Installing and configuring an SFTP server on CentOS 7 (chrooted, sftp-only accounts)

1. Introduction to SFTP

The SSH File Transfer Protocol (SFTP, often expanded as Secure File Transfer Protocol, also written "Secure FTP") is a network protocol that provides file access, transfer and management over a reliable data stream. In practice that stream is an SSH channel.

SFTP therefore transfers files over an encrypted, authenticated SSH tunnel: it is a subsystem of SSH, not a separate protocol with its own listener. Because every byte is encrypted and integrity-protected, SFTP has more per-byte overhead than plain FTP and is somewhat slower on the wire; plain FTP, on the other hand, sends credentials and data in cleartext. If you have any requirement for network security, use SFTP instead of FTP.

SFTP's command set is almost the same as FTP's. SFTP has no daemon of its own: it relies on the sshd daemon (port 22 by default) to accept the connection and start the sftp subsystem, so in a sense SFTP is less a server program in its own right than a subsystem that sshd runs on the client's behalf.

SFTP relies on the SSH service that ships with the system; unlike FTP, which needs an extra package (the vsftpd service), SFTP only needs a Linux account that sshd allows to log in. By default on CentOS 7 that includes root with its password, which is exactly what you do not want to hand to file-transfer users; the rest of this guide creates a dedicated account that can use SFTP but cannot get a shell.

2. Turn off the firewall

To keep the build simple we first stop the firewall and put SELinux in permissive mode, and re-enable the firewall with only the needed port once the build works (step 6). Do this only on a lab machine or one that is not yet reachable from untrusted networks; a production host should keep both on and open port 22 explicitly.

[root@centos7 ~]# systemctl status firewalld.service       # show firewall status
[root@centos7 ~]# systemctl stop firewalld.service         # stop the firewall service
[root@centos7 ~]# systemctl disable firewalld.service      # do not start the firewall at boot
# In the file, change SELINUX=enforcing to SELINUX=disabled
[root@centos7 ~]# vim /etc/selinux/config          
[root@centos7 ~]# setenforce 0                             # make the change take effect now (permissive until reboot)

3. Install SSH service

In CentOS 7, sftp is only a subsystem of sshd, so the SSH service is installed with yum.

Check whether ssh is installed

# If rpm -qa prints nothing, the package is not installed; if it prints package names, it is.
[root@centos7 ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017         # client is installed
# Note: the unquoted pattern openssh* is a regex meaning "openss" followed by zero or more "h",
# which is why the openssl packages show up as well
[root@centos7 ~]# rpm -qa|grep openssh*
openssh-clients-7.4p1-22.el7_9.x86_64
openssh-7.4p1-22.el7_9.x86_64
openssl-devel-1.0.2k-25.el7_9.x86_64
openssl-1.0.2k-25.el7_9.x86_64
xmlsec1-openssl-1.2.20-7.el7_4.x86_64
openssl-libs-1.0.2k-25.el7_9.x86_64
openssh-server-7.4p1-22.el7_9.x86_64                   # server is installed
# The removal below is optional and only useful for a clean reinstall. Never run it over an
# SSH session to a remote host: it removes sshd and you cannot open a new session until it is
# reinstalled. If the command fails, simply run it again.
[root@centos7 ~]# yum remove -y openssh*               # uninstall the ssh packages
# check again
[root@centos7 ~]# rpm -qa|grep openssh*
openssl-devel-1.0.2k-25.el7_9.x86_64
openssl-1.0.2k-25.el7_9.x86_64
xmlsec1-openssl-1.2.20-7.el7_4.x86_64
openssl-libs-1.0.2k-25.el7_9.x86_64
[root@centos7 ~]# rpm -qa openssh*
[root@centos7 ~]# ssh -V
bash: ssh: command not found...
Similar commands are:
'csh'
'sh'
[root@centos7 ~]# 

Start installing ssh

  • install ssh
# If the packages are already installed, running yum again upgrades them to the latest version
[root@centos7 ~]# yum install -y openssl* openssh*
# or install only what sshd needs
yum install -y openssl openssh-server
  • Set the service to start automatically at boot
[root@centos7 ~]# systemctl enable sshd.service 
  • start the ssh service
# The service name is sshd; the related operations are:
[root@centos7 ~]# systemctl start  sshd.service      # start the service
systemctl stop  sshd.service        # stop the service
systemctl restart sshd.service      # restart the service
systemctl status sshd.service       # show service status
systemctl enable sshd.service       # start sshd at boot
systemctl disable sshd.service      # do not start sshd at boot

4. Create a new user and SFTP directory

sftpuser is the account created for the SFTP service and /data/sftp/sftpuser is the directory it will be confined to (its chroot). sshd requires that this directory, and every directory above it, is owned by root and not writable by group or others; otherwise the login fails with "bad ownership or modes for chroot directory component" in /var/log/secure. That is why the chroot itself is root:root 755 and a separate, user-owned subdirectory is needed for uploads.

  • Create the SFTP directory and set its ownership
# create the directory tree (/data and /data/sftp are created root-owned with mode 755 by the root umask)
mkdir -p /data/sftp/sftpuser
chown root:root /data/sftp/sftpuser
chmod 755 /data/sftp/sftpuser
  • Create the sftp group and user
# create the group sftp
groupadd sftp
# create the user sftpuser with no system shell, so it can only use sftp
# -g primary group; -d home directory; -s login shell (nologin = no interactive login); -M do not create the home directory (it already exists)
useradd -g sftp -d /data/sftp/sftpuser -M -s /sbin/nologin sftpuser
# set the password
# echo "newpassword" | passwd --stdin username
# Note: this form leaves the password in the shell history and briefly in the process list;
# on anything but a throwaway lab box run "passwd sftpuser" interactively instead, or use key auth
echo "sftppassword" | passwd --stdin sftpuser
  • Create a directory the SFTP user can write to
# /data/sftp/sftpuser is owned by root and nobody else may write to it,
# so create a subdirectory inside it for uploads and downloads
mkdir -p /data/sftp/sftpuser/upload
chown sftpuser:sftp /data/sftp/sftpuser/upload
chmod 755 /data/sftp/sftpuser/upload

5. Configure SSH and SFTP servers

Back up the configuration file

# so the original can be restored if a later edit leaves sshd unable to start
[root@centos7 ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
[root@centos7 ~]# cd /etc/ssh/
[root@centos7 ssh]# ll
......
-rw-------  1 root root       4084 Aug 11 22:55 sshd_config
-rw-------  1 root root       4084 Aug 15 10:22 sshd_config.backup
......

Configure SSH

vim /etc/ssh/sshd_config

# Change the following lines (add any that are missing).
# These are already the CentOS 7 defaults, so this step can be skipped. Two caveats:
# - PermitRootLogin yes is not needed for SFTP. On a host reachable from untrusted networks
#   set it to "no" (or "prohibit-password") so root cannot be brute-forced over SSH.
# - RSAAuthentication only ever applied to SSH protocol 1, which OpenSSH 7.4 no longer
#   supports; sshd 7.4 warns that the option is unsupported/deprecated and ignores it.
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys

Configure SFTP

vim /etc/ssh/sshd_config

# Comment out this line (only one "Subsystem sftp" line may be present)
# Subsystem      sftp    /usr/libexec/openssh/sftp-server

# Append the following at the END of the file. A Match block must be the last thing in the
# file: every directive after a Match line applies only to connections that match it (until
# the next Match). %u expands to the login name, so each member of group sftp is confined
# to /data/sftp/<username>, and ForceCommand makes sftp the only thing they can run.
Subsystem sftp internal-sftp
Match Group sftp
ChrootDirectory /data/sftp/%u
ForceCommand internal-sftp
# The next two lines are security related: a chrooted user must not be able to open
# TCP port forwards or X11 forwards through the server
AllowTcpForwarding no
X11Forwarding no

6. Restart and configure the firewall

systemctl enable firewalld.service                   # start the firewall at boot again
systemctl restart firewalld.service                  # restart the firewall service
firewall-cmd --version                               # show the firewalld version
firewall-cmd --list-all                              # list the open ports and services
firewall-cmd --permanent --zone=public --add-port=22/tcp    # open port 22 (sftp uses the sshd port; a stock CentOS 7 already allows the ssh service in the public zone)
firewall-cmd --reload                                       # reload the firewall rules
# SELinux stays disabled, as set in step 2. Note that ftpd_full_access is a boolean for
# vsftpd/proftpd and has no effect on sshd's internal-sftp. If you prefer to keep SELinux
# enforcing, look for denials with "ausearch -m avc -ts recent" instead of switching it off.
setsebool -P ftpd_full_access on
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/sysconfig/selinux   # only the SELINUX= line, not the comments that also contain "enforcing"
setenforce 0 && getenforce                                               # permissive now; getenforce confirms it

7. Restart the SFTP service

systemctl restart sshd.service

So far, SFTP has actually been built successfully, and you can log in!
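The following script is an added example, not code from the original article: it wraps steps 4 to 7 (group and user creation, the chroot tree, the sshd_config Match block, a syntax check and the restart) in one place, and adds the two checks a practitioner wants before restarting sshd: that every component of the chroot path has the ownership and modes sshd insists on, and that the new config parses. The layout (/data/sftp/<user>, group sftp, subdirectory upload) is the article's; AllowAgentForwarding/PermitTunnel, the SSHD_CONFIG variable and the check_chroot_path parameters for owner and trusted prefix are assumptions made here so the check can also be run as a non-root user on a scratch tree.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article. Wraps sections 4-7:
# create the sftp group/user, build the chroot tree with the ownership sshd
# demands, verify it, write the Match block, validate with "sshd -t", restart.
# Assumed layout (from the article): chroot base /data/sftp/<user>, group
# "sftp", writable subdirectory "upload".
# Usage:  ./sftp_chroot.sh apply sftpuser      (as root). Without arguments the
# script only defines the functions, so it can be sourced or tested.

SFTP_BASE="${SFTP_BASE:-/data/sftp}"
SFTP_GROUP="${SFTP_GROUP:-sftp}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# sshd refuses to enter a chroot unless every path component, from / down to
# the ChrootDirectory itself, is owned by root and not group- or world-writable;
# the failure appears in /var/log/secure as "bad ownership or modes for chroot
# directory component". Walk the path and report the first offender.
# owner (default 0 = root) and trusted (components above it are skipped,
# default / = check everything) are assumptions of this example so the check
# can be exercised by an unprivileged user on a throwaway tree.
check_chroot_path() {
    local dir="$1" owner="${2:-0}" trusted="${3:-/}"
    local path="" comp uid mode
    local IFS='/'
    for comp in ${dir#/}; do
        [ -n "$comp" ] || continue
        path="$path/$comp"
        case "$trusted" in "$path"/*) continue ;; esac   # above the trusted prefix
        [ -d "$path" ] || { echo "missing: $path"; return 1; }
        uid=$(stat -c '%u' "$path")
        mode=$(stat -c '%a' "$path")
        if [ "$uid" != "$owner" ]; then
            echo "bad owner on $path: uid $uid (want $owner)"; return 1
        fi
        if [ $(( 8#$mode & 8#022 )) -ne 0 ]; then      # g+w or o+w bit set
            echo "group/world writable: $path (mode $mode)"; return 1
        fi
    done
    echo "chroot path ok: $dir"
}

# sshd_config fragment. Only one "Subsystem sftp" line may exist, and a Match
# block must come last: every directive after "Match" belongs to that block.
# AllowAgentForwarding and PermitTunnel are additions to the article's block.
render_sftp_match() {
    local group="${1:-$SFTP_GROUP}" base="${2:-$SFTP_BASE}"
    printf '%s\n' \
        "Subsystem sftp internal-sftp" \
        "Match Group $group" \
        "    ChrootDirectory $base/%u" \
        "    ForceCommand internal-sftp" \
        "    AllowTcpForwarding no" \
        "    AllowAgentForwarding no" \
        "    PermitTunnel no" \
        "    X11Forwarding no"
}

apply_sftp_config() {
    local user="$1" home="$SFTP_BASE/$1"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    groupadd -f "$SFTP_GROUP"
    id -u "$user" >/dev/null 2>&1 ||
        useradd -g "$SFTP_GROUP" -d "$home" -M -s /sbin/nologin "$user"
    # chroot root: root-owned, 755; upload/: the only place the user may write
    install -d -o root -g root -m 755 "$home"
    install -d -o "$user" -g "$SFTP_GROUP" -m 755 "$home/upload"
    check_chroot_path "$home" || return 1
    cp -n "$SSHD_CONFIG" "$SSHD_CONFIG.backup"
    # comment out the stock external sftp-server subsystem, append our block once
    sed -i 's|^Subsystem[[:space:]]\+sftp[[:space:]]\+/usr/libexec/openssh/sftp-server|#&|' "$SSHD_CONFIG"
    grep -q "^Match Group $SFTP_GROUP" "$SSHD_CONFIG" || render_sftp_match >> "$SSHD_CONFIG"
    # sshd -t parses the config without starting; never restart on a broken config
    sshd -t || { echo "sshd_config invalid, not restarting (backup: $SSHD_CONFIG.backup)" >&2; return 1; }
    systemctl restart sshd
    echo "set the password interactively with: passwd $user   (avoids echo | passwd --stdin in shell history)"
    echo "then test: sftp $user@localhost   and confirm ssh $user@localhost is refused"
}

if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    apply_sftp_config "$2"
fi
```

check_chroot_path is the part worth keeping around: the most common reason a freshly configured chrooted user is disconnected right after authenticating is a group-writable /data or /data/sftp, and the sshd log line does not say which component is at fault.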

8. Access test

View IP address

ip addr

Notice:

  • On a cloud server this is the public IP address
  • On a virtual machine in NAT mode it is the fixed IP address assigned to the VM; the test below uses 192.168.10.110

Create a new test file

# go to the writable upload directory created earlier
[root@centos7 ~]# cd /data/sftp/sftpuser/upload
# create a test file, then save and exit
[root@centos7 upload]# vim 测试_20220712.txt
[root@centos7 upload]#

Terminal Access Test

  • sftp command
[root@centos7 upload]# sftp sftpuser@192.168.10.110
sftpuser@192.168.10.110's password:   # the password is not echoed; type it and press Enter
Connected to 192.168.10.110.
sftp> pwd
Remote working directory: /            # the chroot: /data/sftp/sftpuser appears to the user as /
sftp> cd upload/
sftp> pwd
Remote working directory: /upload
sftp> lls                              # lls lists the LOCAL directory (here the same machine); use ls for the remote side
测试_20220712.txt
sftp> exit

As a final check, an interactive SSH login as sftpuser must be refused: with ForceCommand internal-sftp in place the server answers "This service allows sftp connections only." and closes the connection.

Origin: blog.csdn.net/weixin_45688268/article/details/126355365