公司基于安全考虑,要求给用户SFTP,SCP权限可以上传相关文件到指定目录,但不能SSH登录,考虑到RSSH也是个解决方案,但有点麻烦,最后找到了SCPONLY
直接说下配置过程,
如果你的系统是CENTOS,那直接用这个配置
1.wget -c http://nchc.dl.sourceforge.net/s … nly/scponly-4.8.tgz #scponly 支持的软件有scp、sfp、rsync、subversion、gftp等客户端 2. ./configure –prefix=/usr/local/scponly –enable-chrooted-binary –enable-sftp-logging-compat –enable-scp-compat –enable-passwd-compat 3. make && make install #安装配置 4.echo /usr/local/scponly/sbin/scponlyc >> /etc/shells 5.make jail #建立chroot用户、目录及上传文件夹, 根据提示输入 然后我们要写一个脚本 #vi limit_scp.sh #!/bin/bash cp /lib64/ld-linux-x86-64.so.* in /home/$1/lib64/ cp /lib64/libnss_files.so.2 /home/$1/usr/lib64/ ldconfig -r /home/$1/ cp /etc/group /home/$1/etc/ mkdir /home/$1/dev mknod /home/$1/dev/null c 1 3 chmod 666 /home/$1/dev/null cat > /etc/sysconfig/selinux << EOF SELINUX=disabled SELINUXTYPE=targeted EOF exit 0 6.#sh +x limit_scp.sh username #username 是jail时 我们设置的 经过以上步骤就完成了对SCP/SFTP上传目录做出了限制。 好了,可以直接到我们的测试环节了如果你的系统是UBUNTU,那就要注意版本了,我的是Ubuntu 12.04.1 LTS
#wget http://ncu.dl.sourceforge.net/project/scponly/scponly/scponly-4.8/scponly-4.8.tgz #tar -zxvf scponly-4.8.tgz #./configure -prefix=/usr/local/scponly -enable-chrooted-binary -enable-sftp-logging-compat - enable-scp-compat -enable-passwd-compat # makegcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/scponly/etc/scponly/debuglevel"'
-o scponly.o -c scponly.c
scponly.c: In function ‘main’:
scponly.c:226:9: warning: ignoring return value of ‘fscanf’, declared with attribute
warn_unused_result [-Wunused-result]
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/scponly/etc/scponly/debuglevel"'
-o helper.o -c helper.c
helper.c: In function ‘check_dangerous_args’:
helper.c:233:6: error: #elif with no expression
make: *** [helper.o] Error 1
把第 233 行
#elif
改成
#else
再重新make
-en Username to install [scponly]
mytest #要建的用户
-en home directory you wish to set for this user [/home/usertest]
#用户的目录
-en name of the writeable subdirectory [incoming]
www #用户上传的目录
Your platform (Linux) does not have a platform specific setup script.
This install script will attempt a best guess.
If you perform customizations, please consider sending me your changes.
Look to the templates in build_extras/arch.
- joe at sublimation dot org
please set the password for usertest:
Enter new UNIX password:
root@ubuntu:/tmp/scponly-4.8#mkdir /home/usertest/dev root@ubuntu:/tmp/scponly-4.8#cp -rp /dev/null /home/usertest/dev root@ubuntu:/tmp/scponly-4.8#mkdir /home/usertest/lib64/ root@ubuntu:/tmp/scponly-4.8#cp /lib64/ld-linux-x86-64.so.2 /home/usertest/lib64/ root@ubuntu:/tmp/scponly-4.8#cp /lib/x86_64-linux-gnu/libnss_* -av /home/usertest/lib注意:如果没有拷贝lib,就报错,类似:
scponly unknown user 1005 lost connection
好了,我们测试下
SSH
root@ubuntu:/home/mygod# ssh usertest@18.92.185.2 The authenticity of host '18.92.185.2 (18.92.185.2)' can't be established. ECDSA key fingerprint is c1:c2:6a:7a:68:c8:e5:a6:87:f4:9b:95:d5:fd:ff:09. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '18.92.185.2' (ECDSA) to the list of known hosts. usertest@18.92.185.2's password: Welcome to aliyun Elastic Compute Service! The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Tue May 5 16:57:18 2015 from 183.11.156.185 Connection to 18.92.185.2 closed.SFTP
root@ubuntu:/home/mygod# sftp usertest@18.92.185.2 usertest@18.92.185.2's password: Connected to 18.92.185.2. sftp> ls bin dev etc lib lib64 usr www sftp> cd / sftp> ls bin dev etc lib lib64 usr www sftp> cd /root Couldn't canonicalise: No such file or directory sftp>SCP
root@ubuntu:/tmp# scp a.txt usertest@18.92.185.2:www usertest@18.92.185.2's password: a.txt 100% 4 0.0KB/s 00:00验证下目录锁定
root@ubuntu:/tmp# scp usertest@18.92.185.2:/etc/group ./ usertest@18.92.185.2's password: scp: /etc/group: No such file or directory