FTP is not secure, because the user name and password cross the network in clear text. On a shared network segment, an attacker who controls a single server can sniff the FTP passwords used for the other servers and then take control of them.
Many good FTP servers do support encryption. But if the SSH service is already running on the server, SFTP can carry the transfers over it, so why run one more daemon and open one more port?
Below I describe how to replace FTP completely with SFTP, covering three areas: account setup, SSH configuration and permission settings. This tutorial is based on CentOS 5.4.
The following is implemented in this article:
SFTP manages 3 directories, homepage, blog and pay, all under /home/sftp.
The permissions are configured as follows:
Account www can manage all 3 directories;
Account blog can manage only the blog directory;
Account pay can manage only the pay directory.
Web server requirements:
The directory managed by account blog is a blog site served by Apache. The Apache server runs as the apache account, whose group is apache.
Account blog belongs to the apache group, so files it uploads can be deleted by the Apache server; in the same way, blog can delete files created by the Apache server (that is, files owned by the apache account).
SFTP accounts are ordinary Linux operating system accounts, so they can be created with the useradd command.
Start by creating 3 directories to manage:
Create the sftp group and the accounts www, blog and pay; all 3 accounts belong to the sftp group:
groupadd sftp
useradd -m -d /home/sftp -g sftp www
useradd -m -d /home/sftp/blog -g sftp blog
useradd -m -d /home/sftp/pay -g sftp pay
# Put the blog account in the apache group. The original ran useradd a second time here, which fails because the account already exists; usermod makes apache the primary group (so files blog creates get group apache) and keeps sftp as a supplementary group (so the Match Group sftp rule configured below still applies to blog)
usermod -g apache -G sftp blog
# Set the passwords of the 3 accounts
passwd www
passwd blog
passwd pay
The account setup is complete.
The first step is to upgrade OpenSSH: ChrootDirectory is only supported by 4.8p1 and above.
CentOS 5.4 ships OpenSSH 4.3 in its repositories, so OpenSSH has to be upgraded.
Add a new yum source:
vim /etc/yum.repos.d/test.repo
# Enter the following
[centalt]
name=CentALT Packages for Enterprise Linux 5 - $basearch
baseurl=http://centos.alt.ru/repository/centos/5/$basearch/
enabled=0
gpgcheck=0
# :wq to save
Note that gpgcheck=0 turns off package signature verification, and what is being replaced here is sshd itself, pulled from a third-party repository over plain HTTP. Before doing this on a production host, import the repository's GPG key and set gpgcheck=1, or verify the package checksums by another path you trust.
Perform the upgrade:
yum --enablerepo=centalt update -y openssh* openssl*
# Restart the service
service sshd restart
# Check the version again
ssh -V
# OpenSSH_5.8p1, OpenSSL 0.9.8e-fips-rhel5 2008
Keep your existing SSH session open while restarting sshd and open a second one to confirm you can still log in; if the new sshd fails to start, the old session is the only way back in.
After the upgrade succeeds, configure sshd_config to restrict each user's root directory with chroot.
vim /etc/ssh/sshd_config
# Comment out the original Subsystem line
#Subsystem sftp /usr/libexec/openssh/sftp-server
# Enable internal-sftp
Subsystem sftp internal-sftp
# Restrict the root directory of the www user
Match User www
    ChrootDirectory /home/sftp
    ForceCommand internal-sftp
# Restrict the root directory of the blog and pay users
Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
Two things to watch: everything after a Match line belongs to that Match block, so these lines go at the end of the file; and www is also a member of group sftp, and sshd keeps the first value it finds for each keyword, so the Match User www block must come before Match Group sftp.
After completing this step, try to log in with SFTP:
sftp www@abc.com
# or: ssh www@abc.com
# If the following error appears, the directory permissions are probably wrong; continue with the next section
# Connection to abc.com closed by remote host.
# Connection closed
For chroot to work, the directory permissions are critical. Otherwise you cannot log in, and the client-side error gives no useful hint, so there is nothing to go on. I wasted a lot of time on it. The server side does say what is wrong: when the ownership or mode check fails, sshd logs "bad ownership or modes for chroot directory" to /var/log/secure on CentOS, so that log is the first place to look.
Two rules must be followed in the directory permission settings:
The directory set as ChrootDirectory, and every one of its parent directories, must be owned by user root and group root;
The directory set as ChrootDirectory, and every one of its parent directories, may be writable only by the owner, that is, the maximum permission is 755.
If these two rules are not followed, all SFTP users may be affected, even when the offending directory belongs to only one user.
chown root:root /home/sftp /home/sftp/homepage /home/sftp/blog /home/sftp/pay
chmod 755 /home/sftp /home/sftp/homepage /home/sftp/blog /home/sftp/pay
Because the directories above are 755, no non-root user can write files into them. So create a subdirectory under each directory named in ChrootDirectory and give it the right owner and permissions. Taking the homepage directory as an example:
mkdir /home/sftp/homepage/web
chown www:sftp /home/sftp/homepage/web
chmod 775 /home/sftp/homepage/web
To meet the requirement that the Web server and the blog account can delete each other's files, the umask must be set so that newly created directories get 775 and files 664 by default. The original puts the umask into .bashrc, but with ForceCommand internal-sftp no shell is started for the session, so .bashrc is never read and the setting has no effect. On the OpenSSH 5.8p1 installed above, give the umask to the subsystem itself instead, as ForceCommand internal-sftp -u 002 (the -u option exists since OpenSSH 5.4).
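The whole procedure, as an added example that is not code from the original article: a POSIX shell script that bundles the account, directory and sshd_config steps into functions and adds a checker for the two ChrootDirectory rules (root:root and no group/other write bit on the directory and every parent), which is the same check sshd performs before it will chroot. It assumes Linux with GNU or BusyBox stat -c. The names www, blog, pay, /home/sftp and the sftp and apache groups are the article's; the -u 002 umask argument to internal-sftp, the two forwarding settings, and adding www to the apache group so it can also write the blog directory are my additions and not in the article.

```shell
#!/bin/sh
# Added example for the SFTP chroot article, not code from the original post.
# Assumptions: Linux, GNU or BusyBox `stat -c`; names from the article.
# Not in the article: `internal-sftp -u 002` (needs OpenSSH >= 5.4),
# AllowTcpForwarding/X11Forwarding no, and www being added to group apache.

# chroot_path_ok PATH [OWNER_UID] [TOP]
# Walk from PATH up to and including TOP (default /). Every directory must be
# owned by OWNER_UID (default 0, root) and must not be group- or world-writable,
# which is what sshd checks before chrooting. Prints the first offender.
# Returns 0 = ok, 1 = a rule is broken, 2 = stat failed.
chroot_path_ok() {
    p=$1; want=${2:-0}; top=${3:-/}
    while :; do
        uid=$(stat -c %u "$p" 2>/dev/null) || { echo "cannot stat $p"; return 2; }
        sym=$(stat -c %A "$p")              # e.g. drwxr-xr-x
        if [ "$uid" != "$want" ]; then
            echo "$p: owned by uid $uid, expected $want"; return 1
        fi
        case $sym in                        # char 6 = group w, char 9 = other w
            ?????w*|????????w*) echo "$p: group/other writable ($sym)"; return 1 ;;
        esac
        [ "$p" = "$top" ] && return 0
        [ "$p" = / ] && { echo "$top is not an ancestor of $1"; return 1; }
        p=$(dirname "$p")
    done
}

# sshd_match_block User|Group NAME CHROOT: one Match block in the article's form,
# with the umask passed to internal-sftp and port/X11 forwarding disabled.
sshd_match_block() {
    printf 'Match %s %s\n' "$1" "$2"
    printf '    ChrootDirectory %s\n' "$3"
    printf '    ForceCommand internal-sftp -u 002\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# sftp_sshd_config: the sshd_config fragment. www is also in group sftp and
# sshd keeps the first value it finds for each keyword, so the User block must
# precede the Group block; both belong at the end of the file.
sftp_sshd_config() {
    printf '#Subsystem sftp /usr/libexec/openssh/sftp-server\n'
    printf 'Subsystem sftp internal-sftp\n'
    sshd_match_block User www /home/sftp
    sshd_match_block Group sftp '%h'
}

# setup_sftp_accounts: the article's account and directory steps, run as root.
# blog gets apache as primary group (files it uploads are group apache, so
# Apache can delete them) and keeps sftp as supplementary group (so the
# Match Group sftp block still applies). Ends by checking every chroot path
# and only then appends the config and restarts sshd.
setup_sftp_accounts() {
    groupadd sftp
    useradd -m -d /home/sftp -g sftp www
    useradd -m -d /home/sftp/blog -g sftp blog
    useradd -m -d /home/sftp/pay -g sftp pay
    usermod -g apache -G sftp blog
    usermod -a -G apache www            # so www can also manage blog/web
    mkdir -p /home/sftp/homepage/web /home/sftp/blog/web /home/sftp/pay/web
    # chroot roots and their parents: root:root, 755
    chown root:root /home/sftp /home/sftp/homepage /home/sftp/blog /home/sftp/pay
    chmod 755 /home/sftp /home/sftp/homepage /home/sftp/blog /home/sftp/pay
    # writable subdirectories for the accounts themselves
    chown www:sftp /home/sftp/homepage/web
    chown blog:apache /home/sftp/blog/web
    chown pay:sftp /home/sftp/pay/web
    chmod 775 /home/sftp/homepage/web /home/sftp/blog/web /home/sftp/pay/web
    for d in /home/sftp/homepage /home/sftp/blog /home/sftp/pay; do
        chroot_path_ok "$d" || return 1
    done
    sftp_sshd_config >> /etc/ssh/sshd_config && sshd -t && service sshd restart
}
```

Run chroot_path_ok /home/sftp/blog on its own whenever a login fails with "Connection closed"; it names the first directory that breaks a rule, which is exactly the information the client never shows.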
At this point, we have implemented all the required functions.
This article is from the "Dream to Reality" blog; please keep this source: http://lookingdream.blog.51cto.com/5177800/1769233
Full use of SFTP instead of FTP: sftp + OpenSSH + ChrootDirectory setup