I. Background
First, the production servers handle confidential data, so developers should not be logging in to them: an SSH login grants far more than is needed and is hard to control (code can be modified, the system configuration changed). The goal is to forbid developers from logging in over SSH while still letting them upload code files over FTP/SFTP.
Second, some modules of the project act as SFTP clients and upload files to a server; to develop and test those functions we need a working SFTP server.
II. Introduction to SFTP
SFTP stands for SSH File Transfer Protocol (commonly, if imprecisely, expanded as Secure File Transfer Protocol). It transfers files over an encrypted SSH channel.
1) The sftp client has almost the same command syntax and functionality as ftp
2) SFTP runs as a subsystem of SSH, so file transfer to the server inherits SSH's authentication and encryption
3) SFTP has no daemon of its own; the sshd daemon (default port 22) accepts the connection and starts the SFTP subsystem
4) Its security comes from SSH: the transport is encrypted and integrity-protected, and users authenticate with their SSH credentials (password or key)
5) OpenSSH already includes the SFTP subsystem (sftp-server / internal-sftp), so no additional package is required
III. Environment
Operating system: CentOS 7.5 Minimal
IP : 192.168.1.103
IV. Installing the software
# yum -y install openssh-server openssh-clients
# ssh -V
Compared with a traditional FTP server, SFTP is both more convenient and safer. Most systems install openssh-server by default, so usually only the configuration below is needed.
Note: openssh-server must be version 4.8p1 or newer, because the ChrootDirectory option used below was added in that release. CentOS 7.5 ships OpenSSH 7.4p1, which is fine.
V. Configuring SFTP
An SFTP account is simply an SSH account, that is, an operating-system account, and by default it has full access to the server. How do we confine an SFTP account the way an FTP account is confined?
1. Create a group dedicated to SFTP users
# groupadd sftp
2. Create a user test, add it to the sftp group, and give it a shell that cannot be used for an operating-system login
# useradd -G sftp -s /bin/false test
# passwd --stdin test <<< "Test@123"
/sbin/nologin works equally well as the shell; with internal-sftp (below) sshd never invokes the login shell at all. Note that a password passed on the command line like this ends up in the shell history; on a real server run passwd interactively, or better, use key-based authentication.
3. Edit the SSH configuration file
Comment out the line Subsystem sftp /usr/libexec/openssh/sftp-server and add the line Subsystem sftp internal-sftp.
Note: if the Subsystem line exists and is not commented out, SFTP is already enabled and every user who can log in over ssh can also use SFTP. The drawback of that default is that a user can cd / in the SFTP client and browse every file on the system.
Why use internal-sftp instead of the default sftp-server?
Because internal-sftp runs inside the sshd process itself. When a user is confined with ChrootDirectory it needs no support files inside the chroot (no shell, no sftp-server binary and no libraries), it performs slightly better, and it does not start a separate process for each sftp session.
# vim /etc/ssh/sshd_config
Put the Subsystem line in the main part of the file and append the Match block at the end: every directive after a Match line belongs to that block until the next Match, so anything placed below it would be applied conditionally.
################################################
Subsystem sftp internal-sftp
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
#################################################
Explanation of the directives:
########################################################
# Match on a user group; to match several groups, separate them with commas
Match Group sftp
# Confine the user to this directory; %h expands to the user's home directory, %u to the user name
ChrootDirectory %h
# Force the sftp subsystem for every session, regardless of what the client requests
ForceCommand internal-sftp
# Do not let the SFTP-only account use X11 or TCP port forwarding
X11Forwarding no
AllowTcpForwarding no
##########################################################
4. Change the permissions of the test user's home directory so that it belongs to root
# chown root:test /home/test
# chmod 750 /home/test
Make sure the SFTP user's root directory is owned by root with mode 750 or 755.
Observe the following two rules:
4.1 Every directory from the ChrootDirectory up to the system root / must be owned by root; the group does not have to be root.
4.2 No directory from the ChrootDirectory up to the system root / may be group-writable (or world-writable).
If the ChrootDirectory or any directory above it is not owned by root, or is writable by anyone else, sshd refuses the login and logs the error "bad ownership or modes for chroot directory".
Because the root of the chroot must not be writable by the user, create a subdirectory such as upload inside the ChrootDirectory for test to upload into. Its owner is test and its group is sftp; the owner has write permission and the group does not, so the mode is 700, 750 or 755.
With ChrootDirectory/upload at 700, 750 or 755 only the user test can upload. If other users in the sftp group should also be able to upload there, set the mode to 770.
# mkdir /home/test/upload
# chown test:sftp /home/test/upload
# chmod 750 /home/test/upload
Following the example above, pointing ChrootDirectory at some other location is straightforward.
Take ChrootDirectory /opt/sftp/chroot as an example:
# vim /etc/ssh/sshd_config
####################################
Subsystem sftp internal-sftp
Match Group sftp
ChrootDirectory /opt/sftp/chroot
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
####################################
# mkdir -p /opt/sftp/chroot
# mkdir -p /opt/sftp/chroot/upload
# chown root:test /opt/sftp/chroot
# chown test:sftp /opt/sftp/chroot/upload
# chmod 750 /opt/sftp/chroot
# chmod 700 /opt/sftp/chroot/upload
5. Restart the sshd service
# systemctl restart sshd
# systemctl status sshd
VI. Login and upload test
Login test: an interactive SSH login must be refused. Because of ForceCommand internal-sftp, sshd answers "This service allows sftp connections only." and closes the connection:
➤ ssh test@192.168.1.103
Upload test, from the client:
➤ sftp test@192.168.1.103
Uploading straight into the ChrootDirectory (the / the user lands in after login) fails with a permission error, because that directory is owned by root with mode 750.
Uploading into ChrootDirectory/upload succeeds.
Finally, verify on the server that the file arrived, and note its owner and group: test.
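The checks above can be scripted so they run after every configuration change instead of by hand. As an added example that is not part of the original post, the following client-side script drives sftp in batch mode and asserts four things: a shell/command request is refused, the chroot root is read-only, /upload accepts a file, and the host's real /etc/passwd is not visible inside the chroot. It assumes the test account uses key-based authentication with the server's host key already known (batch mode cannot answer prompts), that the upload directory is /upload inside the chroot, and it takes the host, user and port from the environment; those names and the --run flag are this example's assumptions.

```shell
#!/bin/sh
# sftp-chroot-test.sh: black-box test of the sftp-only account from a client.
# Added example, not from the original post. Assumptions: key-based auth for
# the account and a known host key (batch mode cannot answer prompts), the
# upload directory is /upload inside the chroot, host/user/port come from
# the environment.
HOST=${HOST:-192.168.1.103}
SFTP_USER=${SFTP_USER:-test}
PORT=${PORT:-22}
# Port is given as -o so the same options work for ssh and sftp
# (sftp's -p means "preserve timestamps", not port).
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=5 -o Port=$PORT"

# Feed a batch to sftp on stdin. In batch mode sftp aborts at the first
# failing command and exits non-zero, so the exit status is the verdict.
sftp_batch() {
  printf '%s\n' "$1" | sftp $SSH_OPTS -b - "$SFTP_USER@$HOST" >/dev/null 2>&1
}

# ForceCommand internal-sftp: a shell/command request must be refused
# (sshd prints "This service allows sftp connections only." and exits 1).
shell_is_denied() {
  ! ssh $SSH_OPTS "$SFTP_USER@$HOST" true >/dev/null 2>&1
}

# The chroot root is root-owned and not writable by the user.
root_is_readonly() {       # $1 = local probe file
  ! sftp_batch "put $1 /probe.txt"
}

# /upload is owned by the user: put, list and clean-up must all succeed.
upload_dir_is_writable() { # $1 = local probe file
  sftp_batch "put $1 /upload/probe.txt
ls -l /upload/probe.txt
rm /upload/probe.txt"
}

# The chroot hides the real filesystem: the host's /etc/passwd must not
# be listable (ls of a missing path aborts the batch).
chroot_hides_host() {
  ! sftp_batch "ls /etc/passwd"
}

# Run every check; the return value is the number of failed checks.
run_all() {
  probe=$1; failed=0
  for name in shell_is_denied root_is_readonly upload_dir_is_writable chroot_hides_host; do
    if "$name" "$probe"; then echo "PASS $name"; else echo "FAIL $name"; failed=$((failed + 1)); fi
  done
  return "$failed"
}

# Usage: HOST=192.168.1.103 SFTP_USER=test ./sftp-chroot-test.sh --run
if [ "${1:-}" = --run ]; then
  probe=$(mktemp)
  echo "sftp chroot probe $(date)" > "$probe"
  if run_all "$probe"; then rc=0; else rc=$?; fi
  rm -f "$probe"
  exit "$rc"
fi
```

The chroot_hides_host check is the one that catches a Match block that never applied (for example a Match placed above other directives, or a user missing from the sftp group): every other check can pass while the user still sees the whole filesystem.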
VII. References
Configuring SFTP on Linux (CentOS)
https://segmentfault.com/a/1190000008578734
Setting a custom port for sftp
http://www.voidcn.com/article/p-gmgqtfrv-ze.html
SFTP + OpenSSH + ChrootDirectory setup explained in detail
https://blog.zengrong.net/post/1616.html
OpenSSH SFTP server setup
https://caibaoz.com/blog/2013/04/27/sftp_config_for_openssh/#sftp_config_for_openssh_2.1
Configuring SFTP on Linux and restricting user access
https://blog.csdn.net/yanzhenjie1003/article/details/70184221
Building an SFTP server on Linux CentOS 6.6
https://blog.csdn.net/xinxin19881112/article/details/46831311
Installing and configuring sftp
https://blog.51cto.com/cmdschool/1771670
How to configure a Linux user that cannot log in over ssh but can log in over sftp
https://blog.csdn.net/qq_35440678/article/details/52788808
Configuring a Linux user that is denied ssh login but allowed sftp login
https://blog.51cto.com/moerjinrong/2149837
ssh/sftp configuration and permission settings on Linux
https://my.oschina.net/sallency/blog/784022
OpenSSH: Difference between internal-sftp and sftp-server
https://serverfault.com/questions/660160/openssh-difference-between-internal-sftp-and-sftp-server
Secure chroot() remote file access via SFTP and SSH
https://blog.famzah.net/2011/02/03/secure-chroot-remote-file-access-via-sftp-and-ssh
What is AWS Transfer for SFTP?
https://docs.aws.amazon.com/zh_cn/transfer/latest/userguide/what-is-aws-transfer-for-sftp.html
Installing and configuring the sftp plugin for Sublime Text 3
https://blog.csdn.net/pheona1990/article/details/52092799