而不是使用...
ssh://[email protected]:1234/mnt/thing/usr/prj
我想用
ssh://[email protected]:1234/prj
我该怎么做?如果用户无法访问等等,/home
那就太好了。/var
我只需要这个来进行数据传输。
答案1
看看斯波利'shell' 并设置 chroot。
答案2
创建一个用户,其主目录为/prj
.
为用户创建一个~/.ssh/authorized_keys
文件,其中包含远程用户公钥,以及对可用命令和 ssh 选项的一些限制,例如:
command="/usr/bin/scp-wrapper",no-port-forwarding,no-X11-forwar
ding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQA
BAAABAQCblahblahblahblahblahblahblahblahblahblahblahblahblahbla
hblahblahblahblahblahblahblahblahblahblahblahblahblahblahblahbl
ahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblahb
lahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah
blahblahblahblahblahblahblahblahblahblahblahblahblahblahblahbla
hblahblahblahblahblahblahblahblahB [email protected]
使其尽可能受到限制。
然后您需要为 scp 创建包装器。像下面这样简单的方法就可以工作,但是在生产中使用它之前,您需要添加更多安全意识检查和测试。
#!/usr/bin/env bash
$SSH_ORIGINAL_COMMAND
这只是可能性的一个例子。在这种情况下,完整的 scp 命令被捕获在环境变量中$SSH_ORIGINAL_COMMAND
,但由于您无法在command=
文件的子句中指定带有参数的命令.authorized_keys
,因此您需要包装器。
用户可能仍然可以访问粘性公共目录,例如 /tmp,但他们无法在 /var 或 /home 周围漫游。
他们可能能够从您的服务器上获取文件,但您可以用 来包装所有这些chroot
,并以最小的努力更加保护系统。