Ssh Sftp Jail
711퍼미션
퍼미션을 711로 변경하여 루트만 접근이 가능하도록 해준다.
sudo chmod 711 / sudo chmod 711 /bin sudo chmod 711 /boot sudo chmod 711 /dev sudo chmod 711 /etc sudo chmod 711 /home sudo chmod 711 /mnt sudo chmod 711 /opt #sudo chmod 711 /proc sudo chmod 711 /usr sudo chmod 711 /usr/local sudo chmod 711 /var
chroot
버전확인
ssh -ver OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
문제점은 이렇게 설정한 유저는 ssh 에 접속이 안된다.
방법
Release: RedHat Enterprise Linux Openssh 5.6P1
Problem: Configure the sftp-server on a per-user-basis (restrict users to their individual home directory) using chroot() jail in RedHat Enterprise Linux
Solution:
- Install the OpenSSH latest version that must support the chroot() function
- Configure Openssh to use its internal sftp subsystem by editing the sshd_config file
nano /etc/ssh/sshd_config
Replace
Subsystem sftp /usr/local/libexec/sftp-server
by
Subsystem sftp internal-sftp
- Now configure the chroot() by using match rule, add the below entries in the end of the sshd_config file
nano /etc/ssh/sshd_config
Match group sftponly ChrootDirectory /home/%u X11Forwarding no AllowTcpForwarding no ForceCommand internal-sftp
Note: Here %u represents username, that means all the users in the sftponly group home directories are chrooted. Also chroot directory must be owned by root.
4) Add one new group named as sftponly
groupadd sftponly
5) Create a new user to use retricted sftp. First create a user's home directory after that add the user
mkdir /home/test useradd -g sftponly test usermod -d / test
Note: In here, create a home directory as a root user, while adding the user one warning comes like this, "useradd: warning: the home directory already exists"
6) Now test the configuration from client side
[root@server Desktop] sftp [email protected] Connecting to 192.168.1.7… [email protected]'s password: sftp> ls IN sftp> cd IN sftp> ls sftp> mput 1.png Uploading 1.png to /IN/1.png 1.png 100% 90KB 90.4KB/s 00:00 sftp> ls 1.png sftp> bye
7) Test the SFTP-Server function from the windows client use the “WinSCP” or “Filezilla”
누구나 수정하실 수 있습니다. 위키 사용법 참고하세요. |
---|