CentOS上搭建SFTP
<h1 align="center"><strong><span style="font-family: Calibri">CentOS</span><span style="font-family: 宋体">上搭建</span><span style="font-family: Calibri">SFTP</span></strong></h1><p> </p>
<p><span style="font-family: 宋体">在</span><span style="font-family: Calibri">CentOS</span><span style="font-family: 宋体">上安装</span><span style="font-family: Calibri">SFTP</span><span style="font-family: 宋体">服务通常是通过安装</span><span style="font-family: Calibri">OpenSSH</span><span style="font-family: 宋体">来实现的,因为</span><span style="font-family: Calibri">OpenSSH</span><span style="font-family: 宋体">默认提供了</span><span style="font-family: Calibri">SFTP</span><span style="font-family: 宋体">功能。以下是在</span><span style="font-family: Calibri">CentOS</span><span style="font-family: 宋体">上安装</span><span style="font-family: Calibri">SFTP</span><span style="font-family: 宋体">的步骤:</span></p>
<p> </p>
<h2><strong>一、</strong><strong><span style="font-family: 黑体">安装</span><span style="font-family: Arial">OpenSSH</span><span style="font-family: 黑体">服务器:</span></strong></h2>
<p><span style="font-family: Calibri">sudo yum install openssh-server</span></p>
<p><span style="font-family: 宋体">启动</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">服务:</span></p>
<p><span style="font-family: Calibri">sudo systemctl start sshd</span></p>
<p><span style="font-family: 宋体">确保</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">服务随系统启动而启动:</span></p>
<p><span style="font-family: Calibri">sudo systemctl enable sshd</span></p>
<p><span style="font-family: 宋体">检查</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">服务状态:</span></p>
<p><span style="font-family: Calibri">sudo systemctl status sshd</span></p>
<p><span style="font-family: 宋体">这将显示</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">服务是否正在运行以及其他相关信息。</span></p>
<p><span style="font-family: 宋体">现在,你的</span><span style="font-family: Calibri">CentOS</span><span style="font-family: 宋体">服务器上应该已经安装并运行了</span><span style="font-family: Calibri">SFTP</span><span style="font-family: 宋体">服务。你可以使用任何支持</span><span style="font-family: Calibri">SFTP</span><span style="font-family: 宋体">的客户端(如</span><span style="font-family: Calibri">WinSCP</span><span style="font-family: 宋体">、</span><span style="font-family: Calibri">FileZilla</span><span style="font-family: 宋体">等)连接到服务器。确保使用</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">协议(端口</span><span style="font-family: Calibri">22</span><span style="font-family: 宋体">)进行连接,并使用具有适当权限的用户凭据进行身份验证。</span></p>
<p> </p>
<h2><strong><span style="font-family: 黑体">二、配置</span><span style="font-family: Arial">sftp</span><span style="font-family: 黑体">用户、访问目录等</span></strong></h2>
<p><span style="font-family: 宋体">下面是一个完整的例子,假设我们要创建一个名为</span><span style="font-family: Calibri">sftpuser</span><span style="font-family: 宋体">的用户,限制他只能访问</span><span style="font-family: Calibri">/sftp</span><span style="font-family: 宋体">目录,并且使用特定的</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">配置文件。</span></p>
<p> </p>
<p><span style="font-family: 宋体">创建</span><span style="font-family: Calibri">SFTP</span><span style="font-family: 宋体">用户:</span></p>
<p><span style="font-family: Calibri">sudo useradd -m -s /sbin/nologin sftpuser</span></p>
<p>设置用户密码:</p>
<p><span style="font-family: Calibri">sudo passwd sftpuser</span></p>
<p><span style="font-family: 宋体">创建用户的</span><span style="font-family: Calibri">SFTP</span><span style="font-family: 宋体">根目录:</span></p>
<p><span style="font-family: Calibri">sudo mkdir /sftp</span></p>
<p>设置根目录的权限(<span style="font-family: 宋体">根目录必须是</span><span style="font-family: Calibri">root</span><span style="font-family: 宋体">用户,否则</span><span style="font-family: Calibri">sftp</span><span style="font-family: 宋体">连接不上</span>):</p>
<p><span style="font-family: Calibri">sudo chown root:root /sftp</span></p>
<p><span style="font-family: Calibri">sudo chmod 755 /sftp</span></p>
<p><span style="font-family: 宋体">在根目录下层建立子目录方可以写入</span><span style="font-family: Calibri">(</span><span style="font-family: 宋体">根目录只能读取不能写入</span><span style="font-family: Calibri">,</span><span style="font-family: 宋体">因为根目录必须是</span><span style="font-family: Calibri">root</span><span style="font-family: 宋体">用户,而</span><span style="font-family: Calibri">sftp</span><span style="font-family: 宋体">访问的用户却是我们新建的</span><span style="font-family: Calibri">sftpuser)</span></p>
<p><span style="font-family: Calibri">mkdir /sftp/sharedata</span></p>
<p><span style="font-family: Calibri">chown sftpuser:sftpuser /sftp/sharedata</span></p>
<p> </p>
<p><span style="font-family: 宋体">创建新用户自定义</span><span style="font-family: Calibri">ssh</span><span style="font-family: 宋体">配置</span></p>
<p>简单点直接修改<span style="font-family: Calibri">/etc/ssh/sshd_config</span><span style="font-family: 宋体">也可以</span><span style="font-family: Calibri">,</span><span style="font-family: 宋体">这样服务启动选项</span><span style="font-family: Calibri">sshd.service</span><span style="font-family: 宋体">就不用改了</span></p>
<p><span style="font-family: 宋体">创建用户的</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">配置文件目录:</span></p>
<p><span style="font-family: Calibri">sudo mkdir /home/sftpuser/.ssh</span></p>
<p><span style="font-family: 宋体">复制系统</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">配置文件到用户目录:</span></p>
<p><span style="font-family: Calibri">sudo cp /etc/ssh/sshd_config /home/sftpuser/.ssh/sshd_config</span></p>
<p><span style="font-family: 宋体">编辑用户的</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">配置文件:</span></p>
<p><span style="font-family: Calibri">sudo </span><span style="font-family: Calibri">vi</span> <span style="font-family: Calibri">/home/sftpuser/.ssh/sshd_config</span></p>
<p><span style="font-family: 宋体">在这个文件中,确保你有适当的配置,例如使用</span><span style="font-family: Calibri">ChrootDirectory</span><span style="font-family: 宋体">限制用户访问,以及其他任何你想要自定义的配置。</span><span style="font-family: 宋体">注意将这个配置节放到最后,否则老是报错:</span> <span style="font-family: Calibri">"Directive 'UseDNS' is not allowed within a Match block" </span><span style="font-family: 宋体">表明在 </span><span style="font-family: Calibri">Match </span><span style="font-family: 宋体">块中不允许使用 </span><span style="font-family: Calibri">UseDNS </span><span style="font-family: 宋体">这个指令。</span></p>
<p><span style="font-family: Calibri">Match User sftpuser</span></p>
<p> <span style="font-family: Calibri">ChrootDirectory /sftp</span></p>
<p> <span style="font-family: Calibri">ForceCommand internal-sftp</span></p>
<p> <span style="font-family: Calibri">AllowTcpForwarding no</span></p>
<p><span style="font-family: Calibri">X11Forwarding no</span></p>
<p> </p>
<p>给新用户的用户目录递归设置归属</p>
<p><span style="font-family: Calibri">chown -R sftpuser:sftpuser </span><span style="font-family: Calibri">/home/sftpuser</span></p>
<p>给配置文件设置读取权限</p>
<p><span style="font-family: Calibri">chmod 755 </span><span style="font-family: Calibri">/home/sftpuser/.ssh/sshd_config</span></p>
<p> </p>
<p><span style="font-family: 宋体">修改</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">服务启动选项</span></p>
<p><span style="font-family: 宋体">打开</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">服务的启动选项文件</span><span style="font-family: 宋体">,可以使用</span><span style="font-family: Calibri">systemctl status sshd</span><span style="font-family: 宋体">查看找到</span><span style="font-family: Calibri">(</span><span style="font-family: 宋体">通常在 </span><span style="font-family: Calibri">/etc/systemd/system/sshd.service </span><span style="font-family: 宋体">或 </span><span style="font-family: Calibri">/etc/init.d/sshd </span><span style="font-family: 宋体">或</span><span style="font-family: Calibri">/usr/lib/systemd/system/sshd.service)</span>,并修改为:</p>
<p><span style="font-family: Calibri">ExecStart=/usr/sbin/sshd -f /home/sftpuser/.ssh/sshd_config -D $OPTIONS</span></p>
<p>或者</p>
<p><span style="font-family: Calibri">/usr/sbin/sshd -f /home/sftpuser/.ssh/sshd_config $OPTIONS</span></p>
<p><span style="font-family: 宋体">重新加载</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">服务:</span></p>
<p><span style="font-family: Calibri">systemctl daemon-reload</span></p>
<p><span style="font-family: Calibri">systemctl re</span><span style="font-family: Calibri">start</span> <span style="font-family: Calibri">sshd</span></p>
<p><span style="font-family: 宋体">现在,用户</span><span style="font-family: Calibri">sftpuser</span><span style="font-family: 宋体">被限制在</span><span style="font-family: Calibri">sftp</span><span style="font-family: 宋体">目录下,并且只能使用</span><span style="font-family: Calibri">SFTP</span><span style="font-family: 宋体">进行文件传输。他们的</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">配置文件位于</span><span style="font-family: Calibri">/home/sftpuser/.ssh/sshd_config</span><span style="font-family: 宋体">,这样他们可以自定义他们的</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">行为而不影响其他用户或系统级别的配置。</span></p>
<p> </p>
<p>查看错误日志:</p>
<p><span style="font-family: 宋体">检查系统日志:如果问题仍然存在,请查看系统日志文件,如</span> /var/log/auth.log <span style="font-family: 宋体">或 </span><span style="font-family: Calibri">/var/log/secure</span><span style="font-family: 宋体">,以获取有关写入文件失败的详细信息。日志文件中可能会提供关于出现问题的原因的线索。</span></p>
<p> </p>
<h2><strong><span style="font-family: 黑体">三、多</span><span style="font-family: Arial">SFTP</span><span style="font-family: 黑体">用户如何配置</span></strong></h2>
<p><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">服务启动选项只能指定一个配置文件。如果你想要为多个用户指定不同的配置,你需要为每个用户创建单独的配置文件,并在启动选项中指定这些文件。</span></p>
<p> </p>
<p><span style="font-family: 宋体">例如,如果你有两个用户</span> <span style="font-family: Calibri">sftpuser1 </span><span style="font-family: 宋体">和 </span><span style="font-family: Calibri">sftpuser2</span><span style="font-family: 宋体">,你可以为他们分别创建不同的配置文件,然后在</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">服务的启动选项中指定这些文件。</span></p>
<p> </p>
<p>为每个用户创建配置文件:</p>
<p><span style="font-family: Calibri">sudo cp /etc/ssh/sshd_config /home/sftpuser1/.ssh/sshd_config</span></p>
<p><span style="font-family: Calibri">sudo cp /etc/ssh/sshd_config /home/sftpuser2/.ssh/sshd_config</span></p>
<p>编辑每个用户的配置文件并根据需要进行自定义:</p>
<p><span style="font-family: Calibri">sudo </span><span style="font-family: Calibri">vi</span> <span style="font-family: Calibri">/home/sftpuser1/.ssh/sshd_config</span></p>
<p> </p>
<p><span style="font-family: Calibri">Match User sftpuser1</span></p>
<p> <span style="font-family: Calibri">ChrootDirectory /sftp</span></p>
<p> <span style="font-family: Calibri">ForceCommand internal-sftp</span></p>
<p> <span style="font-family: Calibri">AllowTcpForwarding no</span></p>
<p> <span style="font-family: Calibri">X11Forwarding no</span></p>
<p> </p>
<p><span style="font-family: Calibri">sudo </span><span style="font-family: Calibri">vi</span> <span style="font-family: Calibri">/home/sftpuser2/.ssh/sshd_config</span></p>
<p> </p>
<p><span style="font-family: Calibri">Match User sftpuser2</span></p>
<p> <span style="font-family: Calibri">ChrootDirectory /sftp/other_directory</span></p>
<p> <span style="font-family: Calibri">ForceCommand internal-sftp</span></p>
<p> <span style="font-family: Calibri">AllowTcpForwarding no</span></p>
<p> <span style="font-family: Calibri">X11Forwarding no</span></p>
<p><span style="font-family: 宋体">修改</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">服务的启动选项,分别指定每个用户的配置文件:</span></p>
<p><span style="font-family: Calibri">ExecStart=/usr/sbin/sshd -f /home/sftpuser1/.ssh/sshd_config -f /home/sftpuser2/.ssh/sshd_config -D $OPTIONS</span></p>
<p>或者</p>
<p><span style="font-family: Calibri">/usr/sbin/sshd -f /home/sftpuser1/.ssh/sshd_config -f /home/sftpuser2/.ssh/sshd_config $OPTIONS</span></p>
<p><span style="font-family: 宋体">这样配置后,每个用户将使用自己的配置文件,可以分别定制他们的</span><span style="font-family: Calibri">SSH</span><span style="font-family: 宋体">行为。</span></p><br><br>
来源:https://www.cnblogs.com/hdwang/p/18186365
頁:
[1]