scponly: restrict users from SSH login while still allowing SFTP/SCP file transfers into a specified directory

For security reasons, the company required that users be given SFTP/SCP permission to upload files into a specified directory, but no SSH login. rssh is also a solution, but it is a bit cumbersome; in the end I found scponly.

Here is the configuration process.

If your system is CentOS, use this configuration directly:

1. wget -c http://nchc.dl.sourceforge.net/s…nly/scponly-4.8.tgz # scponly supports clients such as scp, sftp, rsync, subversion and gftp
2. ./configure --prefix=/usr/local/scponly --enable-chrooted-binary --enable-sftp-logging-compat --enable-scp-compat --enable-passwd-compat
3. make && make install # build and install
4. echo /usr/local/scponly/sbin/scponlyc >> /etc/shells
5. make jail # creates the chroot user, its directory and the upload folder; answer the prompts

Then we write a script:

# vi limit_scp.sh
#!/bin/bash
# $1 is the jailed user's name; copy the dynamic loader and the NSS library into the jail
cp /lib64/ld-linux-x86-64.so.* /home/$1/lib64/
cp /lib64/libnss_files.so.2 /home/$1/usr/lib64/
ldconfig -r /home/$1/
cp /etc/group /home/$1/etc/
# scp/sftp need a /dev/null device node inside the jail
mkdir /home/$1/dev
mknod /home/$1/dev/null c 1 3
chmod 666 /home/$1/dev/null
# note: this disables SELinux for the whole host at the next boot, not only for the jail
cat > /etc/sysconfig/selinux << EOF
SELINUX=disabled
SELINUXTYPE=targeted
EOF
exit 0

6. # sh +x limit_scp.sh username # username is the user set during make jail

After the above steps the SCP/SFTP upload directory is restricted. Now on to the test section.

If your system is Ubuntu, pay attention to the version; mine is Ubuntu 12.04.1 LTS.

# wget http://ncu.dl.sourceforge.net/project/scponly/scponly/scponly-4.8/scponly-4.8.tgz
# tar -zxvf scponly-4.8.tgz
# ./configure --prefix=/usr/local/scponly --enable-chrooted-binary --enable-sftp-logging-compat --enable-scp-compat --enable-passwd-compat
# make

gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/scponly/etc/scponly/debuglevel"' -o scponly.o -c scponly.c
scponly.c: In function 'main':
scponly.c:226:9: warning: ignoring return value of 'fscanf', declared with attribute warn_unused_result [-Wunused-result]
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/scponly/etc/scponly/debuglevel"' -o helper.o -c helper.c
helper.c: In function 'check_dangerous_args':
helper.c:233:6: error: #elif with no expression
make: *** [helper.o] Error 1

root@ubuntu:/tmp/scponly-4.8# vi helper.c

Change the #elif on line 233 to #else, then run make again.

root@ubuntu:/tmp/scponly-4.8# make && make install
root@ubuntu:/tmp/scponly-4.8# echo /usr/local/scponly/sbin/scponlyc >> /etc/shells
root@ubuntu:/tmp/scponly-4.8# ln -s /lib64/ld-linux-x86-64.so.2 /lib/ld.so
root@ubuntu:/tmp/scponly-4.8# make jail # creates the chroot user, its directory and the upload folder; answer the prompts

-en Username to install [scponly]

mytest # the user to create

-en home directory you wish to set for this user [/home/usertest]

# the user's home directory

-en name of the writeable subdirectory [incoming]

www # the user's upload directory

Your platform (Linux) does not have a platform specific setup script.

This install script will attempt a best guess.

If you perform customizations, please consider sending me your changes.

Look to the templates in build_extras/arch.

-- joe at sublimation dot org

please set the password for usertest:

Enter new UNIX password:

root@ubuntu:/tmp/scponly-4.8# mkdir /home/usertest/dev
root@ubuntu:/tmp/scponly-4.8# cp -rp /dev/null /home/usertest/dev
root@ubuntu:/tmp/scponly-4.8# mkdir /home/usertest/lib64/
root@ubuntu:/tmp/scponly-4.8# cp /lib64/ld-linux-x86-64.so.2 /home/usertest/lib64/
root@ubuntu:/tmp/scponly-4.8# cp /lib/x86_64-linux-gnu/libnss_* -av /home/usertest/lib

Note: if the libraries are not copied into the jail, the login fails with an error like:

scponly unknown user 1005 lost connection
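The CentOS script and the Ubuntu commands above both hand-assemble the jail, and the "unknown user" error shows how easy it is to miss a piece. The following is an added example, not code from the post or from the scponly project: a small audit script that checks a jail built the way this post describes (device node, dynamic loader, libnss_files, etc/group, upload directory ownership, jail-root permissions) and that the user's login shell really is scponlyc. The function names and the three-argument usage are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit an scponly chroot jail
# after "make jail" and the manual library copies, listing what is missing.
# Assumes the layout the post builds (JAIL/dev/null, the dynamic loader and
# libnss_files under JAIL/lib*, JAIL/etc/group, an upload subdirectory owned
# by the jailed user); the function names are this example's own.

fail() { echo "$1"; n=$((n + 1)); }

# jail_problems JAIL USER SUBDIR: print one problem per line, return the count
jail_problems() {
    j=$1; u=$2; sub=$3; n=0
    # scp/sftp need a real device node; a plain file here is not enough
    [ -c "$j/dev/null" ] || fail "dev/null is missing or not a char device"
    # Loader plus libnss_files cure the "unknown user <uid>" error in the post
    [ -n "$(find "$j" \( -name 'ld-linux*' -o -name 'ld.so' \) 2>/dev/null)" ] \
        || fail "no dynamic loader (ld-linux*/ld.so) inside the jail"
    [ -n "$(find "$j" -name 'libnss_files.so*' 2>/dev/null)" ] \
        || fail "libnss_files.so.2 not found inside the jail"
    [ -f "$j/etc/group" ] || fail "etc/group not copied into the jail"
    # Upload directory must exist and belong to the jailed user
    if [ -d "$j/$sub" ]; then
        [ "$(ls -ld "$j/$sub" | awk '{print $3}')" = "$u" ] \
            || fail "upload directory $sub is not owned by $u"
    else
        fail "upload directory $sub is missing"
    fi
    # If the user can write to the jail root, the chroot gives little isolation
    [ -z "$(find "$j" -prune \( -perm -020 -o -perm -002 \))" ] \
        || fail "jail root is group- or world-writable"
    return $n
}

# user_confined PASSWD_FILE SHELLS_FILE USER: 0 if USER's login shell is
# scponlyc and that shell is listed in SHELLS_FILE (step 4 of the post)
user_confined() {
    shell=$(awk -F: -v u="$3" '$1 == u { print $7 }' "$1")
    case "$shell" in
        */scponlyc) grep -qxF "$shell" "$2" ;;
        *) return 1 ;;
    esac
}

# Usage: sh check_jail.sh /home/usertest usertest www
if [ $# -ge 3 ]; then
    jail_problems "$1" "$2" "$3" && echo "jail $1 looks complete"
    user_confined /etc/passwd /etc/shells "$2" || echo "$2 is not confined to scponlyc"
fi
```

Run it as root against the real jail after the copy steps; a non-zero exit status with the printed list tells you which piece of the jail is still missing.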

OK, let's test it.

SSH

root@ubuntu:/home/mygod# ssh usertest@18.92.185.2
The authenticity of host '18.92.185.2 (18.92.185.2)' can't be established.
ECDSA key fingerprint is c1:c2:6a:7a:68:c8:e5:a6:87:f4:9b:95:d5:fd:ff:09.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '18.92.185.2' (ECDSA) to the list of known hosts.
usertest@18.92.185.2's password:
Welcome to aliyun Elastic Compute Service!
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Tue May  5 16:57:18 2015 from 183.11.156.185
Connection to 18.92.185.2 closed.

SFTP

root@ubuntu:/home/mygod# sftp usertest@18.92.185.2
usertest@18.92.185.2's password:
Connected to 18.92.185.2.
sftp> ls
bin dev etc lib lib64 usr www
sftp> cd /
sftp> ls
bin dev etc lib lib64 usr www
sftp> cd /root
Couldn't canonicalise: No such file or directory
sftp>

SCP

root@ubuntu:/tmp# scp a.txt usertest@18.92.185.2:www
usertest@18.92.185.2's password:
a.txt 100% 4 0.0KB/s 00:00

Verify that the user is locked into the directory:

root@ubuntu:/tmp# scp usertest@18.92.185.2:/etc/group ./
usertest@18.92.185.2's password:
scp: /etc/group: No such file or directory
