Replacing FTP entirely with SFTP: sftp + OpenSSH + ChrootDirectory setup

Source: Internet
Author: User
Tags ftp protocol

Because the user name and password are transmitted in clear text, the FTP protocol is not secure. If any one server in the same network segment is under an attacker's control, the attacker can capture the FTP passwords of the other servers and take control of them as well.

Of course, many excellent FTP servers already support encryption. But if the SSH service is already running on the server, we can transfer data with SFTP, so why open one more process and one more port?

Below, I describe how to replace FTP completely with SFTP, covering three aspects: account settings, SSH settings, and permission settings. This tutorial is based on CentOS 5.4.


This article implements the following:

SFTP manages three directories:

    • Homepage

    • Blog

    • Pay

Permissions are configured as follows:

    • Account www can manage all three directories;

    • Account blog can manage only the blog directory;

    • Account pay can manage only the pay directory.

Web server requirements:

    • The directory managed by the blog account is a blog site served by Apache. The Apache server runs as the apache account, whose group is the apache group.

    • The blog account belongs to the apache group, so files it uploads can be deleted by the Apache server; likewise, the blog account can delete files created by the blog site itself (that is, files owned by the apache account).

Account Settings

SFTP accounts are simply Linux operating system accounts, so we can create them with the useradd command.

Start by creating the three directories to manage:


Create an sftp group and the www, blog and pay accounts; all three accounts belong to the sftp group:

    groupadd sftp
    useradd -m -d /home/sftp -g sftp www
    useradd -m -d /home/sftp/blog -g sftp blog
    useradd -m -d /home/sftp/pay -g sftp pay
    # Add the blog account to the apache group as a supplementary group
    # (usermod rather than a second useradd, which fails because the account already exists)
    usermod -a -G apache blog
    # Set the passwords of the three accounts
    passwd www
    passwd blog
    passwd pay

The account setup is complete.

SSH settings

The first step is to upgrade OpenSSH: only version 4.8p1 and later support chroot.

The newest version in the CentOS 5.4 repositories is 4.3, so OpenSSH has to be upgraded.

Add a new package source:

    vim /etc/yum.repos.d/test.repo
    # Enter the following:
    [centalt]
    name=centalt Packages for Enterprise Linux 5-$basearch
    baseurl=http://centos.alt.ru/repository/centos/5/$basearch/
    enabled=0
    gpgcheck=0
    # :wq to save

Perform the upgrade:

    yum --enablerepo=centalt update -y openssh* openssl*
    # Restart the service
    service sshd restart
    # Check the version again
    ssh -V
    # OpenSSH_5.8p1, OpenSSL 0.9.8e-fips-rhel5 2008

After the upgrade succeeds, edit sshd_config to restrict each user's root directory with chroot.

    vim /etc/ssh/sshd_config
    # Comment out the original Subsystem setting
    #Subsystem      sftp    /usr/libexec/openssh/sftp-server
    # Enable internal-sftp
    Subsystem       sftp    internal-sftp
    # Restrict the root directory of the www user. www is also a member of
    # group sftp, so this block must come before the group block: sshd keeps
    # the first value it obtains for each keyword
    Match User www
        ChrootDirectory /home/sftp
        ForceCommand    internal-sftp
    # Restrict the blog and pay users to their own home directories
    Match Group sftp
        ChrootDirectory %h
        ForceCommand    internal-sftp

After completing this step, try logging in over SFTP:

    sftp USER@abc.com     # USER stands for one of www, blog, pay
    # or: ssh USER@abc.com
    # If the following error message appears, the directory permissions are
    # probably wrong; continue with the next section
    # Connection to abc.com closed by remote host.
    # Connection closed

Permission settings

To make chroot work, the directory permissions are critical. If they are wrong you cannot log in, and the error message gives no hint of where to look. I wasted a lot of time on this.

Two rules to follow when setting directory permissions:

    1. The directory set as ChrootDirectory and all of its parent directories must be owned by root, with group root;

    2. The directory set as ChrootDirectory and all of its parent directories may be writable only by their owner; that is, the permissions can be at most 755.

If these two rules are not followed, all SFTP users may be affected, even when the offending directory belongs to a single user.

    chown root.root /home/sftp /home/sftp/homepage /home/sftp/blog /home/sftp/pay
    chmod 755 /home/sftp /home/sftp/homepage /home/sftp/blog /home/sftp/pay
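A check script for the two rules above (an added example, not code from the original post): it walks from the ChrootDirectory up to / and reports the first component that is not owned by root:root or that carries a group or other write bit, which is exactly the condition that makes sshd close the connection. The listings at the bottom are constructed to mirror the /home/sftp layout in the text; the uid and gid values in them are made up.

```sh
#!/bin/sh
# Added example, not part of the original post: verify the two ChrootDirectory
# rules from the text for every path component (owner root:root, no group or
# other write bit), which is what sshd checks before it will chroot the user.

# Pure check over lines of "path uid gid octal_mode" on stdin; prints the
# first violation and returns 1, or returns 0 when every entry is acceptable.
check_chroot_entries() {
    while read -r p uid gid mode; do
        [ -n "$p" ] || continue
        if [ "$uid" != 0 ] || [ "$gid" != 0 ]; then
            echo "BAD: $p owned by $uid:$gid, must be 0:0 (root:root)"; return 1
        fi
        # 022 (octal) masks the group and other write bits; 0$mode is octal too
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD: $p has mode $mode, group/other write not allowed (max 755)"; return 1
        fi
    done
    return 0
}

# Walk from the chroot directory up to / and feed real stat output (GNU stat,
# as on CentOS) to the checker. Usage: check_chroot_path /home/sftp/blog
check_chroot_path() {
    dir=$1
    {
        while :; do
            printf '%s ' "$dir"; stat -c '%u %g %a' "$dir" 2>/dev/null || echo '? ? ?'
            [ "$dir" = / ] && break
            dir=$(dirname "$dir")
        done
    } | check_chroot_entries
}

# Constructed sample listings (made-up uids/gids) mirroring the layout in the text
GOOD_TREE='/ 0 0 755
/home 0 0 755
/home/sftp 0 0 755
/home/sftp/blog 0 0 755'
# home directory still owned by the blog account after useradd -m, chown missed
BAD_OWNER_TREE='/ 0 0 755
/home 0 0 755
/home/sftp 0 0 755
/home/sftp/blog 501 500 755'
# /home/sftp left group-writable (775): every sftp user is then locked out
BAD_MODE_TREE='/ 0 0 755
/home 0 0 755
/home/sftp 0 0 775
/home/sftp/pay 0 0 755'
```

Running check_chroot_path on the real ChrootDirectory after the chown and chmod above should print nothing and return 0.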

Because the directories above have permission 755, no non-root user can write files into them. We therefore need to create subdirectories under the directory specified by ChrootDirectory and set their owner and permissions. Taking the homepage directory as an example:

    mkdir /home/sftp/homepage/web
    chown www.sftp /home/sftp/homepage/web
    chmod 775 /home/sftp/homepage/web

To satisfy the requirement that the web server and the blog account can delete each other's files, umask must be set so that files and directories are created with permission 775 by default. Write the following into .bashrc:

    umask 0002
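One caveat worth knowing (an added note, not part of the original post): ForceCommand internal-sftp runs the SFTP server inside sshd without starting the user's shell, so a umask placed in .bashrc is never read for SFTP sessions. With the OpenSSH 5.8p1 installed above, the in-process server accepts the umask as an option instead, so the equivalent setting belongs in sshd_config:

```text
# sshd_config: pass the umask to the in-process SFTP server (OpenSSH 5.4 and later)
Subsystem       sftp    internal-sftp -u 0002
Match Group sftp
    ChrootDirectory %h
    ForceCommand    internal-sftp -u 0002
```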

At this point, we have implemented all the required functions.

This article comes from the "Dream to Reality" blog; please keep this source: http://lookingdream.blog.51cto.com/5177800/1769233
