[Original] Enabling the SFTP service on Debian 8

Source: Internet
Author: User

I was astonished to see a certain cloud CDN still using FTP, a protocol that should have been retired long ago, and could not help complaining. FTP used to be the most important protocol on the Internet, but long use has exposed a variety of shortcomings and it is no longer suitable. One of its most serious problems is that the user's password is transferred in plaintext. If you use this CDN, it is best to turn off the FTP management method and use the back-to-source transmission mode directly.

However, in some cases it is not appropriate to transfer files with SVN, git and similar tools (typically binaries that do not need version management), and an FTP-type protocol is the most suitable choice. There are many alternatives to FTP, such as SFTP, FTPS, and WebDAV. My personal favorite is WebDAV, but given that almost all Linux servers have SSH installed, using SFTP saves resources, since no additional processes or ports need to be opened. The SFTP setup process is recorded below; the system environment is Debian 8.

My requirement is this: set up an SFTP directory that files can be uploaded to and downloaded from via SFTP, while Nginx must also be able to read and write it, so that I can upload/update the web program as well as download the web server logs.

The operation flow is as follows:

    • Add an SFTP account

First set up the SFTP directory:

mkdir /var/sftp

Create the user and group for SFTP:

groupadd sftp
useradd -g sftp -d /var/sftp -s /bin/false sftp
passwd sftp # Set password

    • Restricting access to the SFTP service directory via chroot

Edit the SSH configuration file, set the chroot directory to restrict the sftp user to its home directory (%h stands for the user's home directory), and disable other unneeded SSH permissions:

nano /etc/ssh/sshd_config

# Comment out the existing subsystem line:
#Subsystem sftp /usr/lib/openssh/sftp-server
# Add the following new line:
Subsystem sftp internal-sftp
# Limit the SFTP directory so that the user cannot see what should not be seen
Match Group sftp
    ChrootDirectory %h
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Create an upload directory and set its permissions. The owner of the ChrootDirectory and of all its parent directories must be root, and their permissions cannot be greater than 755:

cd /var/sftp
mkdir www
chmod 770 www
chown sftp:sftp www
cd ..
chmod 755 sftp
chown root:root sftp

    • Set the mask so that the external program can use the

Directories and files created during an SFTP upload are always owned by sftp:sftp and their permissions default to 755, so other users can only read, not write. Here we need to change this so that group members can read and write them (of course, once you understand the principle you can also take the easy route and directly allow all users to read and write).

nano /etc/pam.d/sshd

# Add at the end of the file (the umask can also be 0002):
session optional pam_umask.so umask=0007

Add the Nginx user to the sftp group; mine is www-data.

# -a appends the group instead of replacing the user's existing supplementary groups
usermod -a -G sftp www-data

Restore the default umask in the shell so that it is not overridden by the SFTP setting:

nano /etc/…
umask 022

At this point the SFTP service is set up, and you can use any of the popular FTP clients, such as FileZilla or FlashFXP, to upload and download files easily.
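
A check for the ChrootDirectory ownership rule stated above, as an added example that is not part of the original post: sshd refuses the session with "bad ownership or modes for chroot directory" when any directory from the chroot up to / is not owned by root or is writable by group or others. The function names are hypothetical, and `stat -c` assumes GNU coreutils as shipped with Debian.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Checks the rule sshd applies to a ChrootDirectory: the directory and every
# parent up to / must be owned by root (uid 0) and must not be writable by
# group or others. Assumes GNU stat (-c), as shipped with Debian.

# perm_ok UID MODE: succeed if UID is 0 and octal MODE has no 020/002 bits.
perm_ok() {
    [ "$1" -eq 0 ] 2>/dev/null || return 1
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR: walk the physical path from DIR up to / and report
# every component. Returns 0 if all pass, 1 if any fails, 2 if DIR is not a
# directory.
check_chroot_path() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1" >&2
        return 2
    }
    rc=0
    while :; do
        uid=$(stat -c %u "$dir")
        mode=$(stat -c %a "$dir")
        if perm_ok "$uid" "$mode"; then
            echo "ok   $dir (uid=$uid mode=$mode)"
        else
            echo "BAD  $dir (uid=$uid mode=$mode)"
            rc=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return "$rc"
}

# Usage: sh check_chroot.sh /var/sftp
# /var/sftp/www (770, sftp:sftp) lies below the chroot and is not checked.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it as `sh check_chroot.sh /var/sftp` after the setup; any line marked BAD names a directory that has to be fixed with `chown root:root` or `chmod 755` before SFTP logins will work.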
