Linux shell 将 sftp 用户限制到他们的主目录?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1526919/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Linux shell to restrict sftp users to their home directories?
提问by MrFidge
I need to give SFTP access to a directory within my webroot on my server. I've set up ben_files as a user and have set his home directory to
我需要让 SFTP 访问我服务器上 webroot 中的目录。我已经将 ben_files 设置为用户并将他的主目录设置为
/var/www/vhosts/mydomain.com/files
/var/www/vhosts/mydomain.com/files
That's all fine if he connects with plain old FTP - he's restricted just to that directory, but to enable SFTP i had to add him to bin/bash shell, which suddenly opens up my entire server...
如果他与普通的旧 FTP 连接,那一切都很好 - 他仅限于该目录,但是要启用 SFTP,我必须将他添加到 bin/bash shell,这突然打开了我的整个服务器......
Is there a way of giving him SFTP access but without opening up all my directories? I'd really like him restricted to only his home ;)
有没有办法给他 SFTP 访问权限但不打开我所有的目录?我真的希望他仅限于他的家;)
Thanks!
谢谢!
采纳答案by ephemient
OpenSSH≥4.8 supports a ChrootDirectorydirective.
OpenSSH≥4.8 支持一个ChrootDirectory指令。
Add to /etc/sshd_configor /etc/ssh/sshd_configor whatever your setup's global sshdconfig file is:
添加到/etc/sshd_config或/etc/ssh/sshd_config任何您的设置的全局sshd配置文件是:
Match user ben_files
# The following two directives force ben_files to become chrooted
# and only have sftp available. No other chroot setup is required.
ChrootDirectory /var/www/vhosts/mydomain.com/files
ForceCommand internal-sftp
# For additional paranoia, disallow all types of port forwardings.
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
回答by Paused until further notice.
You might try setting his shell to /bin/rbash
您可以尝试将他的外壳设置为 /bin/rbash
RESTRICTED SHELL If bash is started with the name rbash, or the -r option is supplied at invocation, the shell becomes restricted. A restricted shell is used to set up an environment more controlled than the standard shell. It behaves identically to bash with the exception that the following are disallowed or not performed:
· changing directories with cd
RESTRICTED SHELL 如果 bash 以名称 rbash 启动,或者在调用时提供了 -r 选项,则 shell 将受到限制。受限 shell 用于设置比标准 shell 更受控制的环境。它的行为与 bash 相同,除了以下内容被禁止或不执行:
· changing directories with cd
plus more...
加上更多...
Make sure you fully understand what is allowed and disallowed before you use this.
在使用它之前,请确保您完全了解允许和禁止的内容。
回答by Ned Deily
回答by rvs
Use pam_chroot.
使用 pam_chroot。
Here is a good manual: http://www.howtoforge.com/chroot_ssh_sftp_debian_etch
这是一个很好的手册:http: //www.howtoforge.com/chroot_ssh_sftp_debian_etch
回答by DotrainExpress
You can also set the users shell to /bin/false by using:
您还可以使用以下命令将用户 shell 设置为 /bin/false:
usermod -s /bin/false username
usermod -s /bin/false 用户名
Restricts them from ssh'ing in and can only sftp (or ftp, if it's setup)
限制他们通过 ssh 进入并且只能 sftp(或 ftp,如果它已设置)
I use this for sftp usres, along with the mentioned chroot setup (covered by other answers).
我将它用于 sftp usres,以及提到的 chroot 设置(由其他答案覆盖)。
