Trying to configure sshd_config so that access is restricted by the AD group you belong to. The goal is that when you connect, it sets ChrootDirectory to the only directory you are allowed to access. The permissions on the folders in Windows are also configured correctly. However, as soon as I use more than one "Match Group" block, I get "Failed password for invalid user user1". As soon as I comment out the other "Match Group" blocks, it works.
Match Group blocks from sshd_config:
AllowGroups "Domain\HBRobot-SFTP" "Domain\HBRobot-SFTP-FG" "Domain\HBRobot-SFTP-SF" "Domain\HBRobot-SFTP-Shared" "Domain\HBRobot-SFTP-MF"
#Main AD group to see all subfolders and files
Match Group Domain\HBRobot-SFTP
ChrootDirectory "D:\HB_RA_SFTPFileShare"
# AD group for FG reports folder
Match Group Domain\HBRobot-SFTP-FG
ChrootDirectory "D:\HB_RA_SFTPFileShare\FG"
#AD group for SF reports folder
Match Group Domain\HBRobot-SFTP-SF
ChrootDirectory "D:\HB_RA_SFTPFileShare\SF"
#AD group for Shared reports folder
Match Group Domain\HBRobot-SFTP-Shared
ChrootDirectory "D:\HB_RA_SFTPFileShare\Shared"
#AD group for MF reports folder
Match Group Domain\HBRobot-SFTP-MF
ChrootDirectory "D:\HB_RA_SFTPFileShare\MF"
This is what I see in the log:
1304 2022-01-19 14:09:21.010 debug1: userauth-request for user fuh0d9q service ssh-connection method none [preauth]
1304 2022-01-19 14:09:21.010 debug1: attempt 0 failures 0 [preauth]
1304 2022-01-19 14:09:21.057 debug1: user C:\\Users\\user1 matched group list Domain\\HBRobot-SFTP at line 37
1304 2022-01-19 14:09:21.073 debug1: get_passwd: LookupAccountName() failed: 1332.
1304 2022-01-19 14:09:21.073 debug1: Can't match group at line 41 because user n does not exist
1304 2022-01-19 14:09:21.183 debug1: get_passwd: LookupAccountName() failed: 1332.
1304 2022-01-19 14:09:21.183 debug1: Can't match group at line 45 because user n does not exist
1304 2022-01-19 14:09:21.417 debug1: get_passwd: LookupAccountName() failed: 1332.
1304 2022-01-19 14:09:21.417 debug1: Can't match group at line 49 because user n does not exist
1304 2022-01-19 14:09:21.605 debug1: get_passwd: LookupAccountName() failed: 1332.
1304 2022-01-19 14:09:21.605 debug1: Can't match group at line 53 because user n does not exist
1304 2022-01-19 14:09:21.636 debug1: userauth-request for user user1 service ssh-connection method keyboard-interactive [preauth]
1304 2022-01-19 14:09:21.636 debug1: attempt 1 failures 0 [preauth]
1304 2022-01-19 14:09:21.636 debug1: keyboard-interactive devs [preauth]
1304 2022-01-19 14:09:21.636 debug1: auth2_challenge: user=fuh0d9q devs= [preauth]
1304 2022-01-19 14:09:21.636 debug1: kbdint_alloc: devices '' [preauth]
1304 2022-01-19 14:09:26.699 debug1: userauth-request for user user1 service ssh-connection method password [preauth]
1304 2022-01-19 14:09:26.699 debug1: attempt 2 failures 1 [preauth]
1304 2022-01-19 14:09:26.699 debug1: Windows authentication failed for user: NOUSER domain: . error: 1326
1304 2022-01-19 14:09:26.699 Failed password for invalid user user1 from ***.**.***.** port 57106 ssh2
1304 2022-01-19 14:09:33.409 debug1: userauth-request for user user1 service ssh-connection method password [preauth]
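One thing worth checking against a configuration like the one above is which ChrootDirectory sshd would actually select for a given account. sshd_config(5) applies the first obtained value for each keyword, so a user who is a member of both the parent group and, say, the FG group lands in the parent chroot simply because that Match block appears first. The script below is an added example, not part of the original post and not OpenSSH code: it parses the posted fragment (embedded as a constructed sample), reimplements only the Match Group / Match User first-match rule with fnmatch-style patterns (negated "!" patterns and other criteria such as Address are not modelled), and also lists any Match Group that AllowGroups would reject before a Match block could apply.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample input: the sshd_config fragment from the post.
SSHD_CONFIG = r'''
AllowGroups "Domain\HBRobot-SFTP" "Domain\HBRobot-SFTP-FG" "Domain\HBRobot-SFTP-SF" "Domain\HBRobot-SFTP-Shared" "Domain\HBRobot-SFTP-MF"
#Main AD group to see all subfolders and files
Match Group Domain\HBRobot-SFTP
ChrootDirectory "D:\HB_RA_SFTPFileShare"
# AD group for FG reports folder
Match Group Domain\HBRobot-SFTP-FG
ChrootDirectory "D:\HB_RA_SFTPFileShare\FG"
#AD group for SF reports folder
Match Group Domain\HBRobot-SFTP-SF
ChrootDirectory "D:\HB_RA_SFTPFileShare\SF"
#AD group for Shared reports folder
Match Group Domain\HBRobot-SFTP-Shared
ChrootDirectory "D:\HB_RA_SFTPFileShare\Shared"
#AD group for MF reports folder
Match Group Domain\HBRobot-SFTP-MF
ChrootDirectory "D:\HB_RA_SFTPFileShare\MF"
'''

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(line):
    """Split an sshd_config line into tokens, stripping double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(line)]


def parse_sshd_config(text):
    """Return (global_options, match_blocks); options map lowercase keyword ->
    argument list.  Within a section the first occurrence of a keyword wins,
    which mirrors how sshd reads its configuration."""
    global_opts, blocks, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = tokenize(line)
        keyword, args = tokens[0].lower(), tokens[1:]
        if keyword == "match":
            # Criteria come in pairs: "Group a,b User c" -> [("group", [a, b]), ("user", [c])]
            criteria = [(args[i].lower(), args[i + 1].split(","))
                        for i in range(0, len(args) - 1, 2)]
            current = {"line": lineno, "criteria": criteria, "options": {}}
            blocks.append(current)
        else:
            target = global_opts if current is None else current["options"]
            target.setdefault(keyword, args)
    return global_opts, blocks


def block_matches(block, user, groups):
    """True when every criterion on the Match line holds (case-sensitive,
    fnmatch-style patterns; only Group and User criteria are modelled)."""
    for ctype, patterns in block["criteria"]:
        if ctype == "group":
            ok = any(fnmatchcase(g, p) for g in groups for p in patterns)
        elif ctype == "user":
            ok = any(fnmatchcase(user, p) for p in patterns)
        else:
            ok = False
        if not ok:
            return False
    return True


def effective_options(global_opts, blocks, user, groups):
    """Options sshd would apply: the first matching block that supplies a
    keyword wins, and values from Match blocks override the global section."""
    from_match = {}
    for block in blocks:
        if block_matches(block, user, groups):
            for keyword, args in block["options"].items():
                from_match.setdefault(keyword, args)
    resolved = dict(global_opts)
    resolved.update(from_match)
    return resolved


def chroot_for(user, groups, text=SSHD_CONFIG):
    """The ChrootDirectory string that would apply to the user, or None."""
    global_opts, blocks = parse_sshd_config(text)
    value = effective_options(global_opts, blocks, user, groups).get("chrootdirectory")
    return value[0] if value else None


def unallowed_match_groups(text=SSHD_CONFIG):
    """Match Group names not covered by AllowGroups: members of such a group are
    rejected before any Match block could apply to them."""
    global_opts, blocks = parse_sshd_config(text)
    allowed = global_opts.get("allowgroups", [])
    missing = []
    for block in blocks:
        for ctype, patterns in block["criteria"]:
            if ctype == "group":
                missing += [p for p in patterns if not any(fnmatchcase(p, a) for a in allowed)]
    return missing


if __name__ == "__main__":
    print(chroot_for("user1", ["Domain\\HBRobot-SFTP-FG"]))
    # Member of the parent group and the FG group: the parent block is listed
    # first, so the parent chroot wins regardless of group order.
    print(chroot_for("user1", ["Domain\\HBRobot-SFTP-FG", "Domain\\HBRobot-SFTP"]))
    print(unallowed_match_groups())
```

If the intent is that subfolder groups always get the narrower chroot, the more specific Match blocks need to come before the Domain\HBRobot-SFTP block; the resolver above shows the resulting directory for any combination of memberships before the change is made on the server.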