[root@iZ23ak12ta7Z ~]# groupadd sftp_users --创建专属用户组
[root@iZ23ak12ta7Z ~]# useradd -G sftp_users -s /sbin/Nologin sftp_user --创建sftp用户,限制ssh登录,分配归属组
[root@iZ23ak12ta7Z ~]# passwd sftp_user --修改密码
Changing password for user sftp_user.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@iZ23ak12ta7Z ~]# cd /var/run
[root@iZ23ak12ta7Z run]# more sshd.pid --查看ssh的守护进程
3727
[root@iZ23ak12ta7Z run]# more ntpd.pid
1603
[root@iZ23ak12ta7Z run]# cd /etc/init.d/
[root@iZ23ak12ta7Z init.d]# vi /etc/ssh/sftpod_config --新建sftp配置文件
Port 9022 --分配端口 Protocol 2 AddressFamily inet SyslogFacility AUTHPRIV LogLevel INFO PermitRootLogin no RSAAuthentication no PubkeyAuthentication no RhostsRSAAuthentication no HostbasedAuthentication no PasswordAuthentication yes PermitEmptyPasswoRDS no ChallengeresponseAuthentication no KerberosAuthentication no GSSAPIAuthentication no UsePAM no PidFile /var/run/sftpod.pid ChrootDirectory %h --登录后限制在根目录 or ChrootDirectory /alidata/sftpFinance/%u Subsystem sftp internal-sftp
[root@iZ23ak12ta7Z init.d]# touch /var/run/sftpod.pid
[root@iZ23ak12ta7Z init.d]# vi /var/run/sftpod.pid
[root@iZ23ak12ta7Z init.d]# vi /etc/init.d/sftpod
#!/bin/bash # # chkconfig: 35 60 25 # description: OpenSSH chrooted sftp only daemon # # Note that /usr/sbin/sftpod is simply a symlink to /usr/sbin/sshd; # You are going to need to CREATE that symlink before using this script. # pidfile='/var/run/sftpod.pid' case "${1}" in start ) exec -a /usr/sbin/sftpod /usr/sbin/sshd -f /etc/ssh/sftpod_config ;; stop ) kill -9 $(cat ${pidfile}) ;; restart) ${0} stop sleep 3 ${0} start ;; * ) echo "Usage: ${0} (start|stop|restart)" ;; esac exit 0
[root@iZ23ak12ta7Z init.d]# chkconfig --list
sshd 0:关闭1:关闭2:启用3:启用4:启用5:启用6:关闭 syslog 0:关闭1:关闭2:启用3:启用4:启用5:启用6:关闭 sysstat 0:关闭1:关闭2:启用3:启用4:启用5:启用6:关闭 vsftpd 0:关闭1:关闭2:关闭3:关闭4:关闭5:关闭6:关闭 winbind 0:关闭1:关闭2:关闭3:关闭4:关闭5:关闭6:关闭 xfs 0:关闭1:关闭2:启用3:启用4:启用5:启用6:关闭
[root@iZ23ak12ta7Z init.d]# chkconfig --add sftpod
[root@iZ23ak12ta7Z init.d]# /etc/init.d/sftpod start
[root@iZ23ak12ta7Z init.d]# ps aux | grep sftpod
root 4519 0.0 0.0 62632 1148 ? Ss 10:56 0:00 /usr/sbin/sftpod -f /etc/ssh/sftpod_config
root 4523 0.0 0.0 63432 796 pts/1 S+ 10:56 0:00 grep sftpod
[root@iZ23ak12ta7Z init.d]# chkconfig --list
rawdevices 0:关闭1:关闭2:关闭3:关闭4:关闭5:关闭6:关闭 rDISC 0:关闭1:关闭2:关闭3:关闭4:关闭5:关闭6:关闭 restorecond 0:关闭1:关闭2:关闭3:关闭4:关闭5:关闭6:关闭 rpcgssd 0:关闭1:关闭2:关闭3:启用4:启用5:启用6:关闭 rpcidmapd 0:关闭1:关闭2:关闭3:启用4:启用5:启用6:关闭 rpcsvcgssd 0:关闭1:关闭2:关闭3:关闭4:关闭5:关闭6:关闭 sftpod 0:关闭1:关闭2:关闭3:启用4:关闭5:启用6:关闭 smb 0:关闭1:关闭2:关闭3:关闭4:关闭5:关闭6:关闭
[root@iZ23ak12ta7Z init.d]# service sftpod start
[root@iZ23ak12ta7Z init.d]# ps aux | grep sftpod
root 4834 0.0 0.0 62632 1148 ? Ss 11:04 0:00 /usr/sbin/sftpod -f /etc/ssh/sftpod_config root 4846 0.0 0.0 63432 796 pts/1 S+ 11:04 0:00 grep sftpod
[root@iZ23ak12ta7Z init.d]# more /etc/passwd | grep sftp_user
sftp_user:x:508:510::/xxxx/xxxx/xxxx:/sbin/nologin
[root@iZ23ak12ta7Z init.d]
场景问题及解决办法
[root@iZ23am9cwvgZ sftpFinance]# mount -t nfs -o rw 10.174.107.216:/alidata/sftpFinance /alidata/sftpFinance mount.nfs: rpc.statd is not running but is required for remote locking. mount.nfs: Either use '-o nolock' to keep locks local, or start statd. mount.nfs: Operation not permitted [root@iZ23am9cwvgZ sftpFinance]# /sbin/service nfslock start [root@iZ23am9cwvgZ sftpFinance]#
fatal: bad ownership or modes for chroot directory "/alidata/sftpFinance/sftp_own" →chown -R root:root /alidata/sftpFinance/sftp_own
[root@iZ23xuh7nv7Z ~]# sftp -oPort=6022 sftp_ftpuser@120.xx.73.0 Connecting to 120.55.73.0... sftp_bill99@120.55.73.0's password: Read from remote host 120.55.73.0: Connection reset by peer Couldn't read packet: Connection reset by peer [root@iZ23xuh7nv7Z ~]# chmod -R 755 ftpuserFolder/ chmod a+trwx /home/public
ChrootDirectory目录必须是root用户所有,目录开始一直往上到系统根目录为止的目录拥有者都只能是 root,用户组可以不是 root, 权限是 750 或者 755
http://www.linuxquestions.org/questions/blog/anomie-152469/running-an-sftp-only-daemon-on-rhel5-3495/
- 上一篇: Hibernate前世
- 下一篇: 「砥砺阅读」之八《软技能:代码之外的生存指南》
评论
imitker
回复usermod -l developer -d /home/developer -m sftp_asyn_own
groupmod -n developer sftp_asyn_own
访客
回复ChrootDirectory目录必须是root用户所有,目录开始一直往上到系统根目录为止的目录拥有者都只能是 root,用户组可以不是 root, 权限是 750 或者 755
访客
回复@访客 向下的目录可以是非root用户
imitker
回复fatal: bad ownership or modes for chroot directory "/alidata/sftpFinance/sftp_own"
→chown -R root:root /alidata/sftpFinance/sftp_own
linux运维专家
回复usermod -a -G dba appuser
刘布斯
回复id appuser
newgrp sftp_users
刘相涛
回复chmod a trwx /home/public
imitker
回复chmod a+trwx /home/public
贝蒂斯橄榄油总代理
回复好完美~~~
themebetter
回复留个脚印,欢迎来themebetter问答讨论交流各种网站技术问题哦!