Deploying and hardening a dedicated sftp account on CentOS 6u9

Summary:

Create a system user dedicated to sftp
 The user cannot get a shell: the account can only be used for sftp logins
 The user cannot change to any directory outside its chroot (the parent of its home directory)
 Other, normally added users keep full sftp functionality and can still change directory freely after login

Service-side deployment:

# Create root directory for sftp users
mkdir /var/ftp
chmod 755 /var/ftp

# Create a user named sftp dedicated to sftp file transfer
# Home directory: /var/ftp/sftp
# Login shell /sbin/nologin, so the account cannot get an interactive shell
useradd -m -d /var/ftp/sftp -s /sbin/nologin sftp
# The password used for sftp file transfer is sftp
echo sftp|passwd --stdin sftp
# Note: do not set the password with useradd -p; that option expects an already-hashed password, not plain text

# Change the sshd_config configuration file and restart the sshd service
sed -i 's/^Subsystem.*sftp.*$/# &/g' /etc/ssh/sshd_config
cat >>/etc/ssh/sshd_config<<EOF
Subsystem sftp internal-sftp
Match User sftp
    ChrootDirectory /var/ftp
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
EOF
# Append this Match block at the very end of the file and put no other, non-sftp configuration after it:
# sshd treats every directive after a Match line as part of that block until the next Match, so a global setting appended later would silently apply only to the sftp user (or be rejected as not allowed inside Match)
/etc/init.d/sshd restart

Directory permission analysis:

The sftp chroot is /var/ftp, owned by root with mode 755
 The sftp user can therefore list and enter its chroot root but cannot write there (sshd requires the ChrootDirectory and every parent of it to be root-owned and not writable by group or others)
 The user's home directory is /var/ftp/sftp, which it owns with full permissions
 /var/ftp plays the role of /home and /var/ftp/sftp the role of /home/sftp; inside the chroot the client sees the home directory as /sftp
 Directory changes are locked inside /var/ftp; the user cannot escape to the real root filesystem
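Two checks worth running before restarting sshd, as an added example that is not part of the original post: the first walks the ChrootDirectory path the way sshd does (every component root-owned and not group- or world-writable), the second lists which directives have ended up inside Match blocks, which is how the "append at the end" caveat above bites. The function names and the sample sshd_config in the comments are my own; `stat -c` assumes GNU coreutils, as on CentOS.

```shell
#!/bin/sh
# Added example: pre-restart checks for a chrooted sftp setup.

# chroot_path_ok DIR [OWNER_UID] [STOP]
# Mirrors the rule sshd applies to ChrootDirectory: DIR and each of its
# parents up to STOP (default /) must be owned by OWNER_UID (default 0, root)
# and must not be group- or world-writable. Prints the first offending path
# and returns 1; returns 0 when the whole chain is acceptable.
# (OWNER_UID/STOP exist only so the function can be exercised on a scratch
# tree without root; in production call it as: chroot_path_ok /var/ftp)
chroot_path_ok() {
    dir=$1; want_uid=${2:-0}; stop=${3:-/}
    p=$dir
    while :; do
        [ -d "$p" ] || { echo "missing directory: $p"; return 1; }
        owner=$(stat -c %u "$p")          # GNU stat: numeric owner uid
        mode=$(stat -c %a "$p")           # GNU stat: octal mode, e.g. 755 or 1777
        [ "$owner" = "$want_uid" ] || { echo "not owned by uid $want_uid: $p (uid $owner)"; return 1; }
        # group write = second digit from the right, other write = last digit;
        # a digit of 2, 3, 6 or 7 has the write bit set
        case $mode in
            *[2367]?|*[2367]) echo "group/world writable: $p (mode $mode)"; return 1 ;;
        esac
        [ "$p" = "$stop" ] && return 0
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# directives_after_match CONFIG
# Prints every Match line and, indented, each directive that follows it.
# Everything listed under a Match is scoped to that block, not global; any
# keyword you meant to be global that shows up here is the mistake the note
# above warns about. Example output for a config ending in
#   Match User sftp / ChrootDirectory /var/ftp / PasswordAuthentication no:
#   3: Match User sftp
#   4:   ChrootDirectory
#   5:   PasswordAuthentication
directives_after_match() {
    awk 'tolower($1) == "match" { print NR ": " $0; seen = 1; next }
         seen && NF > 0 && $1 !~ /^#/ { print NR ":   " $1 }' "$1"
}
```

On the server the two calls are `chroot_path_ok /var/ftp` and `directives_after_match /etc/ssh/sshd_config`; `sshd -t` will also reject directives that are outright forbidden inside Match, but it says nothing about allowed ones that were merely meant to be global.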

Test Use:

# Other users are unrestricted
sftp -oPort=22 root@192.168.77.10:/tmp

# The new sftp user gets the nologin shell and the chroot; its home is reached as /sftp relative to the chroot
sftp -oPort=22 sftp@192.168.77.10:/sftp

# sftp itself needs the password typed interactively, or passwordless (key-based) ssh login configured
# Non-interactive file transfers can be scripted with lftp
# For example, a simple script that uploads the local /tmp/test.txt into the remote /var/ftp/sftp directory (seen as /sftp inside the chroot):
yum -y install lftp
touch /tmp/test.txt
lftp -u sftp,sftp sftp://192.168.77.10<<EOF
cd /sftp
put /tmp/test.txt
bye
EOF

User added:

# To add another system user with the same sftp-only login,
# you have to create the user, add another entry to sshd_config and restart the sshd service again
# Matching on a group avoids a per-user block. The sftp user created above already has a primary group named sftp
# (useradd creates a group per user on CentOS); put new users into it with -G.
# -g takes a single primary group, so "-g test,sftp" fails with "group does not exist":
useradd -G sftp -m -d /var/ftp/test -s /sbin/nologin test
echo test|passwd --stdin test
# Chroot to the root-owned /var/ftp as for the first user; /var/%u would expand to /var/test, which does not exist
cat >>/etc/ssh/sshd_config<<EOF
Match Group sftp
    ChrootDirectory /var/ftp
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
EOF
/etc/init.d/sshd restart
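An added audit script (not from the original post) for the group-based setup: it reads passwd- and group-style files and reports any member of the sftp group whose shell is not /sbin/nologin or whose home lies outside the chroot, which is exactly what the Match Group block relies on to keep the account confined. The function name, its file arguments and the sample passwd/group lines in the comments are my own constructions; on the server run it against /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example: audit every account that falls under "Match Group sftp".
#
# audit_sftp_group GROUP PASSWD_FILE GROUP_FILE CHROOT
# A user is a member if GROUP is its primary group or it is listed in the
# group's supplementary member list. For each member the shell must be
# /sbin/nologin and the home directory must lie below CHROOT. Offenders are
# printed as "user: shell=... home=..." and the function returns 1;
# it returns 0 when every member passes.
#
# Constructed sample input (from the test below), CHROOT=/var/ftp:
#   passwd: bob:x:1003:1003::/home/bob:/bin/bash   group: sftp:x:1001:test,bob
#   -> prints "bob: shell=/bin/bash home=/home/bob"
audit_sftp_group() {
    grp=$1; passwd=$2; group=$3; root=$4
    awk -F: -v grp="$grp" -v root="$root" '
        BEGIN { rc = 0 }
        # pass 1 (group file): remember the gid of grp and its listed members
        FNR == NR {
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") member[m[i]] = 1
            }
            next
        }
        # pass 2 (passwd file): check every primary or supplementary member
        ($4 == gid && gid != "") || ($1 in member) {
            bad = ""
            if ($7 != "/sbin/nologin") bad = bad " shell=" $7
            if (index($6, root "/") != 1) bad = bad " home=" $6
            if (bad != "") { print $1 ":" bad; rc = 1 }
        }
        END { exit rc }
    ' "$group" "$passwd"
}

# Production call: audit_sftp_group sftp /etc/passwd /etc/group /var/ftp
```

Run it after every useradd and after editing the Match Group block: a member added with a real shell or a home outside /var/ftp is still chrooted by sshd, but the home will not exist inside the chroot, so the account either lands in the chroot root or fails to start; the audit catches the mistake before users do.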


Tags: sftp ftp ssh shell

Posted on Fri, 06 Mar 2020 11:14:41 -0500 by nexgen_x