SSH SFTP configuration and permission settings on CentOS (complete procedure; SELinux is turned off so that uploads work)

Source: Internet
Author: User

Requirements, from a technical point of view:

1. Security: SFTP is somewhat more secure than plain FTP.
2. The server provides an online service, so its users must be controlled: each user may only act within their own home directory.
3. Users may only use SFTP; they must not be able to SSH into the machine and run commands.

To provide the SFTP service you can use the internal-sftp that ships with OpenSSH, or vsftpd. The requirements here are modest, so internal-sftp is chosen directly.

Restricting users to their own home directory requires chroot. OpenSSH supports chroot from 4.8p1 onward; the CentOS 6.3 used here ships OpenSSH 5.3p1, which is sufficient. Run

    # ssh -V

to see the OpenSSH version. If it is older than 4.8p1 you need to upgrade OpenSSH yourself, which is not covered here.

Assume there is a group named sftp. Users in this group may only use SFTP, not SSH, and after logging in via SFTP may only act within their own home directory.

1. Create the sftp group:

    # groupadd sftp

2. Create an SFTP user named mysftp:

    # useradd -g sftp -s /bin/false mysftp
    # passwd mysftp

3. Put the users of the sftp group under /data/sftp. Create a directory named after the user, mysftp, and set it as mysftp's home:

    # mkdir -p /data/sftp/mysftp
    # usermod -d /data/sftp/mysftp mysftp

4. Configure sshd_config. Edit /etc/ssh/sshd_config:

    # vim +132 /etc/ssh/sshd_config

Find the following line and comment it out:

    Subsystem       sftp    /usr/libexec/openssh/sftp-server

Add the following lines:

    Subsystem       sftp    internal-sftp
    Match Group sftp
    ChrootDirectory /data/sftp/%u
    ForceCommand    internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

What the added lines mean:

Subsystem sftp internal-sftp: use the internal-sftp built into OpenSSH to provide the SFTP service.

Match Group sftp: apply the settings that follow to users in the sftp group. To match several groups, separate them with commas. You can also match on user name (Match User mysftp); multiple user names are likewise separated by commas, but matching by group is more flexible and convenient.

ChrootDirectory /data/sftp/%u: use chroot to set the user's root directory to /data/sftp/%u, where %u stands for the user name, so the user can only act within /data/sftp/%u. For what chroot means, see: http://www.ibm.com/developerworks/cn/linux/l-cn-chroot/

ForceCommand internal-sftp: force the SFTP command.

AllowTcpForwarding no and X11Forwarding no: add these two lines if you do not want the users to be able to use port forwarding; otherwise leave them out.

5. Set the chroot directory permissions:

    # chown root:sftp /data/sftp/mysftp
    # chmod 755 /data/sftp/mysftp

Incorrect directory permissions produce "fatal: bad ownership or modes for chroot directory XXXXXX" in the log. The permission rules have two points:

1. Every directory from the one specified by ChrootDirectory up to the system root must be owned by root.
2. No directory from the one specified by ChrootDirectory up to the system root may have group write permission.

Following these two principles:

1) the owner of /data/sftp/mysftp is set to root and its group to sftp;
2) the permissions of /data/sftp/mysftp are set to 755, so the owner root has write permission and the group sftp has none.

6. Set up a directory the SFTP user can write to after logging in. After restarting sshd the user mysftp can already log in, but the directory specified as the chroot root must not be writable, so create a new directory for mysftp to upload files into. Its owner is mysftp, its group is sftp; the owner has write permission and the group does not:

    # mkdir /data/sftp/mysftp/upload
    # chown mysftp:sftp /data/sftp/mysftp/upload
    # chmod 755 /data/sftp/mysftp/upload

7. Restart the sshd service:

    # service sshd restart

At this point mysftp can log in with an SFTP client and upload files into the upload directory. If uploads into this directory still fail with a permission-denied message, check whether SELinux is disabled. SELinux can be turned off as follows: edit /etc/selinux/config, set SELINUX=disabled, and reboot; or run

    # setenforce 0

At first, I thought it was a permission issue that prevented the file from being uploaded, even after giving the folder 777 permissions. Then I simply shut down SELinux, and finally it could upload.

Http://blog.sina.com.cn/s/blog_4fd50c3901018a0l.html
