SFTP and FTP are different protocols, SFTP is an SSH-contained protocol, and as long as the sshd server is started, it is available, and it does not require an FTP server to start itself.
1. View OpenSSH software version, want to SFTP service users can only access a specific file directory, version requires more than 4.8
The code is as follows:
[Root@localhost ftp]# Rpm-qa | grep OpenSSH
Openssh-server-5.3p1-81.el6_3.x86_64
Openssh-5.3p1-81.el6_3.x86_64
Openssh-clients-5.3p1-81.el6_3.x86_64
2. New users, restricting users to access only through SFTP
The code is as follows:
[Root@localhost ftp]# useradd-m-d/opt/ftp/dave-s/sbin/nologin Dave
3. Restrict users to enter the home directory through SFTP login, modify/etc/ssh/sshd_config file
The code is as follows:
[Root@localhost ftp]# Vim/etc/ssh/sshd_config
#Subsystem Sftp/usr/libexec/openssh/sftp-server
subsystem SFTP INTERNAL-SFTP
Match User Dave
Chrootdirectory/opt/ftp/dave
X11forwarding No
Allowtcpforwarding No
Forcecommand internal-sftp
Reboot SSH
4. Test access
The code is as follows:
root@10.1.1.200:test# sftp-oport=22 dave@10.1.6.175
Connecting to 10.1.6.175 ...
dave@10.1.6.175 ' s Password:
Read from remote host 10.1.6.175:connection reset by peer
Couldn ' t read packet:connection reset by peer
Find connection not on, view log
The code is as follows:
[Root@localhost ftp]# Tail/var/log/messages
6 11:41:41 localhost sshd[4907]: Fatal:bad ownership or modes for chroot directory "/opt/ftp/dave"
6 11:41:41 localhost sshd[4905]: Pam_unix (sshd:session): Session closed for user Dave
Workaround:
To follow 2 points on directory permission settings:
Chrootdirectory set the directory permissions and all the parent folder permissions, the owner and the group must be root;
Chrootdirectory set the directory permissions and all the parent folder permissions, only the owner can have write permission, the maximum permissions can be set to 755.
If you cannot follow these 2 points, even if the directory belongs to only one user, it may affect all sftp users.
The code is as follows:
[Root@localhost ftp]# LL
Total 4
Drwxr-xr-x 3 Dave Dave 4096 5 13:06 Dave
[Root@localhost ftp]# chown root:root Dave
[Root@localhost ftp]# chmod 755 Dave
[Root@localhost ftp]# LL
Total 4
Drwxr-xr-x 3 root root 4096 5 13:06 Dave
And then in the test pass
The code is as follows:
root@10.1.1.200:test# sftp-oport=22 dave@10.1.6.175
Connecting to 10.1.6.175 ...
dave@10.1.6.175 ' s Password:
Sftp> ls
Test
Sftp> CD ...
Sftp> ls
Test
Sftp> CD Test
Sftp> ls
1.txt
Sftp> Get 1.txt
Fetching/test/1.txt to 1.txt
/test/1.txt
You can see that the user has been restricted from the home directory and the user cannot log on to the machine.