SUSE Linux SFTP Server Configuration

Source: Internet
Author: User

When one of our company's application systems was integrated with a partner, the partner needed their application to upload and download files on our server over SFTP without entering a password. Other partners had previously exchanged files over FTP.

I looked up some information online; most SFTP write-ups are based on CentOS or Red Hat. I set up SFTP on SUSE 11.1 yesterday and am recording the configuration here as a memo.

1. Goals

(1) In a SUSE 11.1 environment, allow password-free SFTP access using an RSA key pair.

(2) Restrict each SFTP user to their own home directory.


2. SFTP service configuration

SFTP reuses the SSH service, so SFTP is configured by editing /etc/ssh/sshd_config.

(a) Comment out the following line:

#Subsystem sftp /usr/lib64/ssh/sftp-server

The following lines must also be commented out, otherwise sshd will not start. I do not yet know what they are for; after commenting them out nothing has gone wrong.

#This enables accepting locale environment variables LC_* LANG, see sshd_config(5).

#AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES

#AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

#AcceptEnv LC_IDENTIFICATION LC_ALL


(b) Add the following lines:

Subsystem sftp internal-sftp

#The lines after Match apply only to users in the sftp group
Match Group sftp

#chroot path after authentication; %h is the user's home directory
ChrootDirectory %h

#Run the built-in SFTP server and ignore any commands in ~/.ssh/rc
ForceCommand internal-sftp

X11Forwarding no

AllowTcpForwarding no


(c) Add support for RSA key authentication:

#Location of the public key file: the authorized_keys file in the .ssh directory of the user's home directory holds the RSA public key
AuthorizedKeysFile .ssh/authorized_keys

#Set to no to force key-based access only; yes allows both key and password login and is the usual recommendation
PasswordAuthentication no


At this point the SFTP server-side configuration is complete; restart the sshd service.


3. Add SFTP users on the SFTP server

(a) Rman:/usr/sftp-dir # useradd -g sftp -d /usr/sftp-dir/test1 -s /sbin/nologin test1

-s /sbin/nologin prevents the test1 user from logging in to the operating system.

(b) Rman:/usr/sftp-dir # mkdir /usr/sftp-dir/test1

Use the root user to create the directory for the test1 account. Check the permissions of the test1 directory: it must be owned by root with mode 755.

Rman:/usr/sftp-dir # ll

drwxr-xr-x 2 root root 4096 Oct 09:25 test1

Rman:/usr/sftp-dir #

(c) Create the upload and download directories in the user directory

Rman:/usr/sftp-dir/test1 # mkdir upload

Rman:/usr/sftp-dir/test1 # mkdir download

Rman:/usr/sftp-dir/test1 # chown test1. upload

The upload directory is owned by test1.

Rman:/usr/sftp-dir/test1 # ll

total 8

drwxr-xr-x 2 root root 4096 Oct 09:40 download

drwxr-xr-x 2 test1 sftp 4096 Oct 09:40 upload

In testing, the download folder had to keep 755 permissions.


4. Generate the RSA key on the client server and upload it to the target server

(a) Generate the RSA key pair

TEST-LVM:~/.ssh # ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa):

Enter passphrase (empty for no passphrase):    (press Enter directly for a password-free key)

Enter same passphrase again:    (press Enter directly again)

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

The key fingerprint is:

f2:25:e6:5a:3d:2c:4f:d2:19:bf:3c:46:52:15:4f:db [Email PROTECTED]EST-LVM

The key's randomart image is:

+--[RSA 2048]----+
| ...|
| . oo|
| . . e|
|    . |
| .     S O. |
|    = *.+. |
|    * Bo. |
|   o = oo. |
|   . .. O. |
+-----------------+

(b) Upload the RSA public key (*.pub) to the .ssh directory of the sftp user on the target server

TEST-LVM:~/.ssh # ls

id_rsa id_rsa.pub

TEST-LVM:~/.ssh # scp id_rsa.pub [email protected]:/usr/sftp-dir/test1/.ssh


(c) On the target server, rename the public key file in the .ssh directory

sshd_config on the target server specifies the key file name authorized_keys:

AuthorizedKeysFile .ssh/authorized_keys

Therefore the public key file must be renamed:

Rman:/usr/sftp-dir/test1/.ssh # ls

id_rsa.pub

Rman:/usr/sftp-dir/test1/.ssh # mv id_rsa.pub authorized_keys

Rman:/usr/sftp-dir/test1/.ssh # ll

total 4

-rw-r--r-- 1 root root 395 Oct 10:23 authorized_keys

Rman:/usr/sftp-dir/test1/.ssh #

At this point, the SFTP RSA public key pairing is complete.


5. Testing from the client server

Logging in with sftp [email protected] without being asked for a password indicates success:

TEST-LVM:~/.ssh # sftp [email protected]

Connecting to 172.22.2.228...

sftp> ls

download upload

sftp>

Changing to another directory fails; the user is confined to their own home directory:

sftp> cd /home

Couldn't canonicalise: No such file or directory

sftp>


6. Points to note

Differences between SUSE Linux and other distributions

(a) When configuring sshd_config, be sure to comment out the following lines, otherwise the sshd service will not start:

#This enables accepting locale environment variables LC_* LANG, see sshd_config(5).

#AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES

#AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

#AcceptEnv LC_IDENTIFICATION LC_ALL

(b) The download folder must have the permissions shown below; otherwise files that the root user places in the download folder are not visible to the SFTP user. This was tested repeatedly on SuSE 11.1 64-bit; it may be a bug.

Rman:/usr/sftp-dir/test1 # ll

total 8

drwxr-xr-x 2 root root 4096 Oct 09:40 download

drwxr-xr-x 2 test1 sftp 4096 Oct 09:40 upload



This article is from the "Morning Song cattle" blog; please keep this source when reposting: http://168ok8.blog.51cto.com/73394/1565367
