SFTP: restricting the directory a user can access
1. Requirements
Users who log in over SFTP are confined to their own home directory, and login logging is enabled at INFO level.
2. Parameter analysis
- sshd_config file
# Subsystem. The -l (log level) and -f (syslog facility) options are documented in man sftp-server; internal-sftp accepts the same options.
Subsystem sftp internal-sftp -l INFO -f local5
# Match. Opens a conditional block: every directive that follows, up to the next Match line or the end of the file, applies only to connections that satisfy the criteria.
# man sshd_config lists the criteria as follows. Note that Match by itself does not stop matched users from logging in over ssh; it is the ForceCommand internal-sftp placed inside the block that denies them a shell.
The available criteria are User, Group, Host, LocalAddress, LocalPort, RDomain, and Address (with RDomain representing the rdomain(4) on which the connection was received).
# ChrootDirectory. Two constraints apply, quoted from man sshd_config:
Specifies the pathname of a directory to chroot(2) to after authentication. At session startup sshd(8) checks that all components of
the pathname are root-owned directories which are not writable by any other user or group.
So the directory named by ChrootDirectory must satisfy:
1. Every component of the path, from the chroot directory itself all the way up to /, must be owned by root. sshd walks the whole chain at session startup (the safely_chroot message in section 4 comes from that check), so a single parent directory that is not root-owned is enough to refuse the login.
2. No component may be writable by group or others, i.e. the 022 permission bits must be clear. 755 is the usual choice; the check only looks at those two write bits, so 750 or 655 pass as well. What matters to the SFTP user is that they get read and execute through the group or other bits, because root, not the user, owns the directory. This is enforced, not a recommendation.
A consequence worth planning for: since the chroot directory is root-owned and not writable by the user, the user cannot create files at the top level of what they see as /. If they need to upload anything, give them a subdirectory underneath it that they own.
3. Configuration
3.1 Restricting a single user to a directory
[root@node3 ~] # vi /etc/ssh/sshd_config   # edit the file
# override default of no subsystems
#Subsystem sftp /usr/libexec/sftp-server
# Use the in-process internal-sftp and log at INFO level to facility local5.
# Getting the sftp log lines to actually show up takes further steps that are not covered here:
# man sftp-server notes that inside a chroot the server can only log if syslogd provides a log socket (/dev/log) under the chroot directory.
Subsystem sftp internal-sftp -l INFO -f local5
LogLevel INFO   # INFO-level sshd logging (this is also the default)
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
# Restrict just this one user. Keep Match blocks at the very end of the file (see section 4), and put explanations on their own comment lines: sshd does not support trailing comments on directive lines.
Match User shiliang
        ChrootDirectory /home/%u   # %u expands to the user name; the directory must satisfy the two ChrootDirectory constraints from section 2
        ForceCommand internal-sftp
[root@node3 ~] # chown root.shiliang /home/shiliang   # the chroot directory must be root-owned; shiliang keeps read and execute access through the group, but can no longer write directly under the home directory
[root@node3 home] # ll -d /home
drwxr-xr-x. 7 root root 78 Apr 20 09:36 /home
[root@node3 home] # ll -d /home/shiliang
drwxr-xr-x. 3 root shiliang 128 Aug 9 2021 /home/shiliang
[root@node3 home] # chmod 755 /home/shiliang   # no group/other write bits
Test
[root@harbor-host ~]# sftp shiliang@10.36.113.198   # test: the restricted user
shiliang@10.36.113.198's password:
Connected to 10.36.113.198.
sftp> pwd
Remote working directory: /
sftp> cd /home
Couldn't stat remote file: No such file or directory
pwd reports / because the chroot has made /home/shiliang the root of everything the user can see, and there is no /home inside it.
[root@harbor-host ~]# sftp shiliang2@10.36.113.198   # test: an unrestricted user, for comparison
shiliang2@10.36.113.198's password:
Connected to 10.36.113.198.
sftp> ls
sftp> pwd
Remote working directory: /home/shiliang2
sftp> ls
sftp> cd /home/
sftp> cd /
sftp> ls
aaa bin boot cunchu data datavolume3 dev etc home lib lib64 media mnt opt
proc root run sbin srv sys test1.db tmp usr var vol100
sftp>
3.2 Restricting several users to a specific directory
[root@node3 ~] # vi /etc/ssh/sshd_config   # edit the file; this block again goes at the end of the file. The Match User block from 3.1 was removed for this test, as the unrestricted login by shiliang below shows.
Match Group sftpgroup
        ChrootDirectory /home/sftp/%u
        ForceCommand internal-sftp
[root@node3 home] # groupadd sftpgroup
[root@node3 home] # chown root.sftpgroup /home/sftp/
[root@node3 home] # chmod 755 /home/sftp/
[root@node3 home] # ll -d /home/sftp/
drwxr-xr-x. 2 root sftpgroup 6 Apr 20 10:06 /home/sftp/
[root@node3 home] # usermod -G sftpgroup shiliang2   # caution: -G without -a replaces all of the user's supplementary groups; use usermod -aG for accounts that already belong to other groups
[root@node3 home] # id shiliang2
uid=1026(shiliang2) gid=1029(shiliang2) groups=1029(shiliang2),1030(sftpgroup)
[root@node3 home] # systemctl restart sshd
[root@node3 home] # mkdir /home/sftp/shiliang2   # the per-user chroot directory. It is created only here, after the restart, which is what caused the Broken pipe error in section 4. Created by root with the usual umask of 022 it is root:root 755, which satisfies the constraints, but it is therefore not writable by shiliang2.
[root@node3 home] # cd /home/sftp/shiliang2/
[root@node3 shiliang2] # ls
[root@node3 shiliang2] # touch 1   # created as root, so that the test below has something to list
[root@harbor-host ~]# sftp shiliang2@10.36.113.198   # test: a member of the restricted group
shiliang2@10.36.113.198's password:
Connected to 10.36.113.198.
sftp> pwd
Remote working directory: /
sftp> ls
sftp> ls
sftp> ls
1
shiliang2 sees /home/sftp/shiliang2 as /; the only entry is the file 1 created by root, and the user cannot create anything at this level because the directory is root-owned.
[root@harbor-host ~]# sftp shiliang@10.36.113.198   # test: a user outside the group
shiliang@10.36.113.198's password:
Connected to 10.36.113.198.
sftp> ls
test-dir test1
sftp> pwd
Remote working directory: /home/shiliang
sftp> ls
test-dir test1
sftp> cd /home/
sftp> cd /
sftp> ls
aaa bin boot cunchu data datavolume3 dev etc home lib lib64 media mnt opt
proc root run sbin srv sys test1.db tmp usr var vol100
sftp>
3.3 Summary
Three things have to line up for the restriction to work: the sftp subsystem is internal-sftp, so no binaries are needed inside the chroot; the Match block (User or Group) sits at the end of sshd_config, sets ChrootDirectory and forces internal-sftp; and every directory on the path named by ChrootDirectory is root-owned, has no group/other write bits, and exists before the user connects. Users that match are confined to that directory and get no shell; users that do not match keep full access, as the two comparison logins show.
4. Troubleshooting
Error: Starting sshd:/etc/ssh/sshd_config line 115: Directive 'Subsystem' is not allowed within a Match block
# Answer: a Match line opens a block that extends to the next Match line or the end of the file, so a Subsystem directive written below a Match block is parsed as part of that block, and Subsystem is only valid at global scope. Keep every global directive (Subsystem, Port, ListenAddress and the like) above the first Match, which in practice means putting the Match blocks at the very end of the file, and run sshd -t before restarting the service.
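The following linter is an added example, not something from the original post. It makes the scoping rule behind this error concrete: it walks an sshd_config file, remembers where each Match block starts, and reports directives that sshd only accepts at global scope when they appear below a Match line. The keyword list is a partial one (assumption: the directives it names are global-only in current OpenSSH), and the sample configuration it lints is constructed for the demonstration; sshd -t -f FILE remains the authoritative check.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Reports global-only sshd
# directives that have ended up inside a Match block. Assumes bash and POSIX
# tools; the keyword list below is partial (an assumption about current
# OpenSSH), so treat "sshd -t -f FILE" as the final word.
set -u

# Directives sshd refuses inside a Match block (partial, lower-cased).
GLOBAL_ONLY=' subsystem port listenaddress hostkey addressfamily usepam ciphers macs kexalgorithms '

# lint_match_scope FILE
# Prints one line per misplaced directive and returns 1 if any were found.
lint_match_scope() {
    local file=$1 line n=0 in_match=0 match_line=0 bad=0 key lkey
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line#"${line%%[![:space:]]*}"}     # drop leading whitespace
        case $line in ''|'#'*) continue ;; esac   # blank line or full-line comment
        key=${line%%[[:space:]=]*}                # keyword of "Key value" or "Key=value"
        lkey=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$lkey" = match ]; then
            in_match=1
            match_line=$n
            continue
        fi
        if [ "$in_match" -eq 1 ]; then
            case $GLOBAL_ONLY in
                *" $lkey "*)
                    echo "line $n: $key is not allowed in the Match block that starts at line $match_line"
                    bad=1 ;;
            esac
        fi
    done < "$file"
    return "$bad"
}

# write_sample_config FILE
# Constructed sample reproducing the post's mistake: the Subsystem line was
# appended below the Match block instead of above it.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real sshd_config
LogLevel INFO
Match User shiliang
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
Subsystem sftp internal-sftp -l INFO -f local5
EOF
}

# Demo: lint the constructed sample.
sample=$(mktemp)
write_sample_config "$sample"
lint_match_scope "$sample" || echo "fix: move that line above the first Match, i.e. keep Match blocks at the end of the file"
rm -f "$sample"
```

The linter deliberately does not move lines around: a directive found below a Match line may have been meant either globally or for that block, and only the person editing the file knows which. Wire it into whatever generates sshd_config (config management, a pre-commit hook) where a real sshd is not available to run sshd -t.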
packet_write_wait: Connection to 10.36.113.198 port 22: Broken pipe
Couldn't read packet: Connection reset by peer
Answer: tail /var/log/messages on the server shows that the ChrootDirectory for this user did not exist yet; sshd refuses the session rather than creating the directory:
Apr 20 10:09:34 node3 sshd[12717]: fatal: safely_chroot: stat("/home/sftp/shiliang2"): No such file or directory
The same log is the place to look when the directory exists but fails the ownership or mode check from section 2; sshd then reports fatal: bad ownership or modes for chroot directory component "..." naming the offending component.