CentOS 7 sftp service with password-free key login - the road to dream building

Why use sftp instead of ftp?

sftp is a file transfer protocol that runs over ssh, so every session is encrypted. ftp, by contrast, is in many deployments used in clear text, so credentials and file contents are easy to capture on the wire, which is a security risk.

Statement of needs

1. Use sftp instead of ftp for file storage, lock the directory, and do not allow users to switch to unauthorized directories.

2. The sftp user is not allowed to log in to the server via ssh to perform operations.

3. The sftp user logs in with a key.

How to achieve this?

1. Create the sftpuser user group and root directory

# create the sftpuser group

groupadd sftpuser

# confirm the group exists (groups(1) takes a user name, not a group name, so look the group up instead)

getent group sftpuser

# this directory and all of its parent directories must be owned by root with permissions no higher than 755; its group is best set to sftpuser

mkdir /data/sftpuser

chown -R root:sftpuser /data/sftpuser

chmod -R 0755 /data/sftpuser

2. Modify the sshd_config configuration

# back up the configuration file
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_bak

# change the port to 2222
sed -i 's/#Port 22$/Port 2222/' /etc/ssh/sshd_config

# change the following settings; add any that are missing
vim /etc/ssh/sshd_config

# comment out this line
# Subsystem sftp /usr/libexec/openssh/sftp-server
Protocol 2
# password authentication
PasswordAuthentication yes
# key authentication
PubkeyAuthentication yes
# RSAAuthentication is an SSH protocol 1 option; the OpenSSH 7.4 shipped with CentOS 7 only warns about it, PubkeyAuthentication is the setting that matters
RSAAuthentication yes
Subsystem sftp internal-sftp -l info -f auth
# the Match block applies to everything after it, so keep it at the end of the file
Match Group sftpuser
ChrootDirectory /data/sftpuser/%u
AllowTcpForwarding no
X11Forwarding no
ForceCommand internal-sftp -l info -f auth

# All users in the sftpuser group can use the sftp service; after connecting, the only directory they can reach is /data/sftpuser/<username>

3. Usage examples

For example:

test is a user in the sftpuser group. After connecting to the server through sftp, it can only see the contents of the /data/sftpuser/test directory.

test2 is also a user in the sftpuser group. After connecting to the server through sftp, it can only see the contents of the /data/sftpuser/test2 directory.

1) Create users and directories

The owner of the test directory must be root, its group should be set to sftpuser, and its permissions must be no higher than 755.

# create the directory and set its ownership and permissions
mkdir /data/sftpuser/test
chmod 0755 /data/sftpuser/test
chown root:sftpuser /data/sftpuser/test

# add the user; -s /sbin/nologin prevents the user from logging in to a shell
useradd -g sftpuser -s /sbin/nologin test

2) Create the key

# create the .ssh directory in the user's home directory
mkdir /home/test/.ssh

# generate the public/private key pair as root (press Enter at each prompt)
ssh-keygen -t rsa

# copy the public key into the user's home directory as authorized_keys
cp /root/.ssh/id_rsa.pub /home/test/.ssh/authorized_keys

# give the user ownership of the directory
chown -R test:sftpuser /home/test

3) Create a writable upload directory inside the test directory

# create the upload directory
mkdir /data/sftpuser/test/upload

# give the user ownership so it can write there
chown -R test:sftpuser /data/sftpuser/test/upload

Note: The root directory of the sftp service must be owned by root with permissions no higher than 755, and every parent directory must follow the same rule. Each sftp user's chroot directory must likewise be owned by root with permissions no higher than 755; sshd refuses the chroot otherwise.

4) Test verification

# restart the sshd service

systemctl restart sshd

# local test from the sftp command line, logging in with the private key and no password
# (replace <server-address> with the server's own address for a local test)

sftp -oPort=2222 -oIdentityFile=~/.ssh/id_rsa test@<server-address>

# to log in with the private key from another machine, copy the private key file there and set its permissions to 600
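The steps above, collected into one provisioning helper as an added example that is not part of the original post. It assumes the /data/sftpuser layout and the sftpuser group from this page; dir_mode_ok and check_chroot_path reproduce the ownership and mode rule sshd enforces for ChrootDirectory (the directory and every ancestor owned by root, none group- or world-writable), and add_sftp_user must run as root.

```bash
#!/bin/bash
# Added example (assumed layout from the post): chroot root /data/sftpuser,
# per-user chroot /data/sftpuser/<user>, writable upload/ inside it.
SFTP_ROOT=/data/sftpuser
SFTP_GROUP=sftpuser

# One directory: owned by want_uid (root = 0 in production) and not writable
# by group or others. Returns 0 if it complies, 1 with a message otherwise.
dir_mode_ok() {
    local path=$1 want_uid=${2:-0} uid perm
    uid=$(stat -c %u "$path") || return 1
    perm=$(stat -c %A "$path") || return 1      # e.g. drwxr-xr-x
    if [ "$uid" -ne "$want_uid" ]; then
        echo "$path: owner uid $uid, expected $want_uid" >&2; return 1
    fi
    case $perm in                               # char 6 = group w, char 9 = other w
        ?????w*|????????w*) echo "$path: group/world writable ($perm)" >&2; return 1 ;;
    esac
    return 0
}

# Walk from the chroot directory up to / and apply dir_mode_ok to each
# component, which is exactly what sshd checks before chrooting.
check_chroot_path() {
    local p want_uid=${2:-0}
    p=$(readlink -f "$1") || return 1
    while :; do
        dir_mode_ok "$p" "$want_uid" || return 1
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Provision a chrooted, key-only sftp user from a public key file (run as root):
# nologin shell, root-owned chroot, user-owned upload/, authorized_keys with
# the restrictive modes sshd's StrictModes expects.
add_sftp_user() {
    local user=$1 pubkey=$2 chroot=$SFTP_ROOT/$user
    check_chroot_path "$SFTP_ROOT" || return 1
    useradd -g "$SFTP_GROUP" -s /sbin/nologin "$user" || return 1
    install -d -o root -g "$SFTP_GROUP" -m 0755 "$chroot"
    install -d -o "$user" -g "$SFTP_GROUP" -m 0755 "$chroot/upload"
    install -d -o "$user" -g "$SFTP_GROUP" -m 0700 "/home/$user/.ssh"
    install -o "$user" -g "$SFTP_GROUP" -m 0600 "$pubkey" "/home/$user/.ssh/authorized_keys"
    check_chroot_path "$chroot"                 # fail loudly before sshd does
}

# usage (as root): add_sftp_user test /root/.ssh/id_rsa.pub && sshd -t && systemctl restart sshd
```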


Origin blog.csdn.net/qq_34777982/article/details/134413485