Set up an SFTP server that gives one or more users rwx permissions on one or more directories

1. Introduction

SFTP provides an encrypted channel for transferring files over an untrusted network, and its command syntax and functionality are almost the same as FTP's. SFTP is part of SSH and is a secure way to transfer files to a server. The SSH package already contains an SFTP (Secure File Transfer Protocol) subsystem for secure file transfer; SFTP has no daemon of its own and relies on the sshd daemon (default port 22) to accept connections and answer requests, so in a sense SFTP is not a server program but rather a client program. Because both the authentication information and the data are transmitted encrypted, SFTP is very safe to use. However, since the transfer is encrypted and decrypted, its transfer efficiency is much lower than that of regular FTP; if you have higher requirements for network security, use SFTP instead of FTP.

2. Preparation for setting up SFTP

OS: CentOS / RHEL 6.7

OpenSSH version 4.8 or later

Objective: each user can access only one or more specific directories. (User kunlun has rwx access to directories A and B; user kunlunsun has rwx access to directories C and B.)


#ssh -V   # view the OpenSSH version

3. Create users and groups

#groupadd sftp

#useradd -g sftp -s /bin/false kunlun   # /bin/false gives no login shell, so the user can only log in via sftp

#passwd kunlun

#useradd -g sftp -s /bin/false kunlunsun

#passwd kunlunsun

Create one group per directory (each group manages access to its directory and holds the users authorized for it)

#groupadd A

#groupadd B

#groupadd C


4. Create the directories to be accessed

#mkdir -p  /Data/SFTP/A/

#mkdir -p  /Data/SFTP/B/

#mkdir -p  /Data/WEB/C/


5. Configure the SFTP server

Note: because of the relationship between SFTP and SSH described above, the SFTP server is configured in the sshd configuration file.

#vim /etc/ssh/sshd_config   # open the configuration file

#Subsystem sftp /usr/libexec/openssh/sftp-server   # comment out this line

Subsystem sftp internal-sftp
Match Group sftp
ChrootDirectory /Data/
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no

NOTE: the ChrootDirectory /Data/ must be owned by user root and group root (sshd also refuses the chroot if the directory or any of its parent directories is writable by group or others).

You can view the owner (user) and group of /Data with getfacl /Data


6. Add the users to the groups that grant access to each directory

#usermod -a -G A kunlun   # add the user to the group that grants access to directory A

#usermod -a -G B kunlun

#usermod -a -G B kunlunsun

#usermod -a -G C kunlunsun


7. Set the owner and group of each directory

============== Authorization for user kunlun ==============
#chown kunlun:A /Data/SFTP/A/
#chmod 770 /Data/SFTP/A/   # owner and group rwx, no access for others

#chown kunlun:B /Data/SFTP/B/
#chmod 770 /Data/SFTP/B/
============== Authorization for user kunlunsun ==============

#chown kunlunsun:C /Data/WEB/C/
#chmod 770 /Data/WEB/C/

NOTE: directory B was already authorized above for user kunlun, so for kunlunsun it is enough to add that user to group B (this was done in step 6).

Check the owner, group and permissions of the B/ or A/ directory with getfacl /Data/SFTP/B/ or getfacl /Data/SFTP/A/

Tested personally: after the above operations, each user has rwx permissions on the appropriate directories.
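As an added check for steps 4 to 7 above (example script written for this page, not part of the original post), the following POSIX shell verifies the two things that most often break this setup: the ChrootDirectory ownership rule that sshd enforces, and the 770 owner:group mode on each shared directory. It assumes the paths and names from the post (/Data, kunlun, kunlunsun, groups A/B/C) and GNU `stat` as found on CentOS.

```shell
#!/bin/sh
# Added example, not from the original post: two checks for the setup above.
# 1. sshd rejects a chrooted sftp login unless the ChrootDirectory and every
#    parent directory are owned by root and not writable by group or others.
# 2. Each shared directory (A/, B/, C/) should be mode 770 with the intended
#    owner:group, so that only members of that directory's group can enter.
# Paths follow the post; `stat -c` is the GNU form used on CentOS.

# chroot_component_ok UID MODE: succeeds if a path component is acceptable
# for ChrootDirectory. MODE is the octal string from `stat -c %a` (755, 1777).
chroot_component_ok() {
  uid=$1
  perms=$(printf '%s' "$2" | tail -c 3)   # drop the setuid/setgid/sticky digit
  g=${perms#?}; g=${g%?}                   # group digit
  o=${perms#??}                            # others digit
  [ "$uid" -eq 0 ] && [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# check_chroot_path DIR: walk from DIR up to / and check every component;
# prints the first offending one and returns 1, as sshd would refuse it.
check_chroot_path() {
  p=$(cd "$1" && pwd -P) || return 1
  while :; do
    info=$(stat -c '%u %a' "$p") || return 1
    set -- $info
    if ! chroot_component_ok "$1" "$2"; then
      echo "not usable as ChrootDirectory: $p (uid=$1 mode=$2)" >&2
      return 1
    fi
    [ "$p" = / ] && return 0
    p=$(dirname "$p")
  done
}

# make_shared_dir OWNER GROUP DIR: step 4 and step 7 of the post for one
# directory; prints the resulting mode so it can be verified.
make_shared_dir() {
  mkdir -p "$3" && chown "$1:$2" "$3" && chmod 770 "$3" && stat -c %a "$3"
}

# Run with "apply" as root on the real host after editing sshd_config.
if [ "${1:-}" = apply ]; then
  check_chroot_path /Data && echo "/Data is acceptable as ChrootDirectory"
  make_shared_dir kunlun A /Data/SFTP/A
  make_shared_dir kunlun B /Data/SFTP/B
  make_shared_dir kunlunsun C /Data/WEB/C
fi
```

Without the `apply` argument the script only defines the functions, so it can be sourced and used to inspect an existing host before changing anything.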


Additional notes:

  Authorization via setfacl was tested and had no effect.

  This approach also feels easier to me personally; you are welcome to test it extensively. If there is an easier way, comments are welcome, and questions are welcome too; I will reply as soon as I see them.


Origin www.cnblogs.com/kunlunsun/p/11423915.html