限制SSH用户访问Linux中指定的目录
2017-07-07 13:59
666 查看
限制SSH用户访问Linux中指定的目录
http://os.51cto.com/art/201703/534895.htm#topx http://www.cnblogs.com/lykyl/archive/2011/03/10/1980304.html
采用ChrootDirectory设置需要注意
ChrootDirectory设置的目录及其所有的上级目录属主必须是root且只有属主能拥有写权限,也就是说权限最大设置只能是755。否则会报“fatal: bad ownership or modes for chroot directory”这样的错误。
用户目录下的链接文件失去作用。
useradd readonlyuser;echo -e "123456\n123456\n" |passwd readonlyuser
mkdir -p /ngbs/readonlyuser/dev/
cd /ngbs/readonlyuser/dev/
mknod -m 666 null c 1 3
mknod -m 666 tty c 5 0
mknod -m 666 zero c 1 5
mknod -m 666 random c 1 8
chown root:root /ngbs/readonlyuser
chmod 0755 /ngbs/readonlyuser
mkdir -p /ngbs/readonlyuser/bin
cp /bin/bash /ngbs/readonlyuser/bin/
mkdir -p /ngbs/readonlyuser/lib64/
cp /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} /ngbs/readonlyuser/lib64/
mkdir /ngbs/readonlyuser/etc
cp -f /etc/{passwd,group} /ngbs/readonlyuser/etc/
tail -1 /ngbs/readonlyuser/etc/passwd >/tmp/1.txt ;cat /tmp/1.txt > /ngbs/readonlyuser/etc/passwd
注意:每次向系统添加更多 SSH 用户时,都需要将更新的帐户文件复制到 /ngbs/readonlyuser/etc 目录中。
vi /etc/ssh/sshd_config
在此文件中添加或修改下面这些行。
# override default of no subsystems
Subsystem ssh /usr/bin/ssh #这里改为ssh
# Example of overriding settings on a per-user basis
Match User readonlyuser 改为Match User readonlyuser
Match User readonlyuser 下面加上这一行 ChrootDirectory /ngbs/readonlyuser
也就是下面这样
# override default of no subsystems
Subsystem ssh /usr/bin/ssh
# Example of overriding settings on a per-user basis
Match User readonlyuser
ChrootDirectory /ngbs/readonlyuser
# X11Forwarding no
# AllowTcpForwarding no
重启 sshd 服务:
/etc/init.d/sshd restart
接下来,在 bin 目录中安装几个用户命令
cp /bin/ls /ngbs/readonlyuser/bin/
cp /bin/cat /ngbs/readonlyuser/bin/
cp /bin/more /ngbs/readonlyuser/bin/
cp /usr/bin/less /ngbs/readonlyuser/bin/
cp /usr/bin/head /ngbs/readonlyuser/bin/
cp /usr/bin/tail /ngbs/readonlyuser/bin/
ldd /bin/ls
ldd /bin/cat
ldd /bin/more
ldd /usr/bin/less
ldd /usr/bin/head
ldd /usr/bin/tail
/bin/cp /lib64/{libselinux.so.1,librt.so.1,libcap.so.2,libacl.so.1,libc.so.6,libdl.so.2,ld-linux-x86-64.so.2,libpthread.so.0,libattr.so.1,libtinfo.so.5,libpcre.so.0} /ngbs/readonlyuser/lib64/
测试 SSH 的 chroot 监狱
ssh readonlyuser@192.168.0.10
*/1 * * * * /usr/bin/rsync -a /ngbs/local/JmCash/log/* /ngbs/readonlyuser/log/
*/1 * * * * /usr/bin/rsync -a /ngbs/local/JmCash/logs/* /ngbs/readonlyuser/logs/
*/1 * * * * /usr/bin/rsync -a /ngbs/local/JmCash/phonelog/* /ngbs/readonlyuser/phonelog/
注意:如果是目录外做一个软链接到目录内是不行的,会报错 no such file or directory
ln -s /data/download /home/test
注意:sftp
30)外部子系统
我们可以配置一个外部的子系统,仅用于SSH-V2协议,一般这里使用sftp,如下:
Subsystem sftp /usr/libexec/openssh/sftp-server
如关闭该选项,将无法使用sftp.
我们看一下使用sftp的通讯过程,如下:
sftp -v 192.168.27.142 /*采用sftp的方式连接ssh服务端*/
Connecting to 192.168.27.142...
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.27.142 [192.168.27.142] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.27.142' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Next authentication method: password
root@192.168.27.142's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending subsystem: sftp /*在这里启用了sftp子系统*/
sftp>
我们看一下服务端的进程:
ps -ef|grep ssh
avahi 1133 1 0 03:08 ? 00:00:00 avahi-daemon: registering [ssh-server.local]
root 1718 1 0 03:14 ? 00:00:00 sshd: root@pts/0
root 2005 1 0 03:50 ? 00:00:00 /usr/sbin/sshd
root 2023 2005 0 03:52 ? 00:00:00 sshd: root@notty
root 2025 2023 0 03:52 ? 00:00:00 /usr/libexec/openssh/sftp-server
注:
我们看到服务端启用了sftp-server为sftp客户请求服务.
http://os.51cto.com/art/201703/534895.htm#topx http://www.cnblogs.com/lykyl/archive/2011/03/10/1980304.html
采用ChrootDirectory设置需要注意
ChrootDirectory设置的目录及其所有的上级目录属主必须是root且只有属主能拥有写权限,也就是说权限最大设置只能是755。否则会报“fatal: bad ownership or modes for chroot directory”这样的错误。
用户目录下的链接文件失去作用。
useradd readonlyuser;echo -e "123456\n123456\n" |passwd readonlyuser
mkdir -p /ngbs/readonlyuser/dev/
cd /ngbs/readonlyuser/dev/
mknod -m 666 null c 1 3
mknod -m 666 tty c 5 0
mknod -m 666 zero c 1 5
mknod -m 666 random c 1 8
chown root:root /ngbs/readonlyuser
chmod 0755 /ngbs/readonlyuser
mkdir -p /ngbs/readonlyuser/bin
cp /bin/bash /ngbs/readonlyuser/bin/
mkdir -p /ngbs/readonlyuser/lib64/
cp /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} /ngbs/readonlyuser/lib64/
mkdir /ngbs/readonlyuser/etc
cp -f /etc/{passwd,group} /ngbs/readonlyuser/etc/
tail -1 /ngbs/readonlyuser/etc/passwd >/tmp/1.txt ;cat /tmp/1.txt > /ngbs/readonlyuser/etc/passwd
注意:每次向系统添加更多 SSH 用户时,都需要将更新的帐户文件复制到 /ngbs/readonlyuser/etc 目录中。
vi /etc/ssh/sshd_config
在此文件中添加或修改下面这些行。
# override default of no subsystems
Subsystem ssh /usr/bin/ssh #这里改为ssh
# Example of overriding settings on a per-user basis
Match User readonlyuser 改为Match User readonlyuser
Match User readonlyuser 下面加上这一行 ChrootDirectory /ngbs/readonlyuser
也就是下面这样
# override default of no subsystems
Subsystem ssh /usr/bin/ssh
# Example of overriding settings on a per-user basis
Match User readonlyuser
ChrootDirectory /ngbs/readonlyuser
# X11Forwarding no
# AllowTcpForwarding no
重启 sshd 服务:
/etc/init.d/sshd restart
接下来,在 bin 目录中安装几个用户命令
cp /bin/ls /ngbs/readonlyuser/bin/
cp /bin/cat /ngbs/readonlyuser/bin/
cp /bin/more /ngbs/readonlyuser/bin/
cp /usr/bin/less /ngbs/readonlyuser/bin/
cp /usr/bin/head /ngbs/readonlyuser/bin/
cp /usr/bin/tail /ngbs/readonlyuser/bin/
ldd /bin/ls
ldd /bin/cat
ldd /bin/more
ldd /usr/bin/less
ldd /usr/bin/head
ldd /usr/bin/tail
/bin/cp /lib64/{libselinux.so.1,librt.so.1,libcap.so.2,libacl.so.1,libc.so.6,libdl.so.2,ld-linux-x86-64.so.2,libpthread.so.0,libattr.so.1,libtinfo.so.5,libpcre.so.0} /ngbs/readonlyuser/lib64/
测试 SSH 的 chroot 监狱
ssh readonlyuser@192.168.0.10
*/1 * * * * /usr/bin/rsync -a /ngbs/local/JmCash/log/* /ngbs/readonlyuser/log/
*/1 * * * * /usr/bin/rsync -a /ngbs/local/JmCash/logs/* /ngbs/readonlyuser/logs/
*/1 * * * * /usr/bin/rsync -a /ngbs/local/JmCash/phonelog/* /ngbs/readonlyuser/phonelog/
注意:如果是目录外做一个软链接到目录内是不行的,会报错 no such file or directory
ln -s /data/download /home/test
注意:sftp
30)外部子系统
我们可以配置一个外部的子系统,仅用于SSH-V2协议,一般这里使用sftp,如下:
Subsystem sftp /usr/libexec/openssh/sftp-server
如关闭该选项,将无法使用sftp.
我们看一下使用sftp的通讯过程,如下:
sftp -v 192.168.27.142 /*采用sftp的方式连接ssh服务端*/
Connecting to 192.168.27.142...
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.27.142 [192.168.27.142] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.27.142' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Next authentication method: password
root@192.168.27.142's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending subsystem: sftp /*在这里启用了sftp子系统*/
sftp>
我们看一下服务端的进程:
ps -ef|grep ssh
avahi 1133 1 0 03:08 ? 00:00:00 avahi-daemon: registering [ssh-server.local]
root 1718 1 0 03:14 ? 00:00:00 sshd: root@pts/0
root 2005 1 0 03:50 ? 00:00:00 /usr/sbin/sshd
root 2023 2005 0 03:52 ? 00:00:00 sshd: root@notty
root 2025 2023 0 03:52 ? 00:00:00 /usr/libexec/openssh/sftp-server
注:
我们看到服务端启用了sftp-server为sftp客户请求服务.
![](https://images2015.cnblogs.com/blog/572343/201707/572343-20170711100206478-913118186.jpg)
相关文章推荐
- Linux监狱限制SSH用户访问指定目录(一)
- Linux 限制SFTP用户只能访问某个目录
- vsftpd添加用户并限制目录(指定用户访问指定目录)
- Linux安装配置FTP,用户登陆后只允许访问指定的目录。并解决vsftpd的”530 Login incorrect”错误
- Linux 阿里云 AliyunOS 系统 限制 用户 访问目录
- linux上搭建ftp、vsftp, 解决访问ftp超时连接, 解决用户指定访问其根目录,解决ftp主动连接、被动连接的问题
- 使用 ACL 设置用户访问指定文件/目录的权限 | Linux 中国
- [ASP.NET2.0]限制web用户对指定目录下的特定类型文件的访问
- linux 创建用户并限制其访问目录
- Linux 限制SFTP用户只能访问某个目录
- Linux SSH Sftp 限制用户访问权限
- 用ChrootDirectory限制SFTP登录的用户只能访问指定目录且不能进行ssh登录
- linux 中判断指定用户对指定目录的访问权限
- 控制Linux用户可以用ftp连接指定目录,并且不能用ssh连接
- linux下创建用户组与用户 只能访问指定目录的方法 以及FTP用户配置详解
- docker-预告-ssh限制用户访问目录
- vsftpd添加用户并限制目录(指定用户访问指定目录)
- vsftpd添加用户并限制目录(指定用户访问指定目录)
- solaris10限制用户访问其他目录
- linux限制root用户远程ssh登录