Create a new SFTP user that opens in, and is restricted to, a specific directory

1. Steps

1. Create a new user

adduser sftpuser1

The difference between useradd and adduser

useradd only adds the account record: it does not create the home directory and does nothing else, so the new user cannot even log in because no password has been set. adduser takes care of the rest, so it is used here.

2. Set the user password

passwd sftpuser1

Enter the new password twice when prompted.

3. Modify the user's home directory

usermod -d /data/wwwroot/user1/ sftpuser1

From now on, /data/wwwroot/user1/ is opened by default whenever this user connects, but the user can still leave it and browse other directories; the next step closes that off.

4. Set sshd_config:

Open the sshd_config file

vi /etc/ssh/sshd_config

Find the line beginning with Subsystem sftp and replace it with:

Subsystem sftp internal-sftp
UsePAM yes
Match user sftpuser1
ForceCommand internal-sftp
ChrootDirectory /data/wwwroot/user1/

Replace sftpuser1 and /data/wwwroot/user1/ above with the user and directory you need.

For multiple users, repeat these three lines for each one:

Match user sftpuser2
ForceCommand internal-sftp
ChrootDirectory /data/wwwroot/user2/

In this way, different restricted directories can be set for different users.

5. Restart the sshd service:

/etc/init.d/sshd restart

(On a systemd host the equivalent is systemctl restart sshd.)

Now log in as sftpuser1 with an SFTP client; you will find that the session is confined to /data/wwwroot/user1/.

2. Possible problems

1. After modifying sshd_config, restarting sshd reports an error: Directive 'UseDNS' is not allowed within a Match block

This looks like a random syntax error, but it has a cause: a Match block extends to the next Match line or to the end of the file, so every directive placed below Match user sftpuser1 is treated as part of that block, and UseDNS is not one of the directives sshd permits inside a Match block. Swapping the two sections of the configuration, so that the global directives come first and the Match block comes last, makes the error go away.

Before the fix:

Subsystem sftp internal-sftp
UsePAM yes
Match user sftpuser1
ForceCommand internal-sftp
ChrootDirectory /data/wwwroot/user1/

UseDNS no
AddressFamily inet
PermitRootLogin yes
SyslogFacility AUTHPRIV
PasswordAuthentication yes

After the fix:

UseDNS no
AddressFamily inet
PermitRootLogin yes
SyslogFacility AUTHPRIV
PasswordAuthentication yes

Subsystem sftp internal-sftp
UsePAM yes
Match user sftpuser1
ForceCommand internal-sftp
ChrootDirectory /data/wwwroot/user1/

Note: while this error is present, sftp will not connect at all. If you are used to editing configuration files through FileZilla, you have no choice but to drop to a shell and use vi/vim.

2. A new user connecting over sftp has incomplete permissions: files can be read but not written

I tried using the root account to change the user's home directory permissions to 777, but then the sftp user could not log in at all (error: Server unexpectedly closed network connection).

Searching turned up the following explanation:

The permissions of the new user's home directory have to satisfy two requirements:

1. The directory specified by ChrootDirectory, and every directory above it up to the system root, must be owned by root.

2. The directory specified by ChrootDirectory, and every directory above it up to the system root, must not be group-writable (or world-writable); the most permissive acceptable mode is 755.

If either requirement is violated, the new user cannot connect over sftp.

Therefore /data/wwwroot/user1/ and all of its parent directories must be owned by root, and neither the group nor others may have write permission on them. If the user needs somewhere to write, create a subdirectory under /data/wwwroot/user1/ with write permissions (the original suggests 777) and make the user its owner:

mkdir /data/wwwroot/user1/upload
chown -R sftpuser1:root /data/wwwroot/user1/upload

With that, sftpuser1 can freely read and write files in /data/wwwroot/user1/upload. Because sftpuser1 owns the directory, owner write permission is all that is needed; making it 777 additionally lets every other local account write there, so 755 is the safer choice.

3. If the restricted directory set by ChrootDirectory in sshd_config differs from the user's home directory path, the directory opened by default after connecting over sftp is the restricted directory, not the home directory.
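Both problems above can be caught before restarting sshd. The following pre-flight checks are an added example, not part of the original post: one walks the ChrootDirectory chain for the ownership and write-permission rules from problem 2, the other scans sshd_config for global-only directives that have ended up below a Match line (problem 1). It assumes GNU coreutils (stat -c); paths and the config file are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a chroot SFTP setup.
# Assumes GNU coreutils (stat -c) on Linux.

# Walk from DIR up to STOP (default /) and report every directory in the chain that
# sshd rejects as a ChrootDirectory ancestor: not owned by root, or writable by
# group/other. Prints one finding per line; returns the number of findings.
check_chroot_chain() {
    dir=$1 stop=${2:-/} findings=0
    while :; do
        owner=$(stat -c '%u' "$dir")
        perm=$(printf '%d' "0$(stat -c '%a' "$dir")")   # octal mode string -> integer
        if [ "$owner" -ne 0 ]; then
            echo "$dir: owned by uid $owner, must be root"
            findings=$((findings + 1))
        fi
        if [ $((perm & 18)) -ne 0 ]; then                # 18 = 022 octal (g+w or o+w)
            echo "$dir: group/other writable, must be 755 or stricter"
            findings=$((findings + 1))
        fi
        case $dir in "$stop" | /) break ;; esac
        dir=$(dirname "$dir")
    done
    return "$findings"
}

# Report global-only directives that appear after a Match line in CONFIG. A Match
# block runs to the next Match line or end of file, so anything below it is parsed
# as part of the block. The list here is a subset of sshd_config(5)'s global-only
# keywords; keywords are matched case-insensitively, as sshd does.
check_match_scope() {
    in_match=0 findings=0
    while read -r key rest; do
        case $key in '' | '#'*) continue ;; esac
        lower=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case $lower in
            match) in_match=1 ;;
            usedns | addressfamily | syslogfacility | usepam | subsystem | port | listenaddress)
                if [ "$in_match" -eq 1 ]; then
                    echo "$key is not allowed within a Match block; move it above the first Match"
                    findings=$((findings + 1))
                fi ;;
        esac
    done < "$1"
    return "$findings"
}

# Usage: check_chroot_chain /data/wwwroot/user1 && check_match_scope /etc/ssh/sshd_config && sshd -t
```

Run both checks, then sshd -t, before restarting; a non-zero exit from either function means the restart would lock sftp users out.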


Origin blog.csdn.net/qq_34743935/article/details/102570090