我想将一组用户关进监狱,让他们只能/var/www/mysitename.com通过个人方式访问某个目录sftp。我也不想提供 shell 访问权限。
答案1
您可以尝试以下方法:
Match Group group-name
ForceCommand internal-sftp
ChrootDirectory /var/www/mysitename.com
在/etc/ssh/sshd_config。
来自手册页:
ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after
authentication. All components of the pathname must be root-
owned directories that are not writable by any other user or
group. After the chroot, sshd(8) changes the working directory
to the user's home directory. [...]
ForceCommand
Forces the execution of the command specified by ForceCommand,
ignoring any command supplied by the client and ~/.ssh/rc if
present. [...] Specifying a command of “internal-sftp” will
force the use of an in-process sftp server that requires no
support files when used with ChrootDirectory.
这些条件要求:
- 路径中的每个目录都
/var/www/mysitename.com必须由 root 拥有,并且其他人或 root 都无法写入。 - 该组中的所有用户都有主目录
/(root),否则chroot将失败。
或者,您可以设置ChrootDirectory为/var/www,并将所有这些用户的主目录设置为/mysitename.com。
相关阅读:
- Arch 维基入口。