“重定向”ssh 路径?

“重定向”ssh 路径?

而不是使用...

ssh://[email protected]:1234/mnt/thing/usr/prj

我想用

ssh://[email protected]:1234/prj

我该怎么做?如果用户无法访问等等,/home那就太好了。/var我只需要这个来进行数据传输。

答案1

看看斯波利'shell' 并设置 chroot。

答案2

创建一个用户,其主目录为/prj.

为用户创建一个~/.ssh/authorized_keys文件,其中包含远程用户公钥,以及对可用命令和 ssh 选项的一些限制,例如:

command="/usr/bin/scp-wrapper",no-port-forwarding,no-X11-forwar
ding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQA
BAAABAQCblahblahblahblahblahblahblahblahblahblahblahblahblahbla
hblahblahblahblahblahblahblahblahblahblahblahblahblahblahblahbl
ahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblahb
lahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah
blahblahblahblahblahblahblahblahblahblahblahblahblahblahblahbla
hblahblahblahblahblahblahblahblahB [email protected]

使其尽可能受到限制。

然后您需要为 scp 创建包装器。像下面这样简单的方法就可以工作,但是在生产中使用它之前,您需要添加更多安全意识检查和测试。

#!/usr/bin/env bash

$SSH_ORIGINAL_COMMAND

这只是可能性的一个例子。在这种情况下,完整的 scp 命令被捕获在环境变量中$SSH_ORIGINAL_COMMAND,但由于您无法在command=文件的子句中指定带有参数的命令.authorized_keys,因此您需要包装器。

用户可能仍然可以访问粘性公共目录,例如 /tmp,但他们无法在 /var 或 /home 周围漫游。

他们可能能够从您的服务器上获取文件,但您可以用 来包装所有这些chroot,并以最小的努力更加保护系统。

相关内容