Using SFTP under CentOS to automatically generate FTP account for website, realize chroot function

<span id="Label3"></p><p><p><strong>background</strong><br>There is a system in your hand: you can create a new project (website) directly in the background, just enter the project name, access the domain name (level two) and some additional information to automatically generate a template Site. The general principle is: when submitting this information, the background will give the project a new directory, and some of the necessary files to copy the past, and then there will be a two-level domain name mapping file to achieve level two domain name Access. of course, the First-level domain name can be accessed, provided that the record is Completed.<br>previously, The single project was managed via a unified sftp account, and as the project increased, it would be difficult to find the appropriate directory, so now you want to automatically generate the corresponding SFTP account for one-to-one management when creating a new Project.</p></p> <p><p><strong>Process</strong><br>VSFTPD is the first choice, and I have tried this Implementation. Due to internal server architecture problems, IP address is a limitation, unable to implement VSFTPD access, asked the relevant people to give the same answer, so forget it.<br>After some understanding, found that SFTP is the only way left, then familiar with, practice, and ultimately solve the needs of Superiors.</p></p> <p><p>Because there is no need to install other Third-party software, only the CentOS system account and some directory permissions settings, the entire implementation process is not too complicated, but the problem of permissions is not so easy to get it done, there are some <strong>rules</strong> can not be violated, or failure.</p></p> <p><p>Suppose the directory structure is this:<br>/var/www/site1<br>/var/www/site2</p></p> <p><p>The corresponding system account is site1 and site2, using passwd to set the corresponding password, site1 and site2 home directory is/var/www/site1 and/var/www/site2</p></p> <p><p>There are two restrictions here:</p></p> <ul> <ul> <li>Directory permissions set from Site1 and site2, and all parent folder permissions, must be root for the master and owner group;</li> <li>The directory permissions set from Site1 and Site2 and all of their parent folder permissions, only the master can have write permissions, that is, the maximum permissions can only be set to 755.</li> </ul> </ul> <p><p>If we put the website files under site1 and site2, there is no authority to change, which is determined by the internal implementation of sftp, we can only abide by. so, The solution is, we create a new web directory under Site1 and site2, the permissions are 775, the owner is site1 and Site2 respectively, the group is still Root. To enable Apache to parse properly, the Apache Service's run group needs to be set to Root.</p></p> <p><p>After the permission settings are complete, modify the Sshd_config settings:</p></p> <pre class="brush: shell; auto-links: false;"><pre class="brush: shell; auto-links: false;">vim/etc/ssh/sshd_config# Note the original subsystem settings Subsystem SFTP /usr/libexec/openssh/sftp-server# Enable Internal-sftpsubsystem sftp internal-sftp# limit www user root directory match user Apache chrootdirectory/var/www Forcecommand internal-sftp# Limit the root of the blog and pay users match Group root chrootdirectory%h Forcecommand internal-sftp</pre></pre> <p><p>In addition, the permissions for other directories generated under the Web directory must also be 775. Can be implemented by modifying Umask for 0002来.</p></p> <p><p>finally, a complete SFTP program was Born.</p></p> <p><p>Ps:<br>Upgrade the version of Openssh. Only 4.8P1 and above support Chroot.<br>The latest version of the CentOS 5.4 source is 4.3, so you need to upgrade Openssh.<br>You can use the SSH-V command to see if an upgrade is required and the upgrade method searches Itself.</p></p><p><p>Using SFTP under CentOS to automatically generate FTP account for website, realize chroot function</p></p></span>