Reset owner and Permissions

Source: Internet
Author: User
Tags: openssl version

The method for restricting SFTP user access is described below, for reference by anyone who needs it.

Step one: Check the OpenSSH version

The code is as follows:
# rpm -qa | grep ssh
openssh-4.3p2-36.el5
openssh-clients-4.3p2-36.el5
openssh-server-4.3p2-36.el5
openssh-askpass-4.3p2-36.el5
Or:
# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 Jul 2008

The OpenSSH version on the system is 4.3p2, which is below 4.8p1 (the first release with ChrootDirectory and internal-sftp support, used in the later steps), so it needs to be upgraded.
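As an added illustration (not part of the original article), the following POSIX shell functions parse the banner that ssh -V prints and decide whether the installed OpenSSH is older than 4.8p1. The banner strings used in the comments and tests are constructed samples in the same format as the output shown above.

```shell
#!/bin/sh
# Added example: decide from the "ssh -V" banner whether OpenSSH is older than
# 4.8p1, the first release with ChrootDirectory / internal-sftp support.

# openssh_version_key BANNER
# Turns e.g. "OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008" into a
# sortable integer: major*10000 + minor*100 + portable patch level (40302).
# Returns 2 if the banner does not contain an OpenSSH version.
openssh_version_key() {
    # The patch level "pN" is optional: OpenBSD builds print e.g. "OpenSSH_9.6,".
    v=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\{0,1\}\([0-9]*\).*/\1 \2 \3/p')
    [ -n "$v" ] || return 2
    set -- $v
    major=$1; minor=$2; patch=${3:-0}
    echo $(( major * 10000 + minor * 100 + patch ))
}

# openssh_needs_upgrade BANNER
# Exit status 0 if the version is below 4.8p1 (upgrade needed), 1 otherwise,
# 2 if the banner could not be parsed.
openssh_needs_upgrade() {
    key=$(openssh_version_key "$1") || return 2
    [ "$key" -lt $(( 4 * 10000 + 8 * 100 + 1 )) ]
}

# Usage on a live system (ssh -V writes the banner to stderr):
#   if openssh_needs_upgrade "$(ssh -V 2>&1)"; then echo "upgrade needed"; fi
```

Because the comparison is numeric rather than a string comparison, 4.10p1 would correctly sort after 4.8p1, which a plain text sort would get wrong.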

Step two: Download the latest OpenSSH software
OpenSSH is free and can be downloaded from the official website: www.openssh.com
The latest version at the time of writing is OpenSSH 6.0; download the file openssh-6.0p1.tar.gz.

When downloading, also read the official installation guidance document: it contains the installation instructions and precautions for this version, and it is best to read it carefully.

Step three: Confirm the OpenSSH installation prerequisites
As stated in the official installation guidance document, installing OpenSSH 6.0 requires two things:
You'll need working installations of Zlib and OpenSSL.
Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/

OpenSSL 0.9.6 or greater:
http://www.openssl.org/

These are the minimum versions of zlib and OpenSSL that the OpenSSH 6.0 installation depends on; if the versions on the server do not meet the requirements, upgrade those two packages first.

First we need to confirm the version of Zlib and OpenSSL software on the server:

The code is as follows:

# rpm -qa | grep -i zlib
zlib-devel-1.2.3-3
perl-Compress-Zlib-1.42-1.fc6
zlib-1.2.3-3
perl-IO-Zlib-1.04-4.2.1

# rpm -qa | grep -i openssl
pyOpenSSL-0.6-1.p24.7.2.2
openssl-devel-0.9.8e-12.el5
openssl-0.9.8e-12.el5

As you can see, the zlib version is 1.42 and the OpenSSL version is 0.9.8, which meet the requirements for installing OpenSSH 6.0.

Step four: Uninstall the existing OpenSSH software
Before installing, there are several tasks to complete:

(1) Stop the sshd service
# service sshd stop
Stopping sshd: [ OK ]

(2) Back up the sshd init script
Note: Before uninstalling, make a backup of the /etc/init.d/sshd file. After the installation is complete, copy the backup back into the /etc/init.d/ directory so that service sshd start/stop/restart can still be used to manage the sshd service after the upgrade; otherwise it will not be available.
# cp /etc/init.d/sshd /root/sshd

(3) Uninstall the OpenSSH software already on the server
To uninstall OpenSSH, first list the RPM packages that need to be removed with rpm -qa, then remove them with rpm -e:

Query:
# rpm -qa | grep -i openssh
openssh-4.3p2-36.el5
openssh-clients-4.3p2-36.el5
openssh-server-4.3p2-36.el5
openssh-askpass-4.3p2-36.el5
Remove (--nodeps skips the dependency check, since the packages depend on each other):
# rpm -e openssh-4.3p2-36.el5 --nodeps
# rpm -e openssh-clients-4.3p2-36.el5 --nodeps
# rpm -e openssh-server-4.3p2-36.el5 --nodeps
# rpm -e openssh-askpass-4.3p2-36.el5 --nodeps

(4) Delete the files under the /etc/ssh/ directory
# rm -rf /etc/ssh/*
Note that this also removes the server's host keys; make install in the next step generates a new set, so existing clients will see a changed host key on their next connection.

Step five: Install the OpenSSH software
Unpack the downloaded package openssh-6.0p1.tar.gz:
# tar -zxvf openssh-6.0p1.tar.gz

Install the OpenSSH software:
Go into the extracted directory and run the following configure, compile and install commands in order:
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man
# make
# make install

Once this completes, use ssh -V to check the OpenSSH version and verify the installation:
# ssh -V
OpenSSH_6.0p1, OpenSSL 0.9.8e-fips-rhel5 Jul 2008
The version is now 6.0p1, which shows the installation went through without problems.

Next, restore the sshd init script by copying the backed-up file back into the /etc/init.d/ directory:
# cp /root/sshd /etc/init.d/sshd

Test stopping and starting the sshd service:
# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
At this point the OpenSSH upgrade is done.

Attention:
After this upgrade the sshd service does not start automatically after a reboot. To have sshd start at boot, run the following commands:
# chkconfig --add sshd
# chkconfig --level 123456 sshd on
The sshd service will now start automatically after booting.

Step six: Configure access rights for SFTP users
(1) Create the root directory for SFTP users
# mkdir -p /home/sftp
# chmod -R 755 /home/sftp

(2) Create an SFTP group and an SFTP user
# groupadd sftp
# useradd -g sftp -d /home/sftp/blog blog
# passwd blog

(3) Permission settings
Edit the /etc/ssh/sshd_config configuration file to confine the user's root directory with chroot.
# vi /etc/ssh/sshd_config
# override default of no subsystems
# comment out the original Subsystem setting
#Subsystem sftp /usr/libexec/sftp-server
# enable internal-sftp
Subsystem sftp internal-sftp

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
# restrict the root directory of the blog user
Match User blog
        ChrootDirectory /home/sftp/blog/
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
Save, exit and restart the sshd service:
# service sshd restart

(4) Test the SFTP permission control
Trying to log in over sftp as the blog user fails, and the message shown gives little indication of the reason. Why?
When chroot is used to confine a user's root directory, the directory permission settings are critical; otherwise the login is refused.

Two rules must be followed when setting the directory permissions:
The directory set by ChrootDirectory and every one of its parent directories must be owned by root, with group root;
The directory set by ChrootDirectory and every one of its parent directories may be writable only by the owner, i.e. the most permissive mode allowed is 755.
If these two rules are not followed, all SFTP users may be affected, even if the directory belongs to only one user.

To set the owner and permissions of the directories:
# chown root:root /home/sftp /home/sftp/blog
# chmod 755 /home/sftp /home/sftp/blog

Because the directories above are set to 755, no non-root user can write files into them. We therefore create a subdirectory under the directory specified by ChrootDirectory and set its owner and permissions. Taking the blog directory as an example:
# mkdir /home/sftp/blog/web
# chown blog:sftp /home/sftp/blog/web
# chmod 775 /home/sftp/blog/web

After this, logging in over sftp as the blog user again works normally, and the user is confined to /home/sftp/blog/ as their root directory, which meets our requirements.

Addendum:
The above restricts a single SFTP user. The following configuration restricts every user in the sftp group instead:
Match Group sftp
        ChrootDirectory /home/sftp/
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
With this setting all members of the group share /home/sftp as their root directory and can see each other's directories, so the per-directory ownership and permissions decide what each of them can read or write.

      • This article from: Hobby Linux Technology Network
      • This article link: http://www.ahlinux.com/start/cmd/2686.html

