Restricting SFTP users to a directory
1. Requirement
Users who log in via SFTP are confined to their own home directory, and login logging is enabled at INFO level.
2. Parameter explanation
- The sshd_config file
# Subsystem parameter. The meaning of the -l and -f options is documented in man sftp-server; look them up there.
Subsystem sftp internal-sftp -l INFO -f local5
# Match parameter. This is a conditional match.
# man sshd_config lists the criteria that can be used, quoted below. Note that a user matched by this Match block (with ForceCommand internal-sftp) can no longer log in to the system over ssh.
The available criteria are User, Group, Host, LocalAddress, LocalPort, RDomain, and Address (with RDomain representing the rdomain(4) on which the connection was received).
# ChrootDirectory parameter. It has two constraints.
Specifies the pathname of a directory to chroot(2) to after authentication. At session startup sshd(8) checks that all components of
the pathname are root-owned directories which are not writable by any other user or group.
The directory given by ChrootDirectory must satisfy:
1. Every directory from the target up to the top of the filesystem (worth testing yourself) must be owned by root.
2. No other user or group may have write permission, i.e. the directory mode can only be 755 (755 is the usual setting; 655 should also work). This is a hard requirement.
3. Configuration
3.1 Restricting a single user to a directory
[root@node3 ~] # vi /etc/ssh/sshd_config # edit the file
# override default of no subsystems
#Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp -l INFO -f local5 # use the built-in internal-sftp at INFO log level with the given syslog facility. Enabling sftp logging needs further setup steps, which I won't cover here.
LogLevel INFO # INFO-level logging
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Match User shiliang # restrict only this one user
ChrootDirectory /home/%u # ChrootDirectory has two constraints (see section 2)
ForceCommand internal-sftp
[root@node3 ~] # chown root.shiliang /home/shiliang
[root@node3 home] # ll -d /home
drwxr-xr-x. 7 root root 78 Apr 20 09:36 /home
[root@node3 home] # ll -d /home/shiliang
drwxr-xr-x. 3 root shiliang 128 Aug 9 2021 /home/shiliang
[root@node3 home] # chmod 755 /home/shiliang
Test
[root@harbor-host ~]# sftp shiliang@10.36.113.198 # test the restricted user
shiliang@10.36.113.198's password:
Connected to 10.36.113.198.
sftp> pwd
Remote working directory: /
sftp> cd /home
Couldn't stat remote file: No such file or directory
[root@harbor-host ~]# sftp shiliang2@10.36.113.198 # test an unrestricted user for comparison
shiliang2@10.36.113.198's password:
Connected to 10.36.113.198.
sftp> ls
sftp> pwd
Remote working directory: /home/shiliang2
sftp> ls
sftp> cd /home/
sftp> cd /
sftp> ls
aaa bin boot cunchu data datavolume3 dev etc home lib lib64 media mnt opt
proc root run sbin srv sys test1.db tmp usr var vol100
sftp>
3.2 Restricting multiple users to a specific directory
To restrict multiple users, put them all in one supplementary group; that is enough to meet this requirement.
[root@node3 ~] # vi /etc/ssh/sshd_config # edit the file
Match Group sftpgroup
ChrootDirectory /home/sftp/%u
ForceCommand internal-sftp
[root@node3 home] # groupadd sftpgroup
[root@node3 home] # chown root.sftpgroup /home/sftp/
[root@node3 home] # chmod 755 /home/sftp/
[root@node3 home] # ll -d /home/sftp/
drwxr-xr-x. 2 root sftpgroup 6 Apr 20 10:06 /home/sftp/
[root@node3 home] # usermod -G sftpgroup shiliang2
[root@node3 home] # id shiliang2
uid=1026(shiliang2) gid=1029(shiliang2) groups=1029(shiliang2),1030(sftpgroup)
[root@node3 home] # systemctl restart sshd
[root@node3 home] # mkdir /home/sftp/shiliang2
[root@node3 home] # cd /home/sftp/shiliang2/
[root@node3 shiliang2] # ls
[root@node3 shiliang2] # touch 1
Test
[root@harbor-host ~]# sftp shiliang2@10.36.113.198 # test a user in the restricted group
shiliang2@10.36.113.198's password:
Connected to 10.36.113.198.
sftp> pwd
Remote working directory: /
sftp> ls
sftp> ls
sftp> ls
1
[root@harbor-host ~]# sftp shiliang@10.36.113.198 # test an unrestricted user
shiliang@10.36.113.198's password:
Connected to 10.36.113.198.
sftp> ls
test-dir test1
sftp> pwd
Remote working directory: /home/shiliang
sftp> ls
test-dir test1
sftp> cd /home/
sftp> cd /
sftp> ls
aaa bin boot cunchu data datavolume3 dev etc home lib lib64 media mnt opt
proc root run sbin srv sys test1.db tmp usr var vol100
sftp>
3.3 Summary
Later, if more users need to be confined to their home directory, just add them to the supplementary group; the Match condition in sshd_config matches anyone who belongs to that group.
4. Troubleshooting
Error: Starting sshd:/etc/ssh/sshd_config line 115: Directive 'Subsystem' is not allowed within a Match block
# Answer: as the message says, Subsystem may not appear inside a Match block, so place the Match block and everything belonging to it at the end of the file.
packet_write_wait: Connection to 10.36.113.198 port 22: Broken pipe
Couldn't read packet: Connection reset by peer
Answer: tail /var/log/messages shows that the corresponding directory was never created:
Apr 20 10:09:34 node3 sshd[12717]: fatal: safely_chroot: stat("/home/sftp/shiliang2"): No such file or directory