I'll freely admit it: I'm a novice server administrator, and I want to give someone access to my server to help me with a project. Let's call this person "joe". I'd like joe to be able to access only one directory over SSH, with no root access. (If I can't lock him into a directory, I'm open to other ideas. Maybe SFTP only.)
I've come across tutorials on adding users and granting access in /etc/ssh/sshd_config, but I'm not sure whether I should be taking more security precautions. I don't want to open up a hole, or lock things down so tightly that the user keeps complaining about permission problems.
Any advice on how to set up the user correctly as described?
Answer 1
You can use the ChrootDirectory option from newer versions of OpenSSH:
$ man sshd_config
[...]
ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not
writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.
The pathname may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal
'%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user.
The ChrootDirectory must contain the necessary files and directories to support the user's session. For an interactive session this requires at least
a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices. For file
transfer sessions using “sftp”, no additional configuration of the environment is necessary if the in-process sftp server is used, though sessions
which use logging do require /dev/log inside the chroot directory (see sftp-server(8) for details).
The default is not to chroot(2).
[...]
But unless you're paranoid (you may well have good reason to be, I'm not judging), I would just give this person a normal shell account.
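As an added example (not part of the answer above), the following script checks the ChrootDirectory rule quoted from sshd_config(5), that every component of the chroot path is a root-owned directory not writable by group or others, and prints the Match block that confines a user to SFTP only. The function names, the /srv/sftp layout and the use of GNU stat (Linux) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes GNU stat (Linux).
# dir_is_safe DIR [OWNER_UID]: succeed if DIR is a directory owned by
# OWNER_UID (default 0 = root) with no group/other write bit; otherwise
# print the reason and fail. The uid parameter only exists so the check
# can be exercised on a scratch directory owned by a non-root user.
dir_is_safe() {
    dir=$1; want_uid=${2:-0}
    uid=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%A' "$dir")      # e.g. drwxr-xr-x (may carry a trailing + or .)
    case "$mode" in
        d*) ;;
        *) echo "$dir: not a directory"; return 1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected $want_uid"; return 1
    fi
    case "$mode" in
        d????w*|d???????w*) echo "$dir: writable by group or others ($mode)"; return 1 ;;
    esac
    return 0
}

# check_chroot_path PATH [OWNER_UID]: walk every component from / down to
# PATH, report each one that fails the rule, and return 1 if any did.
check_chroot_path() {
    target=$1; want_uid=${2:-0}
    rc=0; cur=""
    old_ifs=$IFS; IFS=/
    set -- $target                   # split "/srv/sftp/joe" into srv, sftp, joe
    IFS=$old_ifs
    dir_is_safe / "$want_uid" || rc=1
    for part; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        dir_is_safe "$cur" "$want_uid" || rc=1
    done
    return $rc
}

# sftp_only_match_block USER CHROOT: sshd_config fragment that chroots USER
# into CHROOT, forces the in-process SFTP server and disables forwarding.
sftp_only_match_block() {
    printf 'Match User %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# Demo (assumed layout): validate the path, then print the fragment to append to sshd_config.
if [ "${1:-}" = "--demo" ]; then
    check_chroot_path /srv/sftp/joe && sftp_only_match_block joe /srv/sftp/joe
fi
```

Because the chroot itself must not be writable by joe, give him a subdirectory inside it (for example /srv/sftp/joe/upload, owned by joe) to write into.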