.service
You have new mail in /var/spool/mail/root
[root@Slave tools]#
4.测试访问 IP:192.168.0.3
[root@Master tools]# sftp -oPort=22 dave@192.168.0.4
dave@192.168.0.4's password:
packet_write_wait: Connection to 192.168.0.4 port 22: Broken pipe
Couldn't read packet: Connection reset by peer
[root@Master tools]#
发现连接不上,查看日志
[root@Slave tools]# tail /var/log/messages
Dec 16 02:25:30 Slave systemd: Started OpenSSH server daemon.
Dec 16 02:25:53 Slave kubelet: W1216 02:25:53.090332 3421 conversion.go:110] Could not get instant cpu stats: cumulative stats decrease
Dec 16 02:29:33 Slave systemd: Starting Cleanup of Temporary Directories...
Dec 16 02:29:33 Slave systemd: Started Cleanup of Temporary Directories.
Dec 16 02:30:01 Slave systemd: Started Session 6 of user root.
Dec 16 02:32:00 Slave systemd: Created slice User Slice of dave.
Dec 16 02:32:00 Slave systemd: Started Session 7 of user dave.
Dec 16 02:32:00 Slave systemd-logind: New session 7 of user dave.
Dec 16 02:32:00 Slave systemd-logind: Removed session 7.
Dec 16 02:32:00 Slave systemd: Removed slice User Slice of dave.
[root@Slave tools]#
解决方法:
目录权限设置上要遵循2点:
ChrootDirectory设置的目录权限及其所有的上级文件夹权限,属主和属组必须是root;
ChrootDirectory设置的目录权限及其所有的上级文件夹权限,只有属主能拥有写权限,权限最大设置只能是755。
如果不能遵循以上2点,即使是该目录仅属于某个用户,也可能会影响到所有的SFTP用户。
[root@Slave tools]# cd /opt/ftp/
[root@Slave ftp]# ll
total 0
drwxr-xr-x 2 root root 6 Dec 16 02:36 dave
[root@Slave ftp]# chown root:root dave
[root@Slave ftp]# chmod 755 dave
[root@Slave ftp]# ll
total 0
drwxr-xr-x 2 root root 6 Dec 16 02:36 dave
然后在测试通过 IP:192.168.0.3
[root@Master tools]# sftp -oPort=22 dave@192.168.0.4
dave@192.168.0.4's password:
Connected to 192.168.0.4.
sftp> ls
sftp> cd ..
sftp> ls
sftp>
IP:192.168.0.4
创建目录、文本
[root@Slave test]# cd /opt/ftp/dave/
[root@Slave dave]# mkdir test
[root@Slave dave]# cd test/
[root@Slave test]# ll
total 0
[root@Slave test]# touch 1.txt
IP:192.168.0.3
测试查看:
[root@Master tools]# sftp -oPort=22 dave@192.168.0.4
dave@192.168.0.4's password:
Connected to 192.168.0.4.
sftp> ls
test
sftp> cd test/
sftp> ls
1.txt
sftp>
