background
1. The specified user can only access through sftp, cannot log in through SSH, and lock it in a specific directory
2. Problems encountered:
Modifying the /etc/ssh/sshd_config configuration file and restarting sshd causes other users to log in and report an error: /bin/bash: No such file or directory
1. Create an SFTP user group
groupadd sftp
2. Create sftp user
useradd -d /home/was -m -s /bin/false -g sftp was
3. Set password
passwd was
4. Create the specified sftp directory
mkdir /sftp
5. Back up the ssh configuration file and modify it
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_back
vi /etc/ssh/sshd_config
1) Comment this line, add a new configuration
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
2) Open Notes
# Example of overriding settings on a per-user basis
#Match User was #指定单用户的话使用这个配置,是使用的是用户组
Match group sftp
X11Forwarding no #禁止X11转发
AllowTcpForwarding no #禁止tcp转发
# PermitTTY no
ForceCommand internal-sftp #指定sftp命令,不能ssh连接
ChrootDirectory /sftp #指定用户被锁定到的那个目录,为了能够chroot成功,该目录必须属主是root,并且其他用户或组不能写
Pay attention to the pit point : configure ChrootDirectory /sftp must be behind this Match group sftp configuration, otherwise after restarting sshd, all accounts will report an error: /bin/bash: No such file or directory
Generally, problems will occur in the ChrootDirectory directory. The user and user group of this directory must be root:root. Create a directory corresponding to the sftp account in this directory and give this user corresponding permissions.
like:
mkdir -p /sftp/was
chown was:sftp /sftp/was
chmod 755 /sftp/was
6. Restart the SSH service
service sshd restart
7. Verification
ssh login authentication
sftp login verification