How do I enable chrooted SFTP access to files in RHEL 6.5?

I am trying to set up chrooted SFTP access to a RHEL 6.5 server. I have completed the standard steps of editing the sshd_config file to match any user in a group and chroot them, as follows:

Match group prisoners
    ChrootDirectory /home/%u
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

as well as setting

Subsystem sftp internal-sftp

The user "test" has a directory as follows:

[root@ip-10-0-1-158 ~]# ls -l /home/test
total 4
drwxrwxr-x. 3 root prisoners 4096 Jul 20 17:55 SFTP

(I have also set the ownership and permissions of that directory recursively.)

and is in the correct group:

[root@ip-10-0-1-158 ~]# sudo -u test id
uid=501(test) gid=498(prisoners) groups=498(prisoners) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

When I try to edit or create files in the /home/test/SFTP directory as the test user over an ssh session, everything works as expected. If I log in via WinSCP, I can authenticate correctly and can see the contents of the /home/test directory (but cannot modify them). However, it will not let me view, edit, or create files in the /home/test/SFTP directory.

WinSCP error message:

Error listing directory '/SFTP'.
Permission denied.
Error code: 3
Error message from server: Permission denied

Any help would be greatly appreciated.

Note: I have successfully set up similar sftp chroot access on RHEL 7, but I am struggling to understand why the user permissions do not seem to work over SFTP.

Answer 1

Note: I have successfully set up similar sftp chroot access on RHEL 7, but I am struggling to understand why the user permissions do not seem to work over SFTP.

Probably the SELinux labels are wrong. Check whether they are correct and try to fix them with:

# restorecon -RF /

Answer 2

The way I set this up on a Debian system (for teaching a programming class) is:

First, create the users. This is the script I use; it adds the user, creates the home directory, puts them in a prisoners-type group, copies some default files, sets permissions and ownership, creates a SQL database, and so on. It is overkill for you; you can use just the first few lines.

#!/bin/bash

# $1 is the username to create
# call as   root@darkstar:~/ # ./script.sh username

# add the user and put them in the jailusers group, set their home
# directory so it is at http://www.example.com/username
# and set their shell to /bin/false so they can't ssh in
useradd -g jailusers -d "/var/jailweb/www-example.com/$1" -s /bin/false "$1"
mkdir -p "/var/jailweb/www-example.com/$1"

# i copy some template files in for them - this is a programming class
cp /root/jailtemplate-filez/*php "/var/jailweb/www-example.com/$1"

# fix the ownership of them - the /var/jailweb/www-example.com has been
# chmodded as g+s so the webserver will be able to read all the files
# note that this is NOT the ideal way to deal with this, but was needed
# for my purposes
chown "$1":www-data "/var/jailweb/www-example.com/$1"
chown "$1":www-data "/var/jailweb/www-example.com/$1/index.php"
chmod -R 750 "/var/jailweb/www-example.com/$1"

# put their name on their front page
sed -i "s/STUDENT/$1/g" "/var/jailweb/www-example.com/$1/index.php"

# generate a "random" password for sftp login
salt="oh god there has to be a better way!"
lpass=$(echo "$1 $salt" | md5sum | cut -c 5-15)

# generate a "different" "random" password
# for them to use for mysql access
mpass=$(echo "$1 $salt" | md5sum | cut -c 13-22)
# and set it for the user login programmatically
echo "$1:$lpass" | chpasswd

# create a sql script file to create their mysql accounts and
# create a database for them, grant rights, etc
sed "s/USERNAME/$1/g; s/PASS/$mpass/g" webusers-mysql_template >> webusersusers.sql

# put their mysql info into a php file in their web directory
sed "s/USERNAME/$1/g; s/PASSWORD/$mpass/g" dbinfo.php-template > "/var/jailweb/www-example.com/$1/dbinfo.php"
# make sure the webserver can read it... this all SHOULD be setup for suexec
# and having each user in their own primary group... then the sticky bit, etc
# wouldn't be needed, but I'm lazy
chown "$1":www-data "/var/jailweb/www-example.com/$1/dbinfo.php"
chmod 440 "/var/jailweb/www-example.com/$1"/*.php

# if there needs to be a directory the webserver can
# write to, uncomment these
#mkdir -p "/var/jailweb/www-example.com/$1/writeable"
#chown "$1":www-data "/var/jailweb/www-example.com/$1/writeable"
#chmod 770 "/var/jailweb/www-example.com/$1/writeable"

Next, in /etc/ssh/sshd_config, be sure to comment out the default sftp provider and add the internal subsystem:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Finally, also add your group match to /etc/ssh/sshd_config. I set a slightly different default umask:

Match Group jailusers
        ChrootDirectory /var/jailweb
        ForceCommand internal-sftp -u 0027

Note that I point the chroot at the directory that contains their home directories.

Restart the ssh daemon and you should be good. Your users should be able to add/edit/delete things in their /username directory. If you want to add a shared directory, you will need to create it and change its ownership.
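An added check, not code from the question or either answer, for the precondition both setups share: sshd accepts a ChrootDirectory (/home/test in the question, /var/jailweb in the answer above) only if every component of the path is a root-owned directory that is not group- or world-writable, and it rejects the login before the user ever reaches the SFTP subdirectory otherwise. The function names are my own and the path-walking part relies on GNU stat(1), as found on RHEL and Debian.

```bash
#!/usr/bin/env bash
# Added example (not code from the question or either answer): check the rule
# sshd_config(5) states for ChrootDirectory, namely that every path component
# is a root-owned directory that is not group- or world-writable. A violation
# makes sshd refuse the session ("bad ownership or modes for chroot directory"
# in the auth log) regardless of the permissions inside the jail.

# Pure check on one component: PATH OWNER OCTAL_MODE [EXPECTED_OWNER].
# Prints a verdict and returns 1 when sshd would reject this component.
check_chroot_entry() {
    path=$1 owner=$2 mode=$3 want=${4:-root}
    case $mode in ''|*[!0-7]*)
        echo "BAD  $path: mode '$mode' is not an octal mode"; return 1 ;;
    esac
    perm=$(( 8#$mode & 8#777 ))            # drop setuid/setgid/sticky digits
    if [ "$owner" != "$want" ]; then
        echo "BAD  $path: owned by '$owner', must be $want"; return 1
    fi
    if [ $(( perm & 8#022 )) -ne 0 ]; then
        echo "BAD  $path: mode $mode is group- or world-writable"; return 1
    fi
    echo "ok   $path ($owner, $mode)"
}

# Walk an absolute path from / downward (/, /home, /home/test, ...) and check
# each component with GNU stat(1). Returns the number of rejected components.
check_chroot_path() {
    dir=$1 bad=0 cur=""
    IFS=/ read -r -a parts <<< "$dir"
    check_chroot_entry / $(stat -c '%U %a' /) || bad=$((bad + 1))
    for comp in "${parts[@]}"; do
        [ -n "$comp" ] || continue             # empty part before a leading /
        cur="$cur/$comp"
        if [ ! -d "$cur" ]; then
            echo "BAD  $cur: not a directory"; bad=$((bad + 1)); continue
        fi
        check_chroot_entry "$cur" $(stat -c '%U %a' "$cur") || bad=$((bad + 1))
    done
    return $bad
}

# Usage: ./check_chroot.sh /home/test   (the ChrootDirectory from the question)
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
    echo "$? component(s) would be rejected by sshd"
fi
```

Directories inside the jail that the user must write to (the SFTP subdirectory in the question) are exempt from this rule and only need the usual owner or group write bit for that user.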
