sftp runs over the encrypted ssh tunnel and relies on the ssh service that ships with the system, so unlike ftp it needs no additional installation. ssh-based sftp offers better security than ftp (account passwords are not transmitted in plaintext) and convenient rights management (restricting the user's working directory).
1. Create an sftp account so the user can only operate on files through sftp and cannot ssh into the server.
2. Limit the user's working directory with the ChrootDirectory configuration of sftp, so the user can only work inside the specified directory.
Check the ssh version
ssh -V
Add user group sftp
groupadd sftp
Create sftp user
useradd -g sftp -s /bin/false baksftp
-s /bin/false : do not allow shell logins. -g sftp : join the sftp group
Set password
passwd baksftp
Set working directory
mkdir -p /data/sftp/baksftp
Configure Chroot directory permissions
# Note: if this directory is to be used as the chroot working directory later, its owner must be root
chown root:sftp /data/sftp/baksftp
chmod 755 /data/sftp/baksftp
Possible problems with chroot:
Because chroot switches the root directory of the session to this directory, an ssh login will most likely fail with /bin/bash: No such file or directory, because the shell path resolved in this session is [chroot]/bin/bash.
Set it as the home directory of the sftp group user
usermod -d /data/sftp/baksftp baksftp
Modify the ssh configuration file
vi /etc/ssh/sshd_config
Basic ssh remote login configuration
# Enable password authentication
PasswordAuthentication yes
# Disable empty-password login
PermitEmptyPasswords no
# Allow remote root login
PermitRootLogin yes
Now you can use ssh to log in to the server remotely.
Configure sftp
# Modify the Subsystem configuration: the internal-sftp service that comes with the system meets the requirements
# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Subsystem refers to a submodule of ssh; the sftp module is enabled here, and the system's built-in internal-sftp provides the service. In fact, after configuring only this, the account can log in over ssh as well as over sftp from an ftp client.
If you want users to log in to the server only through sftp and not ssh, and to limit the user's working directory, continue with the configuration below.
# Restrictions on the login user
Match Group sftp
    # %u stands for the user name; %h can also be used to represent the user's home directory
    ChrootDirectory /data/sftp/%u
    # Force the internal-sftp service that comes with the system, so the user can only log in in sftp mode
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
Keep the comments on their own lines: sshd_config does not accept a comment after a directive on the same line, and sshd will reject the file.
Match [User|Group] userName|groupName:
Match Group sftp: here is the permission configuration for the login user. Match applies to the matched user or user group and takes precedence over the general ssh configuration items.
ChrootDirectory:
The user's working directory; %h identifies the user's home directory and %u represents the user name. When a matching user logs in, the root directory of the session switches to this directory. Two issues need particular attention:
1. Every directory on the chroot path must be owned by root and must be no more permissive than 0755 (not writable by group or others). So a non-root login user cannot write to the chroot itself; we need to create a subdirectory under the chroot that the login user has permission to operate in.
2. Once chroot is set, the root directory "/" of the corresponding user's session is switched to this directory when that user logs in. If you log in with ssh instead of sftp at this point, you will most likely be prompted: /bin/bash: No such file or directory
For such a user the session's root "/" has been switched to the configured chroot directory, so unless the chroot is the system's "/" there is no bash command under chroot/bin. Just as with the -s /bin/false parameter set when adding the user, an initial shell command of /bin/false naturally cannot log in remotely through ssh.
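The ownership and mode rule in point 1 is the usual reason sshd rejects a ChrootDirectory. The script below is an added example, not part of the original page, that walks the chroot path from "/" downward and reports every directory that is not root-owned or is group/other-writable; it assumes GNU stat (Linux), and the optional expected-uid argument is an assumption added only so the check can be exercised on a non-root test tree.

```shell
#!/bin/sh
# Added example (not from the original page): check the chroot path rules that
# sshd enforces for ChrootDirectory. Every directory from "/" down to the chroot
# must be owned by root (uid 0) and must not be writable by group or others,
# i.e. no more permissive than 0755. Assumes GNU stat (Linux).

# chroot_mode_ok MODE: returns 0 if the octal mode string (e.g. 755, 1777)
# has no group or other write bit, 1 otherwise.
chroot_mode_ok() {
    mode=$(printf '%04d' "$1")   # pad to 4 digits: special, user, group, other
    o=${mode#???}                # 4th digit: other
    g=${mode%?}; g=${g#??}       # 3rd digit: group
    if [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ]; then return 0; else return 1; fi
}

# check_chroot_path DIR [EXPECTED_UID]: walks DIR and all its ancestors, prints
# one line per violation and returns the number of violations (0 means sshd
# would accept the path). EXPECTED_UID defaults to 0 (root); the override is an
# assumption added only so the check can be exercised on a non-root test tree.
check_chroot_path() {
    dir=$1
    want_uid=${2:-0}
    bad=0
    case $dir in /*) ;; *) echo "ERROR: $dir must be an absolute path"; return 1;; esac
    while :; do
        if [ ! -d "$dir" ]; then
            echo "MISSING: $dir is not a directory"
            bad=$((bad + 1))
        else
            uid=$(stat -c '%u' "$dir")
            mode=$(stat -c '%a' "$dir")
            if [ "$uid" != "$want_uid" ]; then
                echo "OWNER: $dir is owned by uid $uid, expected $want_uid"
                bad=$((bad + 1))
            fi
            if ! chroot_mode_ok "$mode"; then
                echo "MODE: $dir is $mode, must not be group/other writable"
                bad=$((bad + 1))
            fi
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return "$bad"
}

# Usage on the page's layout (run as root on the sftp server):
# check_chroot_path /data/sftp/baksftp && echo "chroot path ok"
```

Run it before restarting sshd; a non-zero exit lists exactly which directory on the path needs `chown root` or a tighter mode.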
ForceCommand:
The command forced at the start of the user's session. With this configured as above, the matched user can only log in using the sftp protocol; an ssh login fails with the prompt: This service allows sftp connections only.
Create a new upload directory
Create a new directory for the sftp user baksftp to upload files. The owner of this directory is baksftp and its group is sftp; the owner has write permission and the group has no write permission.
mkdir /data/sftp/baksftp/upload
chown baksftp:sftp /data/sftp/baksftp/upload
chmod 755 /data/sftp/baksftp/upload
Restart the sshd service
# Disable SELinux enforcement
setenforce 0
# Restart the sshd service
systemctl restart sshd.service
Log in to sftp
sftp -P22 baksftp@IP