Restricting sftp users to a directory

1. Requirements

Users who log in via sftp are confined to their own home directory, and login logging is enabled at INFO level.

2. Parameter explanation

  • sshd_config file
# Subsystem parameter. The meaning of the -l and -f options is given in man sftp-server; look them up there.
Subsystem       sftp    internal-sftp -l INFO -f local5

# Match parameter. This is a conditional match.
# From man sshd_config the available criteria are listed below; users matched by the Match block are blocked from logging in to the system via ssh.
The available criteria are User, Group, Host, LocalAddress, LocalPort, RDomain, and Address (with RDomain representing the rdomain(4) on which the connection was received).

# ChrootDirectory parameter. It has two constraints.
   Specifies the pathname of a directory to chroot(2) to after authentication.  At session startup sshd(8) checks that all components of
the pathname are root-owned directories which are not writable by any other user or group.
   The directories given by ChrootDirectory must satisfy:
   1. Every directory from the target up to the top level (verify this) must be owned by root.
   2. No other user or group may have write permission, which means the directory mode can only be 755 (755 is the usual setting; 655 should presumably also work). This is mandatory.

3. Configuration

3.1 Restricting a single user to a directory
[root@node3 ~] # vi /etc/ssh/sshd_config #edit the file
# override default of no subsystems
#Subsystem      sftp    /usr/libexec/sftp-server
Subsystem       sftp    internal-sftp -l INFO -f local5 #use the built-in internal-sftp with INFO log level and a specified facility code. Enabling sftp logging needs further setup steps that I won't cover here.
LogLevel INFO #INFO level logging

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
Match User shiliang  #restrict a single user only
ChrootDirectory /home/%u #ChrootDirectory has two constraints
ForceCommand internal-sftp

[root@node3 ~] # chown root.shiliang /home/shiliang  
[root@node3 home] # ll -d /home
drwxr-xr-x. 7 root root 78 Apr 20 09:36 /home
[root@node3 home] # ll -d /home/shiliang
drwxr-xr-x. 3 root shiliang 128 Aug  9  2021 /home/shiliang

[root@node3 home] #chmod 755 /home/shiliang

Test

[root@harbor-host ~]# sftp shiliang@10.36.113.198  #test the restricted user
shiliang@10.36.113.198's password: 
Connected to 10.36.113.198.
sftp> pwd
Remote working directory: /
sftp> cd /home
Couldn't stat remote file: No such file or directory


[root@harbor-host ~]# sftp shiliang2@10.36.113.198  #test an unrestricted user for comparison
shiliang2@10.36.113.198's password: 
Connected to 10.36.113.198.
sftp> ls
sftp> pwd
Remote working directory: /home/shiliang2
sftp> ls
sftp> cd /home/
sftp> cd /
sftp> ls
aaa          bin          boot         cunchu       data         datavolume3  dev          etc          home         lib          lib64        media        mnt          opt          
proc         root         run          sbin         srv          sys          test1.db     tmp          usr          var          vol100       
sftp> 
3.2 Restricting multiple users to a specific directory

To restrict multiple users, we put them all in one supplementary group, which satisfies this requirement.

[root@node3 ~] # vi /etc/ssh/sshd_config #edit the file
Match Group sftpgroup
ChrootDirectory /home/sftp/%u
ForceCommand internal-sftp

[root@node3 home] # groupadd sftpgroup
[root@node3 home] # chown root.sftpgroup /home/sftp/
[root@node3 home] # chmod 755 /home/sftp/
[root@node3 home] # ll -d /home/sftp/
drwxr-xr-x. 2 root sftpgroup 6 Apr 20 10:06 /home/sftp/

[root@node3 home] # usermod -G sftpgroup shiliang2
[root@node3 home] # id shiliang2  
uid=1026(shiliang2) gid=1029(shiliang2) groups=1029(shiliang2),1030(sftpgroup)

[root@node3 home] # systemctl restart sshd
[root@node3 home] # mkdir /home/sftp/shiliang2
[root@node3 home] # cd /home/sftp/shiliang2/
[root@node3 shiliang2] # ls
[root@node3 shiliang2] # touch 1

Test

[root@harbor-host ~]# sftp shiliang2@10.36.113.198   #test a user in the restricted group
shiliang2@10.36.113.198's password: 
Connected to 10.36.113.198.
sftp> pwd
Remote working directory: /
sftp> ls
sftp> ls
sftp> ls
1  

[root@harbor-host ~]# sftp shiliang@10.36.113.198  #test an unrestricted user
shiliang@10.36.113.198's password: 
Connected to 10.36.113.198.
sftp> ls
test-dir  test1     
sftp> pwd
Remote working directory: /home/shiliang
sftp> ls
test-dir  test1     
sftp> cd /home/
sftp> cd /
sftp> ls
aaa          bin          boot         cunchu       data         datavolume3  dev          etc          home         lib          lib64        media        mnt          opt          
proc         root         run          sbin         srv          sys          test1.db     tmp          usr          var          vol100       
sftp> 


3.3 Summary

Later, if all users need to be confined to their home directories, we just add them to the supplementary group; the Match condition in sshd_config matches any user who belongs to that group.

4. Problems encountered

Error: Starting sshd:/etc/ssh/sshd_config line 115: Directive 'Subsystem' is not allowed within a Match block
#Answer: the error says Subsystem may not appear inside a Match block, so move the Match-related lines to the end of the file.

packet_write_wait: Connection to 10.36.113.198 port 22: Broken pipe
Couldn't read packet: Connection reset by peer
Answer: tail /var/log/messages shows that the corresponding directory had not been created, as follows
Apr 20 10:09:34 node3 sshd[12717]: fatal: safely_chroot: stat("/home/sftp/shiliang2"): No such file or directory