Configuring key-based SFTP login on Linux

Source: Internet
Author: User
Tags: auth, chmod, mkdir, parent directory, ssh

Plain FTP, as served by vsftpd, transmits the username and password in clear text, so anyone capturing packets on the path can recover the credentials. For security, use SFTP instead, lock each user into their own directory, and do not allow SFTP users to log in to the server with a shell. Because SFTP runs over the SSH protocol, you must make sure these users can only use SFTP and cannot open an ssh session on the machine; they authenticate with keys rather than passwords, and the service is offered on a port other than the default 22 (2222 in this example).

1. Create the SFTP user group and the SFTP root directory

groupadd sftp
# The owner of this directory and of every parent directory must be root, and the permissions must be no higher than 755; it is best to set the group of this directory to sftp.
mkdir /data/sftp
chown -R root:sftp /data/sftp
chmod -R 0755 /data/sftp

2. Modify the sshd configuration file

cp /etc/ssh/sshd_config{,_bk}   # back up the configuration file
sed -i 's@^#Port 22@Port 22@' /etc/ssh/sshd_config   # keep port 22 listening: once any explicit Port line exists, sshd listens only on the ports listed
vi /etc/ssh/sshd_config
Comment out this line in /etc/ssh/sshd_config:
Subsystem sftp /usr/libexec/openssh/sftp-server
Add the following. A Match block applies from the Match line to the next Match line or the end of the file, so put it at the end of sshd_config:
Port 2222
Subsystem sftp internal-sftp -l INFO -f AUTH
Match Group sftp
    ChrootDirectory /data/sftp/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -l INFO -f AUTH
internal-sftp is the SFTP server built into sshd; it needs no binaries or libraries inside the chroot, and -l INFO -f AUTH set its log level and syslog facility. ChrootDirectory /data/sftp/%u confines each user to the directory named after them (%u expands to the username), and ForceCommand makes the SFTP server the only thing the session can run, whatever shell the account has.
Every user in the sftp group can then use the SFTP service, and after connecting the only directory they can reach is /data/sftp/<username>.
For example:
test is a member of the sftp group; after connecting to the server over SFTP it can only see the contents of /data/sftp/test.
test2 is also a member of the sftp group; after connecting over SFTP it can only see the contents of /data/sftp/test2.

3. Create an SFTP user

# This example creates an SFTP account named test.
# Create the SFTP home directory for test: the owner of the test directory must be root, the group is best set to sftp, and the permissions must be no higher than 755.
mkdir /data/sftp/test
chmod 0755 /data/sftp/test
chown root:sftp /data/sftp/test
useradd -g sftp -s /sbin/nologin test   # add the user; -s /sbin/nologin prevents command-line (shell) login (on Debian-based systems the path is /usr/sbin/nologin)
The account's real home directory (/home/test) stays outside the chroot. That is where sshd reads authorized_keys from, before it chroots the session, so the key setup below works even though the user never sees /home/test over SFTP.
Create a key pair for the test user. Here it is generated as root on the server and the public key is copied into the user's authorized_keys; the private key /root/.ssh/id_rsa then has to be delivered to the client, so generating the pair on the client and copying only the public key to the server is preferable. With StrictModes (the default) sshd ignores the key if .ssh or authorized_keys is writable by group or others, hence the explicit modes:
# mkdir -p /home/test/.ssh
# ssh-keygen -t rsa
# cp /root/.ssh/id_rsa.pub /home/test/.ssh/authorized_keys
# chmod 700 /home/test/.ssh
# chmod 600 /home/test/.ssh/authorized_keys
# chown -R test:sftp /home/test
Create an upload directory inside the test directory that the user can write to. The chroot directory itself is root-owned and not writable by the user, so this subdirectory is the only place the user can upload:
mkdir /data/sftp/test/upload
chown -R test:sftp /data/sftp/test/upload
Note: the owner of the SFTP root directory must be root and its permissions must not exceed 755 (every parent directory must follow the same rule), and the owner of each SFTP user directory must also be root with permissions not exceeding 755. If any component of the ChrootDirectory path is not root-owned or is writable by group or others, sshd refuses the login and logs "bad ownership or modes for chroot directory".

4. Test SFTP

sshd -t && service sshd restart   # sshd -t checks the configuration for syntax errors first; on systemd distributions use systemctl restart sshd
Log in as the test user with the key; the result is shown in the figure below:
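The four steps above gathered into one script, as an added example that is not part of the original page. It provisions a chrooted, key-only SFTP account, prints the sshd_config fragment, and includes a check of the ChrootDirectory ownership rule that mirrors what sshd enforces on every path component (owner uid 0, no group or other write bit). The root path /data/sftp, group sftp, port 2222, the subcommand names and the script name are the example's own assumptions; stat -c is GNU coreutils syntax; useradd -m and /sbin/nologin assume a Red Hat-style layout. It also adds PasswordAuthentication no to the Match block, which the original does not, so members of the group can only authenticate with keys.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): provision a key-only, chrooted
# SFTP account and verify the ChrootDirectory ownership/permission rule.
# Assumed defaults (override via environment): /data/sftp, group sftp, port 2222.
SFTP_ROOT="${SFTP_ROOT:-/data/sftp}"
SFTP_GROUP="${SFTP_GROUP:-sftp}"
SFTP_PORT="${SFTP_PORT:-2222}"

# sshd's rule for every component of a ChrootDirectory path: owned by uid 0
# and not writable by group or others. Kept as a pure function (uid, octal
# mode as printed by 'stat -c %a', path for the message) so it can be tested
# without root.
chroot_component_ok() {
    local uid="$1" mode="$2" path="$3"
    if [ "$uid" != "0" ]; then
        echo "FAIL $path: owned by uid $uid, must be root" >&2
        return 1
    fi
    # Leading 0 makes the shell read the mode as octal; 022 = g+w and o+w.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $path: mode $mode is group- or world-writable" >&2
        return 1
    fi
    return 0
}

# Walk from the chroot directory up to / and check every component, the
# same walk sshd does before logging "bad ownership or modes for chroot
# directory". GNU stat syntax (Linux).
check_chroot_path() {
    local p="$1" st rc=0
    while :; do
        if ! st=$(stat -c '%u %a' "$p" 2>/dev/null); then
            echo "FAIL $p: cannot stat" >&2
            return 1
        fi
        # $st is "uid mode"; left unquoted so it splits into two arguments.
        chroot_component_ok $st "$p" || rc=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return "$rc"
}

# sshd_config fragment. Port 22 is listed explicitly because once any Port
# line exists sshd listens only on the listed ports. The Match block runs to
# the next Match or end of file, so append the fragment at the very end.
render_sshd_config() {
    cat <<EOF
Port 22
Port ${SFTP_PORT}
Subsystem sftp internal-sftp -l INFO -f AUTH
Match Group ${SFTP_GROUP}
    ChrootDirectory ${SFTP_ROOT}/%u
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication no
    ForceCommand internal-sftp -l INFO -f AUTH
EOF
}

# Create the group, directory tree and account for one user. Root only.
# $1 = username, $2 = path to the user's public key file (generated on the
# client; only the public half goes on the server).
provision_sftp_user() {
    local user="$1" pubkey="$2" chroot_dir ssh_dir
    chroot_dir="${SFTP_ROOT}/${user}"
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    # Chroot target and its parent: root-owned, 0755, so the user cannot write there.
    install -d -o root -g root -m 0755 "$SFTP_ROOT"
    install -d -o root -g "$SFTP_GROUP" -m 0755 "$chroot_dir"
    # No shell; -m creates /home/<user>, where sshd reads authorized_keys
    # before chrooting (Debian: /usr/sbin/nologin).
    id "$user" >/dev/null 2>&1 || useradd -m -g "$SFTP_GROUP" -s /sbin/nologin "$user"
    # The only writable location inside the chroot.
    install -d -o "$user" -g "$SFTP_GROUP" -m 0750 "$chroot_dir/upload"
    ssh_dir="$(getent passwd "$user" | cut -d: -f6)/.ssh"
    install -d -o "$user" -g "$SFTP_GROUP" -m 0700 "$ssh_dir"
    install -o "$user" -g "$SFTP_GROUP" -m 0600 "$pubkey" "$ssh_dir/authorized_keys"
    check_chroot_path "$chroot_dir"
}

# Usage (as root, after commenting out the old Subsystem line in sshd_config):
#   ./sftp-user.sh provision test /tmp/test_id_rsa.pub
#   ./sftp-user.sh config >> /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
#   ./sftp-user.sh check /data/sftp/test
# From the client:  sftp -P 2222 -i ~/.ssh/id_rsa test@server
case "${1:-}" in
    provision) provision_sftp_user "$2" "$3" ;;
    config)    render_sshd_config ;;
    check)     check_chroot_path "$2" ;;
    *)         ;;  # no argument: only define the functions (safe to source)
esac
```

The check subcommand is worth running whenever a login fails with "bad ownership or modes for chroot directory": the failing component is often a parent such as /data that was created 775 by a deploy tool, not the user directory itself.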
