Build sftp in Centos 7

Build sftp in Centos 7

# Use ssh-V to check the openssh version. if the version is earlier than 4.8p1, you must upgrade and install openssh.

1. Create an sftp group # groupadd sftp 2. Create an sftp user, the home Directory of the user named aguisftp # useradd-g sftp-s/bin/false aguisftp # passwd aguisftp3 and sftp groups is designated to/agui/sftp, Which is differentiated by user name, create a new mysftp directory and specify the home address of mysftp as/agui/sftp/mysftp # mkdir-p/agui/sftp/mysftp # usermod-d/agui/sftp/mysftp aguisftp

4. Configure sshd_config to edit/etc/ssh/sshd_config # vim + 132/etc/ssh/sshd_config **. Find the following line, comment out ** Subsystem sftp/usr/libexec/openssh/sftp-server and add the following lines: Subsystem sftp internal-sftp Match Group sftp ChrootDirectory/data/sftp ForceCommand internal-sftp AllowTcpForwarding no x11Forwarding no ** explains the meaning of the added rows ** Subsystem sftp internal-sftp this line specifies to use the sftp Service to use the system's built-in internal-sftpMatch Group sftp this line is used to match users in the sftp Group, if you want to Match multiple groups, use commas to separate them. You can also Match the User Match User mysftp to Match the User. Multiple User names are also separated by commas, however, group matching is more flexible and convenient here. ChrootDirectory/data/sftp/% u specifies the root directory of the user to/data/sftp/% u with chroot, and % u indicates the user name, in this way, the user can only be active under/data/sftp/% u, the meaning of chroot, can refer to here: http://www.ibm.com/developerworks/cn/linux/l-cn-chroot/ForceCommand internal-sftp specify sftp command AllowTcpForwarding no X11Forwarding no these two lines, if you do not want this user to use port forwarding, add it; otherwise, delete it.

5. Set the Chroot directory permission # chown root: sftp/agui/sftp # The Wrong directory permission setting of chmod 755/agui/sftp will cause "fatal: the permission settings for the content directory of bad ownership or modes for chroot directory XXXXXX have two main points: 1. The directory owner starting from the directory specified by ChrootDirectory to the root directory of the system can only be root2. the directory specified by ChrootDirectory can only be up to the root directory of the system. the Group Write Permission follows the preceding two principles: 1) we set the owner of/data/sftp/aguisftp to root, and all groups to sftp2. We set the permission of/data/sftp/aguisftp to 755, and the owner root has the write permission, no write permission for all sftp groups

6. Create a directory that can be written after SFTP user login. After setting the directory above, after the sshd service is restarted, the user mysftp can be logged on, but after specifying the root directory using chroot, the root cannot be written, so you need to create a directory for mysftp to upload files. The directory owner is aguisftp, all groups are sftp, and the owner has write permission, while all groups have no write permission # mkdir/data/sftp/mysftp/upload # chown aguisftp: sftp/data/sftp/mysftp # chmod 755/data/sftp/mysftp7, restart sshd service # service sshd restart here, mysftp can log on to the sftp client and upload files to the upload directory. If you still cannot upload files in this directory, the system prompts that you do not have the permission to check whether SElinux is disabled. You can use the following command to disable SElinux and modify selinux = "" to disabled in the/etc/SELINUX/config file, then restart. Or # setenforce 0

Test: sftp mysftp@127.0.0.1 show sftp> sftp build successful

The configuration above will result in an error with no write permission, as shown below:

We can use root to connect to the ssh service to upload and download files.

sftp root@127.0.0.1 

Solve the problem that aguisftp users cannot read/write:

[root@VM_12_177_centos upload]# sftp aguisftp@127.0.0.1 aguisftp@127.0.0.1's password: Write failed: Broken pipeCouldn't read packet: Connection reset by peer

The cause of this problem is the permission of ChrootDirectory. The directory you set must be owned by the root user; otherwise, the problem may occur. Therefore, make sure that the root directory of the sftp user is root and the permission is 750 or 755. Note the following two principles:

(1) The owner of all directories starting from the directory to the root directory of the system can only be root, and the user group can not be root.

(2) The group write permission cannot be obtained from the directory until it reaches the root directory of the system.

Pay attention to the above two points and check carefully. This problem has always occurred to me. Check the configuration carefully to solve the problem.

Run the following command: [root @ VM_12_177_centos upload] # chown-R root: root/agui/sftp [root @ VM_12_177_centos upload] # chmod 755/agui/sftp [root @ VM_12_177_centos upload] # chown aguisftp: sftp/agui/sftp/mysftp [root @ VM_12_177_centos upload] # chmod 777/agui/sftp/mysftp [root @ brief upload] # service sshd restartRedirecting to/bin/systemctl restart sshd. service [root @ VM_12_177_centos upload] # sftp aguisftp@127.0.0.1 aguisftp@127.0.0.1's password: Connected to 127.0.0.1.sftp>

The problem has been solved. The java code test is as follows: