Adding an SFTP-only account on Linux, chrooted to a specified directory and unable to log in over SSH

Purpose:

Create a server account that can only use SFTP, and confine it to one subdirectory. For convenience later, create a dedicated group first and then add users to it.

Steps:

Create users and user groups

First of all, it has to be a real user account, and to keep it from logging in interactively its login shell is set to nologin. Note that the path of the nologin shell differs by distribution: it is /sbin/nologin on RHEL/CentOS-family systems (used throughout this page) and /usr/sbin/nologin on Debian/Ubuntu. sshd itself does not consult /etc/shells, but tools that validate login shells (chsh, and the pam_shells PAM module where it is enabled) do, so list /sbin/nologin there as well.

Add the shell type (skip this if it is already listed; grep -x /sbin/nologin /etc/shells tells you)

sudo vim /etc/shells

Create user group and sftp user

-g sets the primary group and -d sets the home directory (which becomes the login path); see the useradd(8) man page for the remaining options. On RHEL-family systems useradd also creates the home directory by default, owned by the new user; the chroot directory must end up owned by root, which the directory step below takes care of.

sudo groupadd sftpUser
sudo useradd -d /home/sftpUser -s /sbin/nologin -g sftpUser tyyh
sudo passwd tyyh # set the user's password
Modify sshd_config

SFTP runs as a subsystem of sshd, so the restrictions are configured in sshd_config. Back the file up with cp first so that a broken edit can be reverted.

Parameter explanation:

Match User tyyh: this line starts a block that applies only to the user named tyyh. To match several users, separate the names with commas, or use Match Group sftpUser to cover every member of the group.

ForceCommand internal-sftp: an OpenSSH (OpenBSD Secure Shell) option that ignores whatever command the client asks for and runs the SFTP (SSH File Transfer Protocol) server built into sshd instead, so matched users can transfer files but cannot execute any other command.

ChrootDirectory /home/sftpUser: uses chroot to make /home/sftpUser the root of the filesystem as the user sees it. sshd requires this directory, and every parent directory up to /, to be owned by root and writable by nobody else; a writable area for the user therefore has to be a subdirectory inside it.

X11Forwarding no: disables X11 forwarding for the matched users; an SFTP-only session has no use for a graphical channel, so shut it off.

AllowTcpForwarding no: disables TCP port forwarding, so the account cannot be used as a pivot to reach other hosts, or services bound to localhost on the server, through the SSH connection.

cd /etc/ssh
sudo cp -p sshd_config sshd_configbak1018
sudo vim sshd_config
----------------------------
Comment out the existing subsystem line:

#Subsystem sftp /usr/libexec/openssh/sftp-server

and add in its place:

Subsystem sftp internal-sftp

This selects the SFTP server built into sshd. It is required here: the external sftp-server binary is started through the user's login shell, and with /sbin/nologin that shell refuses to run anything, so SFTP logins fail. Keep the directive alone on its line; not every OpenSSH version strips a trailing comment, and anything left after the directive would be handed to internal-sftp as arguments.

Then append the following block at the very end of the file. Two things need special attention: the directory named in ChrootDirectory must be owned by root (see the directory step below), and the position of the block matters. Everything after a Match line up to the next Match belongs to that block, and many global directives (Subsystem among them) are not allowed inside one, so if the block is placed before other settings sshd rejects the file and refuses to restart.

Match User tyyh
    ChrootDirectory /home/sftpUser
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
Create the corresponding directory for this user group

The chroot root is owned by root and is not writable by anyone else; the user gets a writable subdirectory underneath it.

cd /home
sudo mkdir -p sftpUser                # may already exist if useradd created it
sudo chown -R root:root ./sftpUser/   # the chroot root must belong to root
sudo chmod -R 755 ./sftpUser/         # and must not be group- or world-writable
cd sftpUser/
sudo mkdir fileStore
sudo chown tyyh:sftpUser fileStore/   # the writable area, one level below the chroot root
sudo chmod 750 fileStore/             # 777 would let every local account on the server write here

Restart the ssh service

Run sudo sshd -t first: it parses the configuration and reports errors without touching the running daemon, so a typo cannot lock you out of the server. Then restart:

service sshd restart
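The whole procedure above, collected into one idempotent script as an added example (this is not the original post's code). It assumes the page's names (tyyh, sftpUser, /home/sftpUser, fileStore) and the RHEL-style /sbin/nologin path, all overridable through environment variables, and it adds the two checks that would have caught the errors described in the troubleshooting section at the end of this page: a walk up the chroot path applying the same ownership-and-mode rule sshd applies, and a check that the Subsystem line has not ended up after a Match block. PermitTTY no comes from the troubleshooting section; AllowAgentForwarding no is an extra hardening setting that is not on the page. Nothing on the system is changed unless the script is run as root with the argument apply.

```shell
#!/bin/sh
# Added example, not the original post's code: the page's procedure as an
# idempotent script, plus the checks that catch the two errors described in
# the troubleshooting section. Names are the page's; NOLOGIN assumes a
# RHEL-family layout (Debian/Ubuntu: /usr/sbin/nologin). Override via env.
set -eu

SFTP_USER="${SFTP_USER:-tyyh}"
SFTP_GROUP="${SFTP_GROUP:-sftpUser}"
CHROOT="${CHROOT:-/home/sftpUser}"
NOLOGIN="${NOLOGIN:-/sbin/nologin}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# sshd accepts a chroot path component only if it is owned by uid 0 and has
# neither the group-write nor the other-write bit set.
chroot_component_ok() {   # args: numeric uid, octal mode as printed by stat %a
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# Walk from DIR up to / and fail on the first component sshd would reject;
# this is the rule behind the "bad ownership or modes for chroot directory"
# fatal in the sshd log.
check_chroot_path() {   # arg: chroot directory
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    while :; do
        set -- $(stat -c '%u %a' "$dir")
        if ! chroot_component_ok "$1" "$2"; then
            echo "bad ownership or modes for chroot component $dir (uid=$1 mode=$2)" >&2
            return 1
        fi
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# The Match block the page appends to sshd_config. PermitTTY no is from the
# page's troubleshooting section; AllowAgentForwarding no is an added hardening.
sftp_match_block() {   # args: user, chroot directory
    printf 'Match User %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand internal-sftp\n'
    printf '    X11Forwarding no\n'
    printf '    AllowTcpForwarding no\n'
    printf '    AllowAgentForwarding no\n'
    printf '    PermitTTY no\n'
}

# Subsystem is not allowed inside a Match block and everything after a Match
# line belongs to that block, so the sftp Subsystem line must come first.
subsystem_precedes_match() {   # arg: sshd_config path
    sub=$(grep -n -m1 -E '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]' "$1" | cut -d: -f1)
    mat=$(grep -n -m1 -E '^[[:space:]]*Match[[:space:]]' "$1" | cut -d: -f1)
    [ -n "$sub" ] && { [ -z "$mat" ] || [ "$sub" -lt "$mat" ]; }
}

setup_sftp_user() {   # must run as root
    grep -qx "$NOLOGIN" /etc/shells || echo "$NOLOGIN" >> /etc/shells
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    # -M: do not let useradd create a user-owned home, which is exactly the
    # ownership that makes ChrootDirectory fail; the tree is built below.
    id "$SFTP_USER" >/dev/null 2>&1 ||
        useradd -M -d "$CHROOT" -s "$NOLOGIN" -g "$SFTP_GROUP" "$SFTP_USER"
    install -d -o root -g root -m 755 "$CHROOT"
    install -d -o "$SFTP_USER" -g "$SFTP_GROUP" -m 750 "$CHROOT/fileStore"
    check_chroot_path "$CHROOT"

    cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.bak.$(date +%Y%m%d%H%M%S)"
    if ! grep -qE '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$SSHD_CONFIG"; then
        # retire any active external sftp-server line (it would be started through
        # the nologin shell and fail), then put internal-sftp before the first Match
        sed -i -E 's|^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]].*|#&|' "$SSHD_CONFIG"
        if grep -qE '^[[:space:]]*Match[[:space:]]' "$SSHD_CONFIG"; then
            sed -i -E '0,/^[[:space:]]*Match[[:space:]]/s/^[[:space:]]*Match[[:space:]]/Subsystem sftp internal-sftp\n&/' "$SSHD_CONFIG"
        else
            echo 'Subsystem sftp internal-sftp' >> "$SSHD_CONFIG"
        fi
    fi
    grep -qE "^Match User $SFTP_USER\$" "$SSHD_CONFIG" ||
        { echo; sftp_match_block "$SFTP_USER" "$CHROOT"; } >> "$SSHD_CONFIG"
    subsystem_precedes_match "$SSHD_CONFIG"

    sshd -t                  # validate first so a typo cannot lock you out
    systemctl restart sshd
}

if [ "${1:-}" = apply ]; then setup_sftp_user; fi
```

Run it as `sudo sh setup-sftp.sh apply` (the file name is arbitrary). The functions can also be sourced on their own: `check_chroot_path /home/sftpUser` reports the first offending directory up the path, which is the quickest way to diagnose the "bad ownership or modes" failure without reading the log.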

Successful result

Configuration modification successful (screenshot not reproduced).

sftp path (screenshot not reproduced).

View the sftp service log

sshd logs through syslog. The SyslogFacility setting in sshd_config (AUTH by default, AUTHPRIV in the stock RHEL configuration) decides which facility the messages are sent to, and the syslog daemon's own configuration (rsyslog.conf, for example) decides which file that facility is written to. Common locations are /var/log/secure on RHEL-family systems and /var/log/auth.log on Debian/Ubuntu; on a systemd host, journalctl -u sshd shows the same messages without having to know the file. The message to look for when a chroot user cannot log in is "bad ownership or modes for chroot directory", which names the directory component that failed the ownership and permission check.

For example, on my system the log is at /var/log/authpriv.log.
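As an added example (not part of the original post), a small triage function for those log lines: it counts, for one user, accepted logins, sftp subsystem requests, chroot failures and failed passwords. Because the chroot fatal does not name the user, the function attributes it to the login with the same PID in the sshd[...] prefix. SAMPLE_LOG is constructed here to mimic OpenSSH's message formats; the timestamps, host name, PIDs and addresses are invented.

```shell
#!/bin/sh
# Added example, not from the original post: triage sshd log lines for the
# SFTP user, correlating by the PID in the sshd[...] prefix so that a chroot
# failure (which does not name the user) is attributed to the login that
# caused it. SAMPLE_LOG is constructed to mimic OpenSSH's message formats.
SAMPLE_LOG='Oct 18 10:01:02 host sshd[2001]: Accepted password for tyyh from 10.0.0.5 port 51234 ssh2
Oct 18 10:01:02 host sshd[2001]: subsystem request for sftp by user tyyh
Oct 18 10:03:40 host sshd[2042]: Accepted password for tyyh from 10.0.0.5 port 51240 ssh2
Oct 18 10:03:40 host sshd[2042]: fatal: bad ownership or modes for chroot directory "/home/sftpUser"
Oct 18 10:05:11 host sshd[2077]: Failed password for tyyh from 10.0.0.9 port 51300 ssh2
Oct 18 10:06:00 host sshd[2090]: Accepted publickey for deploy from 10.0.0.7 port 51400 ssh2'

# Print four counts for USER on one line: accepted logins, sftp subsystem
# requests, chroot fatals attributed to that user, failed passwords.
# Log text is read from stdin.
sftp_log_summary() {   # arg: user name
    awk -v u="$1" '
        match($0, /sshd\[[0-9]+\]/) { pid = substr($0, RSTART + 5, RLENGTH - 6) }
        $0 ~ ("Accepted [^ ]+ for " u " from")              { acc++; owner[pid] = u }
        $0 ~ ("subsystem request for sftp by user " u "$") { sftp++ }
        /bad ownership or modes for chroot directory/ && owner[pid] == u { chroot++ }
        $0 ~ ("Failed password for " u " from")            { fail++ }
        END { printf "%d %d %d %d\n", acc, sftp, chroot, fail }'
}

# Usage on a real host: journalctl -u sshd --no-pager | sftp_log_summary tyyh
# or, on the author's system:  sftp_log_summary tyyh < /var/log/authpriv.log
printf '%s\n' "$SAMPLE_LOG" | sftp_log_summary tyyh   # prints: 2 1 1 1
```

A non-zero third number means the chroot directory (or one of its parents) failed sshd's ownership check for that user's session, which is exactly the situation described in the troubleshooting section below.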

Summary

The permissions issue in particular held me up for a long time. I did not expect that ChrootDirectory in sshd_config requires the directory to be owned by root before it works at all; otherwise both ssh and sftp fail with errors. Linux permissions still deserve careful attention.

Encountered error troubleshooting process

After modifying the configuration I found an error; the configuration change failed to apply:

Restarting sshd (via systemctl): Job for sshd.service failed because the control process exited with error code.

Checked the status as the error message suggests (systemctl status sshd.service and journalctl -xe):

After searching online, the fix was to move the added block to the end of the file; after that the configuration could be modified normally:

Then a new problem appeared:

After completing the configuration, the user had problems with both ssh and sftp, so I checked the possibilities one by one.

Changed the shell type back to a normal shell and removed the user's Match block from the sshd configuration file: login worked normally, but without any restrictions.

Changed the shell to nologin: no change, sftp login still worked, which confirmed that the problem lay in the configuration parameters. Testing showed that all files were visible:

I also found that ssh login was no longer possible. So after setting nologin, the user cannot log in with ssh?

With the following parameters added, it worked normally:

Match User tyyh
    X11Forwarding no
    AllowTcpForwarding no
    PermitTTY no
    ForceCommand internal-sftp

After adding the ChrootDirectory setting, login failed again:

The root cause of the error pointed to the permission settings, that is, the user had no permission to enter the directory?

Then I realised that I had originally made the directory owned by the user itself, for convenience in entering it. Setting it to root:root gave the correct result:
