SFTP Chroot Ubuntu 10.10

I am trying to give a user SFTP-only access to their home directory.

This is the user's /etc/passwd line:

bob:x:1003:1003::/home/bob:/bin/false

I edited the /etc/ssh/sshd_config file like this:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Match user bob
        AllowTcpForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

Then I restarted ssh: sudo service ssh restart

If I try sftp [email protected], everything works fine.

Then I tried to chroot bob into his home, so I added ChrootDirectory /home/bob in the right place:

Match user bob
        ChrootDirectory /home/bob
        AllowTcpForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

I changed the permissions on bob's home to:

drwxr-xr-x  3 root    root      4096 2014-02-27 13:13 bob

Now when I try sftp [email protected] the answer is:

Write failed: Broken pipe
Connection closed

My OpenSSH version is 1:5.5p1-4ubuntu6

Where am I going wrong??? How can I fix my problem???

EDIT: After some debugging, I found this error message:

bad ownership or modes for chroot directory component "/"

Answer 1

I think you just need to specify ChrootDirectory /home and it will automatically be replaced with /home/bob. Otherwise it will look into /home/bob/bob.

EDIT: Also make sure the chroot directory is owned by root and is not group-writable. If you need a writable directory, you need to create a subfolder:

chown root /home/bob
chmod go-w /home/bob
mkdir /home/bob/writeable
chown bob:sftponly /home/bob/writeable
chmod ug+rwX /home/bob/writeable

Answer 2

From the sshd_config manual (man sshd_config):

Specifies the pathname of a directory to chroot(2) to after authentication.  All components of the pathname must be root-owned directories that are not writable by any other user or group.

This works, because /home is owned by root and is not writable by other users:

Match user pippo
        ChrootDirectory /home
        AllowTcpForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

This way does not work, because ChrootDirectory /home/pippo is not owned by root and is writable by other users:

Match user pippo
        ChrootDirectory /home/pippo
        AllowTcpForwarding no
        X11Forwarding no
        ForceCommand internal-sftp
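A small check you can run before pointing ChrootDirectory at a path, added here as an example and not taken from the question or the answers: it walks every component of the path and applies the rule quoted from sshd_config(5) above (root-owned, not writable by group or others), reporting the first component sshd would reject. The helper names are hypothetical, and GNU stat (Ubuntu's coreutils) is assumed.

```shell
#!/bin/sh
# Added example: pre-flight check for a prospective ChrootDirectory.
# Not part of OpenSSH; mirrors the rule sshd enforces on every path component.
# Assumes GNU stat (-c '%u %a'), as shipped on Ubuntu.

# check_component DIR: returns 0 when DIR is owned by uid 0 and has no
# group-write or other-write bit set; returns 1 otherwise.
check_component() {
    set -- "$1" $(stat -c '%u %a' "$1" 2>/dev/null)  # $2 = uid, $3 = octal mode
    [ -n "$3" ] || return 1                            # stat failed
    [ "$2" -eq 0 ] || return 1                         # must be root-owned
    [ $(( 0$3 & 022 )) -eq 0 ] || return 1             # mask 022 = g+w / o+w
}

# check_chroot_path DIR: prints the first offending component in the wording
# sshd uses and returns 1; prints nothing and returns 0 when all components pass.
check_chroot_path() {
    resolved=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1"; return 2; }
    # Split the absolute path on "/" so each prefix can be checked in turn.
    oldifs=$IFS; IFS=/; set -- $resolved; IFS=$oldifs
    current=""
    # "/" is itself a component and is checked first, exactly as sshd does.
    check_component / || {
        echo "bad ownership or modes for chroot directory component \"/\""
        return 1; }
    for elem in "$@"; do
        [ -n "$elem" ] || continue
        current="$current/$elem"
        check_component "$current" || {
            echo "bad ownership or modes for chroot directory component \"$current\"" \
                 "(fix: chown root \"$current\" && chmod go-w \"$current\")"
            return 1; }
    done
    return 0
}

# Usage: sh chroot-check.sh /home/bob /home   (checks each directory given)
for d in "$@"; do
    check_chroot_path "$d"
done
```

Note that a directory under /tmp fails on the "/tmp" component itself (it is world-writable), which is the same reason the questioner's chroot into a bob-owned or group-writable /home/bob is refused.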
