我需要设置一个 scp 服务器。供应商将通过 scp(而不是 sftp)将文件上传到该服务器。虽然 sftp 的配置很容易,但我使用 scp 时却非常吃力。网上有一些针对其他操作系统的说明和操作方法。我尝试遵循这些说明,但总是收到错误消息:
scp phpinfo.php [email protected]:/subdir/
/home/abc/bin/bash: Permission denied
lost connection
...日志中没有进一步的提示:
Oct 3 23:16:13 ip-10-2-4-121 sshd[30945]: Accepted password for abc from 1.2.3.4 port 57248 ssh2
Oct 3 23:16:13 ip-10-2-4-121 sshd[30945]: pam_unix(sshd:session): session opened for user abc by (uid=0)
Oct 3 23:16:13 ip-10-2-4-121 sshd[30945]: Received disconnect from 1.2.3.4 port 57248:11: disconnected by user [postauth]
Oct 3 23:16:13 ip-10-2-4-121 sshd[30945]: Disconnected from 1.2.3.4 port 57248 [postauth]
Oct 3 23:16:13 ip-10-2-4-121 sshd[30945]: pam_unix(sshd:session): session closed for user abc
我的/etc/ssh/sshd_config被修改如下:
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftp
ChrootDirectory %h
# ForceCommand internal-sftp
AllowTcpForwarding no
...如果我想允许 scp 访问,我认为 ForceCommand 不是必需的。
目录中的权限/home:
[root@ip-10-2-4-121 abc]# ls -al /home
total 16
drwxr-xr-x 4 root root 4096 Oct 3 21:42 .
dr-xr-xr-x 25 root root 4096 Oct 3 20:08 ..
drwx------ 9 root root 4096 Oct 3 23:12 abc
drwx------ 4 ec2-user ec2-user 4096 Oct 3 21:43 ec2-user
我也尝试复制一些依赖项,但我不知道如何找出需要复制的文件。https://www.wilderssecurity.com/threads/how-to-copy-only-needed-libraries-to-a-chroot.329486/给了我一个提示,我已经尝试过了:
cp --parents `ldd /bin/bash | cut -d " " -f 3` /home/abc
cp --parents `ldd /usr/bin/scp | cut -d " " -f 3` /home/abc
cp --parents `ldd /usr/libexec/openssh/sftp-server | cut -d " " -f 3` /home/abc
我的目录结构如下/home/abc:
.
├── bin
│ └── bash
├── dev
│ ├── null
│ ├── random
│ ├── tty
│ └── zero
├── etc
│ ├── group
│ ├── ld.so.cache
│ ├── ld.so.conf
│ ├── ld.so.conf.d
│ │ └── kernel-4.9.51-10.52.amzn1.x86_64.conf
│ └── passwd
├── lib
├── lib64
│ ├── ld-linux-x86-64.so.2
│ ├── libcrypto.so.10
│ ├── libcrypt.so.1
│ ├── libc.so.6
│ ├── libdl.so.2
│ ├── libfreebl3.so
│ ├── liblber-2.4.so.2
│ ├── libldap-2.4.so.2
│ ├── libnspr4.so
│ ├── libnss3.so
│ ├── libnssutil3.so
│ ├── libplc4.so
│ ├── libplds4.so
│ ├── libpthread.so.0
│ ├── libresolv.so.2
│ ├── librt.so.1
│ ├── libsasl2.so.2
│ ├── libsmime3.so
│ ├── libssl3.so
│ ├── libtic.so.5
│ ├── libtinfo.so.5
│ ├── libutil.so.1
│ └── libz.so.1
├── subdir
└── usr
├── bin
│ └── scp
├── lib
├── lib64
│ ├── libnss3.so
│ ├── libnssutil3.so
│ ├── libsasl2.so.2
│ ├── libsmime3.so
│ └── libssl3.so
└── libexec
└── openssh
└── sftp-server
我进一步修改了/etc/passwd:
...
abc:x:501:501::/home/abc:/home/abc/bin/bash
任何帮助是极大的赞赏。
答案1
我遗漏了一些进一步的依赖项和权限。这是如何从空白的 amazon linux ec2 实例创建 chrooted、启用 ssh 和 scp 的用户:
#!/bin/bash
#
# This script creates a chrooted user, scp enabled, on an Amazon Linux aws instance
#
# 2017-10-05
#
# change username and password here:
username="abc"
password="123456"
# create groups
groupadd sftp
# create chrooted user
useradd -m $username -G sftp
echo $username:$password | chpasswd
# enable password authentication in sshd
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.before_chroot
cat /etc/ssh/sshd_config | sed -e "s/PasswordAuthentication no/PasswordAuthentication yes/" > /etc/ssh/temp_sshd_config
mv -f /etc/ssh/temp_sshd_config /etc/ssh/sshd_config
# disable default sftp subsystem configuration in sshd
sed -e '/Subsystem sftp/ s/^#*/#/' -i /etc/ssh/sshd_config
# add sftp subsystem configuration to sshd
echo "Subsystem sftp internal-sftp" >> /etc/ssh/sshd_config
echo "Match Group sftp" >> /etc/ssh/sshd_config
echo " ChrootDirectory %h" >> /etc/ssh/sshd_config
echo " AllowTcpForwarding no" >> /etc/ssh/sshd_config
# restart ssh service
/etc/init.d/sshd restart
# create the chrooted directory structure
mkdir /home/$username/bin
mkdir /home/$username/dir
mkdir /home/$username/usr
mkdir /home/$username/usr/bin
mkdir /home/$username/usr/libexec
mkdir /home/$username/usr/libexec/openssh
mkdir /home/$username/lib/
mkdir /home/$username/etc
mkdir /home/$username/dev
mkdir /home/$username/dev/pts
# copy all dependencies
cp --parents `ldd /bin/bash | cut -d " " -f 3` /home/$username
cp --parents `ldd /usr/bin/scp | cut -d " " -f 3` /home/$username
cp --parents `ldd /usr/libexec/openssh/sftp-server | cut -d " " -f 3` /home/$username
cp --parents `ldd /bin/ls | cut -d " " -f 3` /home/$username/
cp /usr/lib64/libnss3.so /home/$username/lib64/
cp /usr/lib64/libtic.so.5 /home/$username/lib64/
cp /lib64/ld-linux-x86-64.so.2 /home/$username/lib64/
cp /usr/lib64/libssl3.so /home/$username/lib64/
cp /bin/bash /home/$username/bin/
cp /usr/bin/scp /home/$username/usr/bin/scp
cp /usr/libexec/openssh/sftp-server /home/$username/usr/libexec/openssh/
cp /bin/ls /home/$username/bin/
cp /lib64/libnss* /home/$username/lib64/
cp /usr/lib64/libnss* /home/$username/usr/lib64/
cp --parents `find . -type f -exec ldd '{}' \; | awk '{print $3}' | sort | uniq | grep -v '('` /home/$username/
cp -vf /etc/{passwd,group} /home/$username/etc/
cp -r /etc/ld.so* /home/$username/etc/
# create non-files
mknod -m 666 /home/$username/dev/null c 1 3
mknod -m 666 /home/$username/dev/tty c 5 0
mknod -m 666 /home/$username/dev/zero c 1 5
mknod -m 666 /home/$username/dev/random c 1 8
mount --bind /dev/pts /home/$username/dev/pts
# get the directory permissions right
chown $username.$username /home/$username/. -R
chmod 0755 /home/$username/bin
chmod 0666 /home/$username/.bashrc
chown root.root /home/$username
chmod 0755 /home/$username
https://gist.github.com/kmddevdani/b7687a74dacb250eda7b8e2f65f1c906