Proftpd: connecting with a public key only


My requirement is a custom proftpd docker image that any user can use. The user will run a docker container from that image and, at run time, mount a mount path into docker. The mount path will contain the public key the user will use. The user will not provide the private key. The user generates the public and private key like this:

$ ssh-keygen -N "" -f /home/user/.ssh/id_rsa

This should output the files id_rsa and id_rsa.pub.

The contents of the public key file id_rsa.pub are added to a file in the mount path (/mnt/blah/key), which is then mounted when the docker container is started. The docker image's entrypoint script looks like this:

#!/bin/sh
# Entrypoint: create the virtual user, install the mounted public key, start proftpd.
DIR=/home/proftpd
#PASSWD_KEY=/mnt/blah/passwd_key
PUB_KEY=/mnt/blah/key

# Baked into the image, so it is usable by anyone as long as password auth is enabled
PASSWORD=abcboom

echo "$PASSWORD" | /usr/bin/ftpasswd --passwd --file="$DIR/ftpd.passwd" --name=virtual --uid=1234 --gid=5678 --home="$DIR/" --shell=/bin/bash --stdin

# --member takes the member's user name (the AuthGroupFile lists names, not uids)
/usr/bin/ftpasswd --group --name=virtual --file="$DIR/ftpd.group" --gid=5678 --member=virtual

# Copy the mounted public key into the authorized_keys file read by mod_sftp
mkdir -p "$DIR/.ssh"
cat "$PUB_KEY" > "$DIR/.ssh/authorized_keys"
chmod 600 "$DIR/.ssh/authorized_keys"

proftpd -n -4 -c "$DIR/proftpd.conf" -d10

So basically the contents of /mnt/blah/key are written into the authorized_keys file. But since the requirement is that the user does not provide the contents of the private id_rsa file, is there a way to start the proftpd server without this information? I know the official proftpd documentation says the SFTPHostKey directive is required in the proftpd.conf file, and I have seen that it needs a private key file. Is there a way around this?

I have the following proftpd.conf file:

ServerName                      "ProFTPD Default Installation"
ServerType                      standalone
DefaultServer                   on
AuthUserFile                    /home/proftpd/ftpd.passwd
AuthGroupFile                   /home/proftpd/ftpd.group
AuthPAM                         off
PidFile                         /home/proftpd/proftpd.pid
ScoreboardFile                  /home/proftpd/proftpd.scoreboard
WtmpLog                         off

# Port 21 is the standard FTP port; this server listens on 2345 instead.
Port                           2345

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            proftpd
Group                           proftpd

# Normally, we want files to be overwriteable.
<Directory />
   AllowOverwrite                on
</Directory>

TraceLog                        /home/proftpd/trace.log
Trace                           DEFAULT:10

LoadModule mod_sftp.c
#LoadModule mod_sftp_pam.c

<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0>
    SFTPEngine ON
    SFTPAuthMethods password publickey
    RequireValidShell off
    Port 2360
    SFTPLog /home/proftpd/sftp.log
    SFTPCompression delayed
    SFTPHostKey /home/proftpd/.ssh/id_rsa ---> What to do here??
    SFTPAuthorizedUserKeys file:/home/proftpd/.ssh/authorized_keys
    SFTPOptions InsecureHostKeyPerms
    AuthUserFile /home/proftpd/ftpd.passwd
    AuthGroupFile /home/proftpd/ftpd.group
    AuthOrder mod_auth_file.c
</VirtualHost>
</IfModule>

Any help with this would be greatly appreciated!
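The SFTPHostKey question above turns on two keys that are unrelated: SFTPHostKey names the server's own private key (the SSH host identity a client sees and pins in known_hosts), while the mounted id_rsa.pub is the user's key and goes into the SFTPAuthorizedUserKeys file. The server never needs the user's id_rsa; it needs a host key of its own, which it can generate inside the container. The entrypoint below is an added example, not code from the original post or from the ProFTPD project: it generates the host key on first start, installs the mounted public key, and writes a mod_sftp fragment that allows publickey authentication only, so the password baked into the image cannot be used to log in. Paths /home/proftpd and /mnt/blah/key follow the post; the file names host_rsa_key and sftp.conf and the "start" argument are assumptions made here.

```shell
#!/bin/sh
# Added example (not the original post's entrypoint): keep the server host key
# and the user's key apart, and disable password logins.
# Paths from the post: /home/proftpd, /mnt/blah/key. Assumed names: host_rsa_key,
# sftp.conf, and the "start" argument that triggers the real entrypoint.
set -eu

# Generate the SERVER host key at $1 unless one already exists. Idempotent, so
# restarts keep the same host identity and clients' known_hosts stay valid.
# 0600 on the file means SFTPOptions InsecureHostKeyPerms is not needed.
ensure_host_key() {
    key=$1
    mkdir -p "$(dirname "$key")"
    if [ ! -f "$key" ]; then
        ssh-keygen -q -t rsa -b 3072 -N "" -f "$key"
    fi
    chmod 600 "$key"
}

# Install the mounted public key $1 as the SFTPAuthorizedUserKeys file $2.
# Every line of $1 must be an OpenSSH-format public key; an empty mount, a
# private key or junk is refused rather than installed. With ssh-keygen
# present the key is converted to RFC 4716, the format the SFTPAuthorizedUserKeys
# documentation describes; otherwise the line is copied unchanged.
install_authorized_keys() {
    src=$1 dst=$2
    if [ ! -s "$src" ] || grep -vqE '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$src"; then
        echo "refusing $src: not an OpenSSH public key" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dst")"
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -e -f "$src" > "$dst"
    else
        cp "$src" "$dst"
    fi
    chmod 600 "$dst"
}

# Write the mod_sftp vhost fragment to $1: $2 is the server host key, $3 the
# authorized keys file. "SFTPAuthMethods publickey" (no "password") makes the
# mounted key the only way in. The main proftpd.conf pulls it in with
#   Include /home/proftpd/sftp.conf
# after its LoadModule mod_sftp.c line.
write_sftp_conf() {
    cat > "$1" <<EOF
<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0>
    SFTPEngine on
    Port 2360
    SFTPLog /home/proftpd/sftp.log
    SFTPHostKey $2
    SFTPAuthorizedUserKeys file:$3
    SFTPAuthMethods publickey
    RequireValidShell off
    AuthUserFile /home/proftpd/ftpd.passwd
    AuthGroupFile /home/proftpd/ftpd.group
    AuthOrder mod_auth_file.c
</VirtualHost>
</IfModule>
EOF
}

# The entrypoint proper runs only as "entrypoint.sh start", so the functions
# above can be sourced or exercised without starting the server. The ftpasswd
# steps from the post (creating the "virtual" user and group) go here as well.
if [ "${1:-}" = start ]; then
    ensure_host_key /home/proftpd/.ssh/host_rsa_key
    install_authorized_keys /mnt/blah/key /home/proftpd/.ssh/authorized_keys
    write_sftp_conf /home/proftpd/sftp.conf \
        /home/proftpd/.ssh/host_rsa_key /home/proftpd/.ssh/authorized_keys
    exec proftpd -n -4 -c /home/proftpd/proftpd.conf
fi
```

Nothing in this flow copies or reads the user's private key: the only private key on the server is the host key, generated locally, and the only thing the user hands over is id_rsa.pub. If a client is still rejected after this, sftp.log is the place to look, and the format of the installed key file is the first thing to check.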
