Linux SFTP user permission settings: prerequisites and implementation commands

  • 2020-05-06 12:08:58
  • OfStack

An SFTP account is really an SSH account, so by default it has broad access to the server: the user can not only transfer files but also log in to a shell and browse outside their own directory. The steps below restrict SFTP users to their home directory only.

Prerequisite:
Your openssh-server must be at least version 4.8p1, because the restriction relies on the ChrootDirectory configuration option, which was added in that version.
To check the ssh version on your server, run:
$ ssh -V
Specific implementation steps:
1. Create a user group for the sftp users
$ groupadd sftpusers
2. Create a user named test and add it to that group
$ useradd -s /bin/false -G sftpusers test
Note that the shell of the test user is set to /bin/false, so the user cannot get a shell.
3. Edit /etc/ssh/sshd_config
Find the Subsystem configuration item and change it to
Subsystem sftp internal-sftp
Then go to the end of the file and add the following settings, so that users belonging to the sftpusers group can only access their own home folder:
Match Group sftpusers
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
Save and close the file.
4. Change the owner of the test user's home folder to root (sshd refuses to chroot into a directory that is not owned by root)
chown root ~test
5. Restart the sshd service
$ service sshd restart
6. Test the user account
$ ssh test@localhost
The connection will be refused, or you will not be able to log in.
$ sftp test@localhost
After you log in, you will find that the account cannot move anywhere outside its home directory.
Frequently asked questions:
If you connect to the server and the following prompt appears:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
the cause is the permissions of the ChrootDirectory. The directory you set must be owned by root, otherwise sshd drops the connection. So make sure that the sftp user's root directory is owned by root with permissions of 750 or 755 (in particular, it must not be writable by the group or by others).
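The following is an added example, not part of the original article: a small POSIX shell script that checks, before sshd is restarted, whether a chroot directory satisfies the ownership and permission rule above and whether an sshd_config text contains the Match block from step 3. It assumes GNU coreutils on Linux (stat -c) and that the group name is passed in as an argument.

```shell
#!/bin/sh
# Added example (not from the original article). Sanity checks for a
# chrooted SFTP setup. Assumes GNU stat on Linux.

# Accept the owner uid and octal mode of a chroot directory (as printed
# by stat -c '%u %a') and return 0 only if sshd will accept it:
# owned by root and not writable by group or others (750/755 style).
chroot_stat_ok() {
    uid=$1
    mode=$2
    [ "$uid" = "0" ] || return 1
    # Keep the last three digits (drops a leading setuid/setgid/sticky digit)
    perms=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    gperm=$(printf '%s' "$perms" | cut -c2)
    operm=$(printf '%s' "$perms" | cut -c3)
    # The write bit is 2, so any of 2, 3, 6, 7 means writable
    case "$gperm$operm" in
        *[2367]*) return 1 ;;
    esac
    return 0
}

# Check a real directory on disk, e.g. chroot_dir_ok /home/test
chroot_dir_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    set -- $(stat -c '%u %a' "$dir")
    chroot_stat_ok "$1" "$2"
}

# Read sshd_config text from stdin and verify that the "Match Group <group>"
# block sets ChrootDirectory, ForceCommand internal-sftp and
# AllowTcpForwarding no. Returns 0 when all three are present.
sshd_match_block_ok() {
    wanted=$1
    conf=$(cat)
    # Keep only the lines that belong to the Match block for this group
    block=$(printf '%s\n' "$conf" | awk -v g="$wanted" '
        $1 == "Match" && $2 == "Group" { inblock = ($3 == g); next }
        $1 == "Match" { inblock = 0 }
        inblock { print }')
    printf '%s\n' "$block" | grep -Eq '^[[:space:]]*ChrootDirectory[[:space:]]' || return 1
    printf '%s\n' "$block" | grep -Eq '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp' || return 1
    printf '%s\n' "$block" | grep -Eq '^[[:space:]]*AllowTcpForwarding[[:space:]]+no' || return 1
    return 0
}
# Usage: chroot_dir_ok /home/test && sshd_match_block_ok sftpusers < /etc/ssh/sshd_config
```

Run both checks on the real paths before step 5; a non-zero exit status points at the same cause as the "Broken pipe" error in the FAQ.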
