我需要以 root 身份运行 SFTP 文件服务器二进制文件,但不允许直接 root 登录。
在 WinSCP 中,如果我在 SFTP 服务器协议选项上使用“默认”,一切都会按预期工作。
按照WinSCP 中的 sudo,我在 /etc/sudoers 中添加了“adminuser ALL = NOPASSWD: /usr/sbin/proftpd”。然后,我尝试在 SFTP 服务器协议选项上使用“sudo /usr/sbin/proftpd”(它在命令行上运行而没有任何提示),但它显示“无法初始化 SFTP 协议。主机是否正在运行 SFTP 服务器?”
如果我使用“adminuser ALL = NOPASSWD: /bin/su”并将 WINSCP 设置为 SCP 而不是 SFTP,我就可以访问服务器,并且它可以正常工作,具有 root 权限。
由于后者的 sudoers 配置过于仁慈,我想使用 SFTP 而不是 SCP,因为它允许更严格的 sudo 设置(只有 proftpd 可以以 root 身份运行)。
如何在 ProFTPd 的 SFTP 模式下将 sudo 与 WinSCP 结合使用?
- WinSCP 4.3.7 图形用户界面
- 协议:SFTP-3
- CentOS 6.2
- Webmin/Virtualmin(当前版本)
PS:仅允许基于证书的登录
. 2012-06-17 11:05:56.998 --------------------------------------------------------------------------
. 2012-06-17 11:05:56.998 WinSCP Version 4.3.7 (Build 1679) (OS 6.1.7601 Service Pack 1)
. 2012-06-17 11:05:56.998 Configuration: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\
. 2012-06-17 11:05:56.999 Login time: Sunday, June 17, 2012 11:05:56 AM
. 2012-06-17 11:05:56.999 --------------------------------------------------------------------------
. 2012-06-17 11:05:56.999 Session name: KVM1 (Modified stored session)
. 2012-06-17 11:05:57.047 Host name: mykvm.com (Port: 22)
. 2012-06-17 11:05:57.048 User name: adminuser (Password: No, Key file: Yes)
. 2012-06-17 11:05:57.048 Tunnel: No
. 2012-06-17 11:05:57.048 Transfer Protocol: SFTP (SCP)
. 2012-06-17 11:05:57.048 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec
. 2012-06-17 11:05:57.048 Proxy: none
. 2012-06-17 11:05:57.048 SSH protocol version: 2; Compression: Yes
. 2012-06-17 11:05:57.048 Bypass authentication: No
. 2012-06-17 11:05:57.048 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: No
. 2012-06-17 11:05:57.048 Ciphers: aes,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2012-06-17 11:05:57.048 SSH Bugs: -,-,-,-,-,-,-,-,-
. 2012-06-17 11:05:57.048 SFTP Bugs: -,-
. 2012-06-17 11:05:57.048 Return code variable: Autodetect; Lookup user groups: Yes
. 2012-06-17 11:05:57.048 Shell: default
. 2012-06-17 11:05:57.048 EOL: 0, UTF: 2
. 2012-06-17 11:05:57.048 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
. 2012-06-17 11:05:57.048 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2012-06-17 11:05:57.048 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2012-06-17 11:05:57.048 Cache directory changes: Yes, Permanent: Yes
. 2012-06-17 11:05:57.048 DST mode: 1
. 2012-06-17 11:05:57.048 --------------------------------------------------------------------------
. 2012-06-17 11:05:57.113 Looking up host "mykvm.com"
. 2012-06-17 11:05:57.132 Connecting to xxx.xxx.128.59 port 22
. 2012-06-17 11:05:57.499 Server version: SSH-2.0-OpenSSH_5.3
. 2012-06-17 11:05:57.499 Using SSH protocol version 2
. 2012-06-17 11:05:57.499 We claim version: SSH-2.0-WinSCP_release_4.3.7
. 2012-06-17 11:05:57.679 Server supports delayed compression; will try this later
. 2012-06-17 11:05:57.679 Doing Diffie-Hellman group exchange
. 2012-06-17 11:05:58.077 Doing Diffie-Hellman key exchange with hash SHA-1
. 2012-06-17 11:05:58.498 Host key fingerprint is:
. 2012-06-17 11:05:58.498 ssh-rsa 2048 bd:e4:34:b1:d4:69:d6:4e:e4:26:04:8b:b7:b3:de:c3
. 2012-06-17 11:05:58.498 Initialised AES-256 SDCTR client->server encryption
. 2012-06-17 11:05:58.498 Initialised HMAC-SHA1 client->server MAC algorithm
. 2012-06-17 11:05:58.498 Initialised AES-256 SDCTR server->client encryption
. 2012-06-17 11:05:58.498 Initialised HMAC-SHA1 server->client MAC algorithm
. 2012-06-17 11:05:58.922 Reading private key file "D:\id_rsa.ppk"
! 2012-06-17 11:05:58.924 Using username "adminuser".
. 2012-06-17 11:05:59.550 Offered public key
. 2012-06-17 11:05:59.743 Offer of public key accepted
! 2012-06-17 11:05:59.743 Authenticating with public key "masterkey for admin"
. 2012-06-17 11:05:59.764 Prompt (3, SSH key passphrase, , Passphrase for key "masterkey for admin": )
. 2012-06-17 11:06:02.938 Sent public key signature
. 2012-06-17 11:06:03.352 Access granted
. 2012-06-17 11:06:03.352 Initiating key re-exchange (enabling delayed compression)
. 2012-06-17 11:06:03.765 Doing Diffie-Hellman group exchange
. 2012-06-17 11:06:03.955 Doing Diffie-Hellman key exchange with hash SHA-1
. 2012-06-17 11:06:04.410 Initialised AES-256 SDCTR client->server encryption
. 2012-06-17 11:06:04.410 Initialised HMAC-SHA1 client->server MAC algorithm
. 2012-06-17 11:06:04.410 Initialised zlib (RFC1950) compression
. 2012-06-17 11:06:04.410 Initialised AES-256 SDCTR server->client encryption
. 2012-06-17 11:06:04.410 Initialised HMAC-SHA1 server->client MAC algorithm
. 2012-06-17 11:06:04.410 Initialised zlib (RFC1950) decompression
. 2012-06-17 11:06:04.839 Opened channel for session
. 2012-06-17 11:06:05.247 Started a shell/command
. 2012-06-17 11:06:05.253 --------------------------------------------------------------------------
. 2012-06-17 11:06:05.253 Using SFTP protocol.
. 2012-06-17 11:06:05.253 Doing startup conversation with host.
> 2012-06-17 11:06:05.259 Type: SSH_FXP_INIT, Size: 5, Number: -1
. 2012-06-17 11:06:05.354 Server sent command exit status 0
. 2012-06-17 11:06:05.354 Disconnected: All channels closed
* 2012-06-17 11:06:05.380 (ESshFatal) Connection has been unexpectedly closed. Server sent command exit status 0.
* 2012-06-17 11:06:05.380 Cannot initialize SFTP protocol. Is the host running a SFTP server?
答案1
如果您已经通过 SSH-2.0-OpenSSH_5.3 获得 ssh/scp/sftp 访问权限,则无需尝试设置另一个守护进程。