Another SFTP server example
chroot directory is: /usr/sftp/i-sftp
user home directory is: /home/<username>, relative to the chroot path (so it is /usr/sftp/i-sftp/home/<username> on the host, and /home/<username> is what goes in the passwd entry)
user’s primary group is sftp-only
make sure every component of the chroot path is owned by root:root and is neither group- nor world-writable (0755 is fine); otherwise sshd refuses the login with "bad ownership or modes for chroot directory component"
ls -ld /usr
ls -ld /usr/sftp
ls -ld /usr/sftp/i-sftp
chown and chmod as necessary
create the user home directory inside the chroot and give it to the user (only the home directory belongs to the user; the chroot directory above it stays root-owned)
$ sudo mkdir -p /usr/sftp/i-sftp/home/<username>
$ sudo chown <username>:sftp-only /usr/sftp/i-sftp/home/<username>
add to sshd_config, at the end of the file (everything after a Match line belongs to that block). sshd_config does not accept trailing comments, so decide the yes/no values before pasting:
Match Group sftp-only
ChrootDirectory /usr/sftp/i-sftp
ForceCommand internal-sftp -l VERBOSE
GSSAPIAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile /usr/sftp/i-sftp/.ssh/authorized_keys
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
Set PasswordAuthentication no if password logins are not allowed, and PubkeyAuthentication no if keys are not allowed. Note that this AuthorizedKeysFile is one file shared by every sftp-only user, so any key listed in it can log in as any of them (see the note on authorized_keys below). Check the file with sudo sshd -t before restarting sshd.
Create a directory for the log socket inside the chroot. The chrooted internal-sftp opens /dev/log relative to the chroot, i.e. /usr/sftp/i-sftp/dev/log, so the directory must exist and be traversable by the unprivileged sftp process: 0755 (drwxr-xr-x). rsyslog creates the socket itself.
$ sudo mkdir -m 0755 /usr/sftp/i-sftp/dev
Add to /etc/rsyslog.conf. $AddUnixListenSocket comes from the imuxsock module, so it must appear after the $ModLoad imuxsock line that a stock rsyslog.conf already has near the top. Put the filter rules before the default rules (the ones writing to /var/log/syslog or /var/log/messages): rsyslog processes rules in order and the ~ action discards the message, so it only prevents duplicates if it runs first. Use straight quotes.
$AddUnixListenSocket /usr/sftp/i-sftp/dev/log
if $programname == 'sshd' then /var/log/sshd.log
if $programname == 'sshd' then ~
if $programname == 'internal-sftp' then /var/log/sshd.log
if $programname == 'internal-sftp' then ~
restart rsyslog
$ sudo service rsyslog restart
Now all sshd and internal-sftp messages will go to /var/log/sshd.log
Don’t forget to add sshd.log to logrotate.
For key authentication add a .ssh directory and create the authorized_keys file inside the chroot. Both must be owned by root:root (sshd's StrictModes check accepts files owned by root or by the user, but not files writable by others). sshd reads the file with the user's privileges, so it must be readable by non-root users; the permissions are therefore a little less strict than usual: 0644, writable by root only and readable by everyone.
$ sudo mkdir -p -m 0755 /usr/sftp/i-sftp/.ssh
$ sudo touch /usr/sftp/i-sftp/.ssh/authorized_keys
$ sudo chmod 0644 /usr/sftp/i-sftp/.ssh/authorized_keys
Add the necessary public keys to the authorized_keys file
The authorized_keys file will be readable by anyone logged in on the server. It contains only public keys, so that is not a secrecy problem; the real weakness is that a single shared file lets every listed key log in as every sftp-only user. The file can be kept outside the chroot: sshd reads authorized keys before it applies ChrootDirectory, so a per-user location such as AuthorizedKeysFile /etc/ssh/authorized_keys/%u (sshd expands %u to the login name) works and gives each user their own key list.
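The step most often got wrong in this recipe is the ownership rule on the chroot path, and sshd only reports it at login time. The script below is an added example, not part of the original page: it walks a chroot path component by component and reports any directory that is not owned by the expected uid or is group- or world-writable, which is exactly what sshd's check refuses. It assumes a POSIX ls -ldn (GNU or BSD) and builds a constructed sample tree (with a hypothetical user alice) so it runs offline; on the real host you would call check_chroot_path / usr/sftp/i-sftp.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). sshd refuses ChrootDirectory
# unless the chroot directory and every parent directory is owned by root
# and neither group- nor world-writable. This checker reproduces that walk.
# Assumes a POSIX `ls -ldn`: field 1 is the mode string, field 3 the owner uid.

# check_chroot_component DIR OWNER_UID
# Prints a reason and returns 1 if DIR is missing, not owned by OWNER_UID,
# or writable by group or others.
check_chroot_component() {
    local dir="$1" want="$2" mode uid rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    set -- $(ls -ldn "$dir")
    mode=$1
    uid=$3
    if [ "$uid" != "$want" ]; then
        echo "not owned by uid $want: $dir (owner uid $uid)"
        rc=1
    fi
    case $mode in
        ?????w*) echo "group-writable: $dir ($mode)"; rc=1 ;;   # 6th char = g+w
    esac
    case $mode in
        ????????w*) echo "world-writable: $dir ($mode)"; rc=1 ;;  # 9th char = o+w
    esac
    return $rc
}

# check_chroot_path BASE RELPATH [OWNER_UID]
# Checks BASE itself and every directory of RELPATH below it, e.g.
#   check_chroot_path / usr/sftp/i-sftp
# checks /, /usr, /usr/sftp and /usr/sftp/i-sftp. OWNER_UID defaults to 0
# (root); the demo passes the current uid because an unprivileged run
# cannot create root-owned directories.
check_chroot_path() {
    local base="${1:-/}" rest="${2#/}" want="${3:-0}" cur comp status=0
    cur="${base%/}"
    check_chroot_component "${cur:-/}" "$want" || status=1
    while [ -n "$rest" ]; do
        comp="${rest%%/*}"                      # next path component
        if [ "$comp" = "$rest" ]; then rest=""; else rest="${rest#*/}"; fi
        [ -n "$comp" ] || continue              # skip empty parts from "//"
        cur="$cur/$comp"
        check_chroot_component "$cur" "$want" || status=1
    done
    return $status
}

# make_demo_chroot DIR
# Constructed sample tree owned by the current user: a correct layout under
# DIR/usr/sftp/i-sftp (home for hypothetical user alice) and a broken one
# under DIR/bad where the middle component is group-writable (0775).
make_demo_chroot() {
    local root="$1"
    mkdir -p "$root/usr/sftp/i-sftp/home/alice"
    chmod 0755 "$root/usr" "$root/usr/sftp" "$root/usr/sftp/i-sftp"
    mkdir -p "$root/bad/sftp/i-sftp"
    chmod 0755 "$root/bad" "$root/bad/sftp/i-sftp"
    chmod 0775 "$root/bad/sftp"
}

# Stand-alone demo on the constructed tree.
demo_root=$(mktemp -d)
make_demo_chroot "$demo_root"
if check_chroot_path "$demo_root" usr/sftp/i-sftp "$(id -u)"; then
    echo "usr/sftp/i-sftp: acceptable chroot path"
fi
if ! check_chroot_path "$demo_root" bad/sftp/i-sftp "$(id -u)"; then
    echo "bad/sftp/i-sftp: rejected, as sshd would"
fi
rm -rf "$demo_root"
```

The walk starts at the base directory because sshd checks every component from / downward, not only the final directory; a chroot under a world-writable parent fails even if the chroot directory itself is correct.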