我正在为一组用户设置 SFTP,我希望他们只具有 SFTP 访问权限,以便将文件上传到服务器。我已经将他们限制在他们自己的主目录中,并阻止了 shell 登录。每个主目录都有一个用于接收上传的子文件夹。我希望 SFTP 连接在登录时自动更改为此上传文件夹。非常标准。
我在旧服务器上使用该ForceCommand指令成功实现了这一点。但是在我目前正在准备的新服务器上,这不起作用。为什么?
/etc/ssh/sshd_config.d/sftpgroup.conf
Match Group ftpgroup
# The following two directives force ftpgroup to become chrooted
# and only have SFTP available. No other chroot setup is required.
ChrootDirectory /home/ftp_users/%u
ForceCommand internal-sftp -u 0002
# For additional paranoia, disallow all types of port forwardings.
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
# Force local logging
ForceCommand /usr/lib/openssh/sftp-server -l VERBOSE
# Change default directory to ~/upload
ForceCommand cd /upload
/var/log/auth.log 的日志级别为 DEBUG3
Mar 9 15:18:03 MyServer sshd[393644]: debug1: userauth-request for user myuser service ssh-connection method none [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug1: attempt 0 failures 0 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_getpwnamallow entering [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 8 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 9 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar 9 15:18:03 MyServer sshd[393644]: debug3: monitor_read: checking request 8
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_answer_pwnamallow
Mar 9 15:18:03 MyServer sshd[393644]: debug2: parse_server_config_depth: config reprocess config len 383
Mar 9 15:18:03 MyServer sshd[393644]: debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/sftpgroup.conf len 228
Mar 9 15:18:03 MyServer sshd[393644]: debug3: checking match for 'Group ftpgroup,!sftpgroup' user myuser host 1.2.3.4 addr 1.2.3.4 laddr 10.0.0.4 lport 22
Mar 9 15:18:03 MyServer sshd[393644]: debug1: user myuser does not match group list ftpgroup,!sftpgroup at line 4
Mar 9 15:18:03 MyServer sshd[393644]: debug3: match not found
Mar 9 15:18:03 MyServer sshd[393644]: debug3: checking match for 'Group ftpgroup' user myuser host 1.2.3.4 addr 1.2.3.4 laddr 10.0.0.4 lport 22
Mar 9 15:18:03 MyServer sshd[393644]: debug1: user myuser matched group list ftpgroup at line 9
Mar 9 15:18:03 MyServer sshd[393644]: debug3: match found
Mar 9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:12 setting ChrootDirectory /home/ftp_users/%u
Mar 9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:13 setting ForceCommand internal-sftp -u 0002
Mar 9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:15 setting AllowTcpForwarding no
Mar 9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:16 setting GatewayPorts no
Mar 9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:17 setting X11Forwarding no
Mar 9 15:18:03 MyServer sshd[393644]: debug3: /etc/ssh/sshd_config.d/sftpgroup.conf:21 setting ForceCommand cd /upload
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 9
Mar 9 15:18:03 MyServer sshd[393644]: debug2: monitor_read: 8 used once, disabling now
Mar 9 15:18:03 MyServer sshd[393644]: debug2: input_userauth_request: setting up authctxt for myuser [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_start_pam entering [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 100 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_inform_authserv entering [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 4 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug2: input_userauth_request: try method none [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: ensure_minimum_time_since: elapsed 2.862ms, delaying 4.136ms (requested 6.998ms) [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar 9 15:18:03 MyServer sshd[393644]: debug3: monitor_read: checking request 100
Mar 9 15:18:03 MyServer sshd[393644]: debug1: PAM: initializing for "myuser"
Mar 9 15:18:03 MyServer sshd[393644]: debug1: PAM: setting PAM_RHOST to "1.2.3.4"
Mar 9 15:18:03 MyServer sshd[393644]: debug1: PAM: setting PAM_TTY to "ssh"
Mar 9 15:18:03 MyServer sshd[393644]: debug2: monitor_read: 100 used once, disabling now
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar 9 15:18:03 MyServer sshd[393644]: debug3: monitor_read: checking request 4
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_answer_authserv: service=ssh-connection, style=, role=
Mar 9 15:18:03 MyServer sshd[393644]: debug2: monitor_read: 4 used once, disabling now
Mar 9 15:18:03 MyServer sshd[393644]: debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: send packet: type 51 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: receive packet: type 2 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: Received SSH2_MSG_IGNORE [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: receive packet: type 50 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug1: userauth-request for user myuser service ssh-connection method password [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug1: attempt 1 failures 0 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug2: input_userauth_request: try method password [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_auth_password entering [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 12 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 13 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar 9 15:18:03 MyServer sshd[393644]: debug3: monitor_read: checking request 12
Mar 9 15:18:03 MyServer sshd[393644]: debug3: PAM: sshpam_passwd_conv called with 1 messages
Mar 9 15:18:03 MyServer sshd[393644]: debug1: PAM: password authentication accepted for myuser
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_answer_authpassword: sending result 1
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 13
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 102
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar 9 15:18:03 MyServer sshd[393644]: debug1: do_pam_account: called
Mar 9 15:18:03 MyServer sshd[393644]: debug2: do_pam_account: auth information in SSH_AUTH_INFO_0
Mar 9 15:18:03 MyServer sshd[393644]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 103
Mar 9 15:18:03 MyServer sshd[393644]: Accepted password for myuser from 1.2.3.4 port 55095 ssh2
Mar 9 15:18:03 MyServer sshd[393644]: debug1: monitor_child_preauth: myuser has been authenticated by privileged process
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_get_keystate: Waiting for new keys
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 26
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_get_keystate: GOT new keys
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_auth_password: user authenticated [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: user_specific_delay: user specific delay 0.000ms [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: ensure_minimum_time_since: elapsed 7.172ms, delaying 6.825ms (requested 6.998ms) [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_do_pam_account entering [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 102 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive_expect entering: type 103 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_receive entering [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_do_pam_account returning 1 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: send packet: type 52 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_request_send entering: type 26 [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug3: mm_send_keystate: Finished sending state [preauth]
Mar 9 15:18:03 MyServer sshd[393644]: debug1: monitor_read_log: child log fd closed
Mar 9 15:18:03 MyServer sshd[393644]: debug3: ssh_sandbox_parent_finish: finished
Mar 9 15:18:03 MyServer sshd[393644]: debug1: PAM: establishing credentials
Mar 9 15:18:03 MyServer sshd[393644]: debug3: PAM: opening session
Mar 9 15:18:03 MyServer sshd[393644]: debug2: do_pam_session: auth information in SSH_AUTH_INFO_0
Mar 9 15:18:03 MyServer sshd[393644]: pam_unix(sshd:session): session opened for user myuser(uid=1001) by (uid=0)
Mar 9 15:18:03 MyServer systemd-logind[607]: New session 530 of user myuser.
Mar 9 15:18:03 MyServer systemd: pam_unix(systemd-user:session): session opened for user myuser(uid=1001) by (uid=0)
Mar 9 15:18:03 MyServer sshd[393644]: debug3: PAM: sshpam_store_conv called with 1 messages
Mar 9 15:18:03 MyServer sshd[393644]: debug3: PAM: sshpam_store_conv called with 1 messages
Mar 9 15:18:03 MyServer sshd[393644]: User child is on pid 393672
Mar 9 15:18:03 MyServer sshd[393672]: debug1: SELinux support disabled
Mar 9 15:18:03 MyServer sshd[393672]: debug1: PAM: establishing credentials
Mar 9 15:18:03 MyServer sshd[393672]: debug3: safely_chroot: checking '/'
Mar 9 15:18:03 MyServer sshd[393672]: debug3: safely_chroot: checking '/home/'
Mar 9 15:18:03 MyServer sshd[393672]: debug3: safely_chroot: checking '/home/ftp_users/'
Mar 9 15:18:03 MyServer sshd[393672]: debug3: safely_chroot: checking '/home/ftp_users/myuser'
Mar 9 15:18:04 MyServer sshd[393644]: debug3: mm_request_receive entering
Mar 9 15:18:04 MyServer sshd[393644]: debug3: monitor_read: checking request 113
Mar 9 15:18:04 MyServer sshd[393644]: debug3: mm_answer_audit_command entering
SSH-V
旧服务器:
- OpenSSH_7.9p1 Debian-10+deb10u2,OpenSSL 1.1.1d 2019 年 9 月 10 日
新服务器:
- OpenSSH_8.4p1 Debian-5,OpenSSL 1.1.1k 2021 年 3 月 25 日
更新
事实证明,在旧系统上,这实际上是由于操纵的主文件夹和符号链接而起作用,而不是因为ForceCommand该系统上的指令(即使该指令存在)。
ln -s /home/ftp_users/myuser /home/myuser
usermod -d /home/myuser myuser
ln -s ../upload /home/ftp_users/myuser/home/myuser
因此,当用户登录并对其进行更改时,它将~转到 的/home/myuser符号链接/upload。当将主文件夹设置与旧系统匹配时,新系统现在会在登录时正确路由。有点黑客化,而且绝对不是最理想的(说实话,我试图避免这种情况),但它“有效”。
那么问题来了,为什么不ForceCommand覆盖它呢?它到底在执行吗?我怎么知道呢?
答案1
您sftp-server可以添加选项-d path以在登录时更改起始目录。配置行应该是:
Subsystem sftp /usr/lib/openssh/sftp-server -l VERBOSE -d /upload
在 OpenSSH 的后续版本中,SFTP 服务器功能默认在进程内可用,或者使用显式internal-sftp指示符作为运行的命令。
@用户2100826经证实这个帖子和共享相同的命令行选项(internal-sftp但sftp-server我在相关页面中找不到明确指出这一点man)。请参阅以检查with或 的man sftp-server用法 。ChrootDirectoryForceCommandSubsystem
因此,也可以通过以下代码配置所需的行为:
Subsystem sftp internal-sftp -l VERBOSE -d /upload
另外,请检查这个答案。