Another SFTP server example

Chroot directory: /usr/sftp/i-sftp
User home directory: /home/<username>, relative to the chroot path.
User's primary group: sftp-only

Make sure the entire chroot path is owned by root:root:

    ls -ld /usr
    ls -ld /usr/sftp
    ls -ld /usr/sftp/i-sftp

chown as necessary.

Create the user home directory:

    $ sudo mkdir -p /usr/sftp/i-sftp/home/<username>
    $ sudo chown <username>:sftp-only /usr/sftp/i-sftp/home/<username>

Add to sshd_config:

    Match Group sftp-only
        ChrootDirectory /usr/sftp/i-sftp
        ForceCommand internal-sftp -l VERBOSE
        GSSAPIAuthentication no
        # "no" if not using password auth
        PasswordAuthentication yes
        # "no" if keys are not allowed
        PubkeyAuthentication yes
        AuthorizedKeysFile /usr/sftp/i-sftp/.ssh/authorized_keys
        AllowTcpForwarding no
        AllowAgentForwarding no
        X11Forwarding no

Create a directory for the log socket. It needs to be 0755 (drwxr-xr-x) so that internal-sftp, running with the user's privileges, can write to the log.

    $ sudo mkdir -m 0755 /usr/sftp/i-sftp/dev

Add to /etc/rsyslog.conf:

    $AddUnixListenSocket /usr/sftp/i-sftp/dev/log
    if $programname == 'sshd' then /var/log/sshd.log
    if $programname == 'sshd' then ~
    if $programname == 'internal-sftp' then /var/log/sshd.log
    if $programname == 'internal-sftp' then ~

Restart rsyslog:

    $ sudo service rsyslog restart

Now all sshd and internal-sftp messages will go to /var/log/sshd.log. Don't forget to add sshd.log to logrotate.

For key authentication, add a .ssh directory and create the authorized_keys file. This must also be owned by root:root. Because it must be readable by non-root users, the permissions are a little less strict than usual.

    $ sudo mkdir -p -m 0755 /usr/sftp/i-sftp/.ssh
    $ sudo touch /usr/sftp/i-sftp/.ssh/authorized_keys
    $ sudo chmod 0644 /usr/sftp/i-sftp/.ssh/authorized_keys

Add the necessary public keys to the authorized_keys file.

The authorized_keys file will be readable by anyone logged in on the server. The file contains public keys, so it is not critical that they be kept secret. It MAY be possible to move the authorized_keys file outside the chroot.
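
The ownership check on the chroot path can be scripted instead of reading each ls -ld line by eye. This is an added example, not part of the original page; it assumes GNU or BusyBox stat, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: audit every component of a ChrootDirectory path.
# Assumes GNU or BusyBox stat (-L -c). Function names are hypothetical.

# Print each path component, root first, one per line. Absolute paths only.
path_components() {
    case $1 in /*) ;; *) return 2 ;; esac
    p=$1
    list=$p
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        list="$p
$list"
    done
    printf '%s\n' "$list"
}

# component_ok UID OCTAL_MODE: succeed only for uid 0 with no group/other
# write bit, the condition sshd applies to each chroot path component.
component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# Report every component; return 0 only if all of them pass.
audit_chroot_path() {
    comps=$(path_components "$1") || return 2
    rc=0
    while IFS= read -r c; do
        meta=$(stat -L -c '%u %a' "$c" 2>/dev/null) || meta=
        if [ -n "$meta" ] && [ -d "$c" ] && component_ok ${meta% *} ${meta#* }; then
            echo "ok   $c (uid/mode: $meta)"
        else
            echo "BAD  $c (uid/mode: ${meta:-missing})"
            rc=1
        fi
    done <<EOF
$comps
EOF
    return $rc
}

# Usage: sh audit.sh /usr/sftp/i-sftp
if [ "$#" -gt 0 ]; then
    audit_chroot_path "$1"
fi
```

A BAD line on any component, including /usr itself, means sshd will refuse the chroot for users in the sftp-only group until that directory is fixed with chown or chmod.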