One. A project team recently asked for a file server with the following requirements:
1. Users: amovs, upload, download
2. Groups: amovs, dataload, download
3. The upload and download users share the same home directory, /data/dataload
4. upload must be able to read and write (upload files); download may only download
5. amovs runs batch automation (deleting logs and so on), so it needs read and write permission on the dataload directory
6. upload and download may only transfer files with SFTP client software and must not be usable as login (shell) users
The planned relationship between users and groups is as follows:
amovs: own primary group amovs, also a member of the dataload group; home directory /amovs
upload: member of the dataload group; home directory /data/dataload
download: member of the download group; home directory /data/dataload
Two. The build environment is as follows:
Red Hat Enterprise Linux Server release 6.7 (Santiago)
Build steps:
1. Check the installed SSH packages and versions
# rpm -qa | grep ssh
openssh-clients-5.3p1-111.el6.x86_64
openssh-server-5.3p1-111.el6.x86_64
ksshaskpass-0.5.1-4.1.el6.x86_64
libssh2-1.4.2-1.el6_6.1.x86_64
openssh-5.3p1-111.el6.x86_64
2. Create the groups and users
# groupadd -g 601 amovs
# groupadd -g 602 dataload
# groupadd -g 603 download
# useradd -u 601 -g amovs -G dataload -d /amovs amovs
# useradd -u 602 -s /bin/false -g dataload -d /data/dataload upload
# useradd -u 603 -s /bin/false -g download -d /data/dataload download
Note: -g sets the primary group and -G (capital) adds supplementary groups, so amovs keeps its own group and is additionally a member of dataload. /bin/false as the login shell is enough to block interactive logins; internal-sftp never invokes the user's shell, so SFTP still works for upload and download. useradd creates /data/dataload when upload is added and only warns that the directory already exists when download is added, which is expected.
3. Edit /etc/ssh/sshd_config; the changes are as follows:
# comment out this line
#Subsystem sftp /usr/libexec/openssh/sftp-server
Add the following configuration:
Subsystem sftp internal-sftp        # use the internal-sftp server built into sshd instead of the external sftp-server binary
#Match Group dataload               # to restrict by group, use this form instead; Match User also takes a comma-separated list
Match User upload,download          # the requirement here is to control specific users, so it is configured this way (no space after the comma, or sshd rejects "download" as an unknown Match attribute)
ChrootDirectory /data               # the parent of the actual upload directory; the files live in /data/dataload. The home path /data/dataload does not exist inside the chroot, so the SFTP session starts at the chroot root and the user sees dataload as a top-level directory
# chroot makes the given directory the user's root directory. For a detailed explanation of chroot see:
# http://www.ibm.com/developerworks/cn/linux/l-cn-chroot/
ForceCommand internal-sftp          # force the SFTP command, whatever the client requests
X11Forwarding no                    # these two lines: add them if the users must not be able to use port forwarding, otherwise leave them out
AllowTcpForwarding no
# A Match block extends to the end of the file (or to the next Match), so place it after all global settings.
Attention:
For chroot to work, the directory permissions are critical. Otherwise the login fails, and the client-side error gives no hint why; sshd logs the real reason in /var/log/secure as "fatal: bad ownership or modes for chroot directory component". On the client the failure basically looks like this:
# sftp <user>@192.168.56.102
Connecting to 192.168.56.102...
<user>@192.168.56.102's password:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
Directory permission settings: here are three rules summarised from tests found on the Internet:
1. The ChrootDirectory and every parent directory must be owned by root (root:root here; strictly, sshd checks that the owner is root and that neither group nor others have write permission, so the group owner does not matter).
Here /data is root:root and /data/dataload is upload:dataload, as follows:
# ls -ld /data
drwxr-xr-x 3 root root 4096 May 17:27 /data
# ls -ld /data/dataload/
drwxrwxr-x 4 upload dataload 4096 May 18:11 /data/dataload/
2. For the ChrootDirectory and all of its parents, only the owner may have write permission, i.e. the maximum mode is 755. Directories below the chroot, such as /data/dataload, may be group-writable; that is where the users work.
This one was not tested separately.
3. With ChrootDirectory %h, the user's home directory must be owned by root:root, and so must its parent directories; otherwise the login fails with the same error.
# ls -ld /amovs/
drwxr-xr-x 3 amovs amovs 4096 May 16:00 /amovs/
# chown root:root /amovs
# ls -l /amovs/
drwxr-xr-x 3 root root 4096 May 16:39 data
After the setup there is one more problem: files uploaded over SFTP arrive with mode 644 (directories with 755), so the amovs user, which shares the dataload group, cannot modify them or remove anything inside directories that upload created. In other words, the SFTP session does not pick up the umask that the system applies to a normal login. The -u umask option of internal-sftp was only added in OpenSSH 5.4, so on this 5.3p1 base the umask is set through PAM instead; after checking some references, this was tested successfully.
One. Check that sshd supports PAM, and enable PAM in sshd.
Run ldd /usr/sbin/sshd | grep libpam.so; if it prints a libpam line, sshd is built with PAM support:
$ ldd /usr/sbin/sshd | grep libpam.so
	libpam.so.0 => /lib64/libpam.so.0 (0x00007fce94f79000)
Edit /etc/ssh/sshd_config:
UsePAM yes          # this is on by default; enable it if it is not
Two. Edit /etc/pam.d/sshd (the PAM configuration sshd refers to) and add the umask line at the end:
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    optional     pam_umask.so umask=0002
Restart the sshd service and the setting takes effect.
The test result is shown as a screenshot in the original post and is not reproduced here.
This article is from the "Record Learning" blog; please keep this source link: http://laobaiv1.blog.51cto.com/2893832/1928973
Building an SFTP service on Linux and setting permissions