Step 1: Create an SFTP service user group and create the SFTP service root directory
groupadd sftp
# The owner of this directory and of every parent directory must be root, and the
# permissions must be no higher than 755. Set the group of the directory to sftp.
mkdir /srv/sftp
chown -R root:sftp /srv/sftp
chmod -R 0755 /srv/sftp
Step 2: Back up the sshd configuration file and edit it
cp /etc/ssh/sshd_config ~/backup/sshd_config_xxx
vim /etc/ssh/sshd_config
Copy the file, do not move it: if sshd_config is moved away, the editor creates a new, empty file and every existing setting (ports, allowed users, key settings) is lost.
In this step, comment out the following line in /etc/ssh/sshd_config:
Subsystem sftp /usr/libexec/openssh/sftp-server
Add the following code:
Subsystem sftp internal-sftp
Match Group sftp
    ChrootDirectory /srv/sftp/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
Put the Match block at the end of the file: every directive after a Match line belongs to that block until the next Match. Only one Subsystem sftp line may be active, which is why the original one is commented out above.
Function description: every user in the sftp group can use the SFTP service and nothing else. ForceCommand replaces whatever command the client requests with the built-in SFTP server, and X11 and TCP forwarding are disabled so the account cannot be used as a tunnel.
After connecting, the only directory the user can reach is /srv/sftp/username, which the user sees as /.
For example:
User test is a member of the sftp group. After connecting to the server through SFTP, it can only see the content of /srv/sftp/test.
User test2 is also a member of the sftp group. After connecting through SFTP, it can only see the content of /srv/sftp/test2.
Step 3: Add a valid SFTP user and grant the write permission to the user
# In this example, create an SFTP account named test.
# Create the home directory of test: its owner must be root, its group should be sftp,
# and its permissions must be no higher than 755.
mkdir /srv/sftp/test
chmod 0755 /srv/sftp/test
chown root:sftp /srv/sftp/test
# -g sftp puts the user in the group the Match block selects; -s /sbin/nologin denies
# an interactive shell login (on Debian and Ubuntu the path is /usr/sbin/nologin).
useradd -g sftp -d /srv/sftp/test -s /sbin/nologin test
useradd leaves the new account locked, so set a password with passwd or install an authorized key before testing the login.
Because the user directory itself must belong to root, the user cannot write directly into it. The following workaround is not elegant, but it works: create a subdirectory that the user owns.
# Create a writable directory under the test directory
mkdir /srv/sftp/test/write
chown -R test:sftp /srv/sftp/test/write
In this way, the test user has write permission under the write directory inside the home directory (seen from the SFTP session as /write).
The root directory of the SFTP service must be owned by root and its permissions must not exceed 755; every parent directory must follow the same rule. The SFTP user directory must also be owned by root with permissions not exceeding 755. If any directory in that chain is owned by someone else or is group- or world-writable, sshd refuses the login and logs "bad ownership or modes for chroot directory component".