How to configure ssh/sftp and set permissions under Linux operating system

Compared with FTP, SSH-based sftp service has better security (non-plaintext account and password transmission) and convenient permission management (limiting the user's active directory).

1. Open an sftp account so that users can only operate files through sftp but cannot ssh to the server

2. Limit the user's active directory so that the user can only be active in the specified directory, using the ChrootDirectory configuration of sftp

Determine the version

#Make sure the ssh version is higher than 4.8p1. Otherwise, it is usually higher than this version after upgrading.
ssh -V

Create new users and user groups

#Add user group sftp
groupadd sftp
#Add user specified home directory specified user group does not allow shell login
useradd -d /home/sftp -m -g sftp -s /bin/false sftp
#Set user password
passwd sftp

Active Directory

#Set the active directory you want to limit
mkdir -p /var/www/sftp
#Configure permissions. Note that if this directory is used for subsequent chroot active directory, the directory owner must be root! ! !
chown root.sftp /var/www/sftp

Basic ssh configuration

# Configuration file for ssh service
vi /etc/ssh/sshd_config

#Basic ssh remote login configuration
# Enable verification
PasswordAuthentication yes
#Disable empty password login
PermitEmptyPasswords no
# Enable remote login
PermitRootLogin yes

Now you can use ssh to remotely log in to the server

Configure sftp

#Here we use the system's built-in internal-sftp service to meet the needs
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Subsystem

Subsystem refers to the submodule of ssh. The one enabled here is the sftp module. We use the system's built-in internal-sftp to provide this service. In fact, after configuring this, you can log in using an account ssh or using the ftp client sftp.

If you want users to be able to log in to the server using sftp but not ssh, and want to limit the user's active directory, continue with the following configuration

# Restrictions on logged-in users
Match Group sftp
ChrootDirectory /var/www/sftp # You can also use %h to represent the user's home directory and %u to represent the user name
ForceCommand internal-sftp # Force the use of the system's built-in internal-sftp service so that users can only log in using ftp mode
AllowTcpForwarding no
X11Forwarding no

Match [User|Group] userName|groupName

Match [User|Group] sftp This is the permission limit configuration for the logged-in user. Match will take effect on the matched user or user group and is higher than the general configuration of ssh.

ChrootDirectory The user's active directory can be marked with %h. %u represents the user name. When the user matched by Match logs in, the root directory of the session will be switched to this directory. Two issues should be paid special attention to here.

1. All directories on the chroot path must be owned by root, with a maximum permission of 0755. This must be noted and complied with. So if you log in as a non-root user, we need to create a new directory under chroot that the logged-in user has permission to operate.

2. Once chroot is set, the root directory "/" of the corresponding user's session will be switched to this directory when logging in. If you use ssh instead of sftp protocol to log in, you will most likely be prompted:

/bin/bash: No such file or directory

This prompt is very correct. For the user logged in at this time, the root directory "/" in the session has been switched to the chroot directory you set. Unless your chroot is the system's "/" directory, there will be no bash command under chroot/bin at this time. This is similar to the -s /bin/false parameter set when adding a user. The initial command of the shell is /bin/false, so remote ssh login is naturally unavailable.

ForceCommand The initial command used when forcing a user to log in to a session. If this option is configured as above, the matched user can only log in using the sftp protocol and cannot log in using ssh.
This service allows sftp connections only.

After configuration is complete, restart the sshd service

service sshd restart

Notice:

1. Problems that may arise from chroot. Because chroot will switch the root directory of the session to this directory, ssh login may prompt an error message "/bin/bash: No such file or directory" because the path of this session will be chroot/bin/bash

2. ForceCommand is the initial command at the beginning of the session. If you specify internal-sftp, for example, you will be prompted with This service allows sftp connections only. This is just like the usermod -s /bin/false command. When the user logs in to the session, the /bin/bash command cannot be called, and naturally the ssh login to the server cannot be performed.

Summarize

The above is the method of configuring ssh/sftp and setting permissions under the Linux operating system introduced by the editor. I hope it will be helpful to everyone. If you have any questions, please leave me a message and the editor will reply to you in time. I would also like to thank everyone for their support of the 123WORDPRESS.COM website!