I am trying to create a new user and restrict him to a single folder under /usr/local/. So I did some Google searching and followed these steps.
groupadd controlgroup1
cd /usr/local
mkdir controlfolder1
chmod g+rw controlfolder1/
chgrp -R controlgroup1 controlfolder1/
useradd control1
passwd control1
gpasswd -a control1 controlgroup1
I opened the file /etc/sshd_config and added the following at the end of the file:
Match Group controlgroup1
# Force the connection to use SFTP and chroot to the required directory.
ForceCommand internal-sftp
ChrootDirectory /usr/local/controlfolder1/
# Disable tunneling, authentication agent, TCP and X11 forwarding.
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
I restarted ssh with systemctl restart sshd.
Then, when I try to log in as the control1 user, I see this in the log file:
Accepted password for control1 from 192.168.1.8 port 52912 ssh2
May 5 14:12:47 localhost sshd[2639]: pam_unix(sshd:session): session opened for user control1 by (uid=0)
May 5 14:12:47 localhost sshd[2639]: fatal: bad ownership or modes for chroot directory component "/usr/local/controlfolder1/" [postauth]
May 5 14:12:47 localhost sshd[2639]: pam_unix(sshd:session): session closed for user control1
I have made sure that control1 is its owner.
ls -ld controlfolder1/
drwxrwxr-x. 2 control1 controlgroup1 6 May 5 13:58 controlfolder1/
I followed the steps, but ran into a new problem at "chown -R control1:controlgroup1 /usr/local/controlfolder1/control1". So this is different. I also want to grant ssh access, not only sftp access? I hope this clears up the duplicate flag.
Answer 1
The problem is that sshd requires the chroot directory to be owned by root and to be writable only by root. So you have to set control1's home directory to /usr/local/controlfolder1/control1, for example, and set
chown root:root /usr/local/controlfolder1
chmod 700 /usr/local/controlfolder1
chown -R control1:controlgroup1 /usr/local/controlfolder1/control1
Source: https://wiki.archlinux.org/index.php/SFTP_chroot#Troubleshooting