If you want to expose only an sftp server to a user, this is easy to do with OpenSSH 5.0 or later.
Newer OpenSSH ships its own in-process sftp server, internal-sftp.
After upgrading, all you need in sshd_config is:
Subsystem sftp internal-sftp
Match User sftpuser
ChrootDirectory /home/sftpuser
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Then make the chroot directory owned by root:
chown root.root /home/sftpuser
Key-based authentication works as usual; the keys can stay in /home/sftpuser/.ssh.
This gives you both the chroot and the sftp-only restriction.
If you only want the chroot (i.e. the user should still be able to log in interactively), you must prepare some files under /home/sftpuser/ first:
The ChrootDirectory must contain the necessary files and directories to support the users’ session. For an interactive session this
requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and
tty(4) devices. For file transfer sessions using “sftp”, no additional configuration of the environment is necessary if the in-process sftp
server is used (see Subsystem for details).
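The chown root.root step above matters because sshd refuses to chroot into a directory unless that directory and every directory above it are owned by root and are not writable by group or others; otherwise the login fails with "bad ownership or modes for chroot directory". A consequence is that sftpuser cannot write into /home/sftpuser itself, so uploads need a user-owned subdirectory below it. The following script is an added example, not part of the original post: it walks a ChrootDirectory path and applies those ownership and mode rules to each component, using the post's /home/sftpuser as the intended input.

```shell
#!/bin/sh
# Added example (not from the original post): check that a ChrootDirectory
# satisfies the rules sshd enforces before chrooting a session. Every path
# component from / down to the chroot must be a directory owned by root and
# must not be writable by group or others.

# Check a single directory from its ls(1)-style mode string and owner name.
# Returns 0 when the directory would be accepted as a chroot component.
chroot_entry_ok() {
    mode=$1
    owner=$2
    [ "$owner" = "root" ] || return 1        # must be owned by root
    case $mode in
        d*) ;;                               # must be a directory
        *) return 1 ;;
    esac
    gw=$(printf '%s\n' "$mode" | cut -c6)    # group write bit (6th char)
    ow=$(printf '%s\n' "$mode" | cut -c9)    # other write bit (9th char)
    [ "$gw" != "w" ] && [ "$ow" != "w" ]
}

# Read mode and owner of one directory via ls -ld and apply chroot_entry_ok.
# Reports the offending path on stderr and returns 1 when it is unsuitable.
inspect_dir() {
    dir=$1
    line=$(ls -ld "$dir") || return 1
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    if chroot_entry_ok "$mode" "$owner"; then
        return 0
    fi
    printf 'bad ownership or modes for %s (%s %s)\n' "$dir" "$mode" "$owner" >&2
    return 1
}

# Walk from / down to the given absolute path, checking every component.
# Returns 0 only if the whole chain is acceptable as a ChrootDirectory.
check_chroot_path() {
    target=$1
    current=""
    old_ifs=$IFS
    IFS=/
    set -- $target                           # split on "/" into components
    IFS=$old_ifs
    inspect_dir / || return 1
    for component in "$@"; do
        [ -n "$component" ] || continue      # skip the empty leading field
        current="$current/$component"
        inspect_dir "$current" || return 1
    done
    return 0
}

# Usage: sh check_chroot.sh /home/sftpuser
if [ $# -gt 0 ]; then
    if check_chroot_path "$1"; then
        echo "$1: acceptable as ChrootDirectory"
    fi
fi
```

Run it as sh check_chroot.sh /home/sftpuser after the chown; running it against /tmp shows the failure case, since /tmp is root-owned but world-writable. To confirm that the Match block actually applies to the account, newer sshd can print the effective configuration for a given user with sshd -T -C user=sftpuser, which should list chrootdirectory and forcecommand as set above.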